Christoph Scheeder wrote:
Hi, 2 points:
1.) use the smb.conf which gives you a working wbinfo.
2.) this sounds like misconfigured pam to me. -you have to tell pam that winbind is "sufficient" for "auth" and "account" with the lines
Here's the /etc/pam.d/logon file info. This must be working because of the dual authentication when logging in at the terminal. In fact if you open a new terminal session and log in there, the primary [F1] screen will show "pam_winbind[451]: user 'root' granted access".
Further, when attempting to log on with an ADS account, although the log in fails, pam_winbind grants access.
Here's the file info:
#
# $FreeBSD: src/etc/pam.d/login,v 1.16 2003/06/14 12:35:05 des Exp $
#
# PAM configuration for the "login" service
#

# auth
auth required pam_nologin.so no_warn
auth sufficient pam_self.so no_warn
auth include system
auth sufficient /usr/local/lib/pam_winbind.so

# account
account requisite pam_securetty.so
account include system
account sufficient /usr/local/lib/pam_winbind.so

# session
session include system

# password
password include system
"account sufficient pam_winbind.so" and "auth sufficient pam_winbind.so"
this drops the need for the local posix-account. -And for the "auth" modify the line with pam_unix.so to read like
"auth required pam_unix.so use_first_pass nullok"
this gets you rid of the second password-prompt.
hope it helps. Christoph
Tom Skeren schrieb:
Jeremy Allison wrote:
On Mon, Dec 06, 2004 at 02:29:29PM -0800, Tom Skeren wrote:
Well, I've followed every how to that I can find. I have some strangeness. When I log into the unix terminal I have to supply 2 root passwords...the posix one and the one for root in ADS (they're different)....to login. The same for a user with both posix and ADS accounts. Non posix account users cannot login with an ADS account to the terminal.
I'm about ready to smash my head through a wall...I could use a few answers.
1. When using security = ads, and completing net ads join, it was my understanding that samba authenticated username/pword against ads, and local posix accounts were no longer needed, is this true?
Yes, so long as you have nsswitch and pam set up correctly. It sounds
like you don't.
Depending on changes to the smb.conf file I get wild results with winbindd. One config gives users and groups with a wbinfo -u/g command. Others error out with differing reasons for the errors.
I'm really not sure where the error is...it should be working, but it is not.
Jeremy.
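
Added example, not part of the original thread: a simplified Python model of how PAM evaluates control flags, run over the `auth` lines of the posted login file. The contents of the included `system` chain, the module outcomes for an ADS-only user, and the reordered stack are assumptions made for illustration.

```python
import os

def parse_stack(text, facility, includes):
    """Return [(control, module)] for one facility, expanding 'include'."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0] != facility:
            continue
        control, target = fields[1], fields[2]
        if control == "include":
            stack.extend(includes.get(target, []))
        else:
            stack.append((control, os.path.basename(target)))
    return stack

def evaluate(stack, outcomes):
    """Simplified model of required/requisite/sufficient/optional handling."""
    required_failed, any_success, trace = False, False, []
    for control, module in stack:
        ok = outcomes.get(module, False)
        trace.append((module, ok))
        if ok:
            any_success = True
            if control == "sufficient" and not required_failed:
                return True, trace       # chain ends, access granted
        elif control == "requisite":
            return False, trace          # chain ends, access denied
        elif control == "required":
            required_failed = True       # chain continues, result is failure
    return any_success and not required_failed, trace

# Assumption: the included "system" auth chain ends in a required pam_unix.so.
SYSTEM = {"system": [("required", "pam_unix.so")]}
POSTED = """auth required pam_nologin.so no_warn
auth sufficient pam_self.so no_warn
auth include system
auth sufficient /usr/local/lib/pam_winbind.so"""
# Assumption: same lines, with pam_winbind.so moved ahead of the include.
REORDERED = """auth required pam_nologin.so no_warn
auth sufficient pam_self.so no_warn
auth sufficient /usr/local/lib/pam_winbind.so
auth include system"""
# Constructed outcomes for a user that exists only in ADS.
ADS_ONLY = {"pam_nologin.so": True, "pam_self.so": False,
            "pam_unix.so": False, "pam_winbind.so": True}

def check(text, outcomes=ADS_ONLY):
    return evaluate(parse_stack(text, "auth", SYSTEM), outcomes)

if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("reordered", REORDERED)):
        print(name, *check(text))
```

In the posted order pam_winbind.so succeeds only after the required pam_unix.so has already failed, which is consistent with a "granted access" log line appearing alongside a failed login.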