Buchan,

First off, thanks for the reply, it's greatly appreciated.

I decided to leave it alone for a day or two and re-visit the configuration and was able to successfully get things working on my first attempt. Here's what I ended up with for my /etc/pam.d/sshd:

auth       required     pam_nologin.so
auth       sufficient   /lib/security/pam_winbind.so
auth       required     pam_unix.so use_first_pass shadow
auth       required     pam_env.so
account    sufficient   /lib/security/pam_winbind.so
account    required     pam_unix.so use_first_pass
session    sufficient   pam_mkhomedir.so skel=/etc/skel umask=0022
session    required     pam_unix.so
session    optional     pam_lastlog.so
session    optional     pam_motd.so
session    optional     pam_mail.so standard noenv
session    required     pam_limits.so
password   sufficient   /lib/security/pam_winbind.so
password   required     pam_unix.so

So you can see that you were correct in regards to use_first_pass. I'm not sure if everything I have in here is necessary, but it appears to be working, so I may tweak things a little to find out exactly what *is* required.

> > account required pam_unix.so use_first_pass
>
> You might need "try_first_pass" here too.

I'll find out today if this is necessary or not.

> openssh's approach to solving the longer delay for a valid user account
> (account discovery bug) was to give a pam authentication failure first
> for any connection (as I understand this). So, your "use_first_pass" is
> getting a bad password, and you aren't allowing it to prompt for a 2nd
> attempt.
>
> BTW, you don't see this with public key authentication ... so the
> default /etc/pam.d/system-auth is broken for ssh too if you use drakauth
> to setup winbind :-(.

Thanks again,

-=tim
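
Added example, not part of the original message: a simplified Python model of how Linux-PAM walks the auth and session stacks posted above, showing which modules actually run for a winbind user versus a local user. It handles only the four keyword control flags and assumes each module simply succeeds or fails; the function names are illustrative.

```python
# Simplified model of Linux-PAM keyword control flags (assumption: each module
# just succeeds or fails; bracketed [value=action] controls are not handled).
SSHD_PAM = """\
auth     required   pam_nologin.so
auth     sufficient /lib/security/pam_winbind.so
auth     required   pam_unix.so use_first_pass shadow
auth     required   pam_env.so
session  sufficient pam_mkhomedir.so skel=/etc/skel umask=0022
session  required   pam_unix.so
session  optional   pam_lastlog.so
session  optional   pam_motd.so
session  optional   pam_mail.so standard noenv
session  required   pam_limits.so
"""  # auth and session lines copied from the message above

def parse(text):
    """Return {type: [(control, module_basename), ...]} in file order."""
    stacks = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3:
            mtype, control, module = fields[:3]
            stacks.setdefault(mtype, []).append((control, module.rsplit("/", 1)[-1]))
    return stacks

def run_stack(stack, succeeds):
    """Walk one stack; `succeeds` is the set of modules returning success.
    Returns (overall_success, modules_actually_run)."""
    failed, ran = False, []
    for control, module in stack:
        ran.append(module)
        ok = module in succeeds
        if control == "requisite" and not ok:
            return False, ran              # fail immediately
        if control == "required" and not ok:
            failed = True                  # remember failure, keep going
        if control == "sufficient" and ok and not failed:
            return True, ran               # success ends the stack here
    return not failed, ran                 # optional results are ignored

def skipped(stack, succeeds):
    """Modules in the stack that were never reached."""
    ran = run_stack(stack, succeeds)[1]
    return [m for _, m in stack if m not in ran]

STACKS = parse(SSHD_PAM)
ALL = {m for s in STACKS.values() for _, m in s}
if __name__ == "__main__":
    print("winbind user auth:", run_stack(STACKS["auth"], ALL - {"pam_unix.so"}))
    print("local user auth:  ", run_stack(STACKS["auth"], ALL - {"pam_winbind.so"}))
    print("session skipped:  ", skipped(STACKS["session"], ALL))
```

With every module succeeding, the session stack in this model stops at pam_mkhomedir.so because it is marked sufficient, so pam_limits.so and the other session lines after it are never reached.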
