--- Aaron Bennett <[EMAIL PROTECTED]> wrote:
> I'd also like to configure sshd to use this winbindd. However, this
> /etc/pam.d/sshd file doesn't work and I can't figure out why. I've put +
> signs to show the lines I added to the stock RHAT 8 sshd pam def.
>
> #%PAM-1.0
> + auth sufficient /lib/security/pam_winbind.so
> + auth sufficient /lib/security/pam_unix.so use_first_pass
> auth required /lib/security/pam_stack.so service=system-auth
> auth required /lib/security/pam_nologin.so
> account required /lib/security/pam_stack.so service=system-auth
> + account sufficient /lib/security/pam_winbind.so
> password required /lib/security/pam_stack.so service=system-auth
> session required /lib/security/pam_stack.so service=system-auth
> session required /lib/security/pam_limits.so
> session optional /lib/security/pam_console.so
>
> ideas, solutions, and pointers to a FAQ or some good pam documentation
> are all appreciated, as I'll be the first to admit that I don't know my
> ass from my elbow with regards to pam.

LOL. I looked at the same document you probably looked at:

http://us3.samba.org/samba/docs/Samba-HOWTO-Collection.html#AEN2358

and used the ftp example for any services I have, except I leave out the pam_listfile.so line at the top.

In essence, you want auth sufficient pam_winbind.so before any other auth lines. Then you want account sufficient pam_winbind.so before any other account lines. This is different for login-type services like kde, gdm, and login. Follow the login example for these.

Also, the pam_unix.so use_first_pass you added is only necessary for pam.d/login (I believe ssh reads that after reading pam.d/ssh). Remove this line.

Following the pattern in the ftp example, account sufficient pam_winbind.so needs to go immediately before any account lines. Move it up one.

Finally, the /lib/security is implied (at least it is in RedHat 7+... YMMV), so you can shorten it to just pam_winbind.so, which is slick.

For reference, here is my pam.d/ssh file:

#######################################################
#%PAM-1.0
auth       sufficient   pam_winbind.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    sufficient   pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_limits.so
session    optional     /lib/security/pam_console.so
#######################################################

Use the pattern I explained above for any other services (NetAtalk, FTP, etc.). Use the login example for login-type services like kde, login, or gdm (as you have already done). SSH seems like it would be a login-type service, but it doesn't appear to act that way.

Good luck,
/dev/idal
--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
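
An added example, not part of either message: a simplified Python model of the PAM `required` and `sufficient` control flags, run over the auth and account lines of both files in this thread to show why the position of the pam_winbind.so lines matters. The module outcomes in DOMAIN_USER are assumptions (system-auth is assumed to know only local accounts), and no real PAM module is called.

```python
# Simplified model of the Linux-PAM control flags used in this thread.
# Module outcomes are passed in by the caller; no real PAM module is run.

ORIGINAL = """\
+ auth sufficient /lib/security/pam_winbind.so
+ auth sufficient /lib/security/pam_unix.so use_first_pass
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
+ account sufficient /lib/security/pam_winbind.so
"""
REPLY = """\
auth sufficient pam_winbind.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account sufficient pam_winbind.so
account required /lib/security/pam_stack.so service=system-auth
"""
# Assumed outcomes for a domain-only user: system-auth (via pam_stack) knows
# only local accounts, so it fails; winbind succeeds.
DOMAIN_USER = {"pam_winbind.so": True, "pam_unix.so": False,
               "pam_stack.so": False, "pam_nologin.so": True}

def parse(text, mtype):
    """Return [(control, module_basename)] for one module type, in file order."""
    stack = []
    for line in text.splitlines():
        fields = line.lstrip("+ ").split()
        if len(fields) >= 3 and fields[0] == mtype:
            stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack

def evaluate(stack, outcome):
    """Return (granted, modules_called) for one stack."""
    failed, passed, called = False, False, []
    for control, module in stack:
        called.append(module)
        ok = outcome[module]
        if control == "sufficient" and ok and not failed:
            return True, called          # stack ends; later modules never run
        if control == "required":
            passed, failed = passed or ok, failed or not ok
    return passed and not failed, called

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("reply", REPLY)):
        for mtype in ("auth", "account"):
            print(name, mtype, evaluate(parse(conf, mtype), DOMAIN_USER))
```

In this model the original account stack denies the domain user because the required pam_stack.so line has already failed before pam_winbind.so runs. With winbind first, the auth stack returns before pam_nologin.so is reached, so the nologin check only applies to users who fall through to the local stack.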