I have a problem with winbind and pam that I just can't quite get past. Here is what I have:
I have a home office with a Windows 2000 active directory domain (domain XYZ). I have a remote office running Samba 3.0.14a connected to the home office via a VPN. All users at the remote office are required to have an account on the active directory domain at the home office for several reasons, including the use of Exchange Server. All client machines at the remote office run XP Pro.

The Samba server at the remote office is a domain controller for its own domain (Workgroup = ABC). I have joined the Samba server to the home office domain, domain XYZ. When I run wbinfo -u I receive a list of users in the home domain of XYZ. When I run getent passwd I also see the users in the home domain. I have successfully joined an XP Pro workstation at the remote office to the remote office domain (ABC).

All appears well up to this point; however, one of my main goals is to use this setup to authenticate the XP Pro clients logging on to the remote domain (ABC) against their user account in the home domain of XYZ, and I can't get that to work. XP Pro just displays the message about unknown user name or bad password. I don't want to have to create user accounts on the Samba server, only have them authenticate against the home domain.

Here are the contents of my /etc/pam.d/samba file:

    #%PAM-1.0
    auth       required     pam_nologin.so
    auth       required     pam_stack.so service=system-auth
    auth       required     /lib/security/pam_winbind.so
    account    required     /lib/security/pam_winbind.so
    account    required     pam_stack.so service=system-auth
    session    required     /lib/security/pam_mkhomedir.so skel=/etc/samba/skel umask=0022
    session    required     pam_stack.so service=system-auth
    password   required     pam_stack.so service=system-auth

What am I doing wrong? Is this possible?

It might be worth noting that this is a continuation of another discussion on another board that went as follows (I went with option B below):

> Here is what I have:
> I have a home office with a Windows 2000 active directory domain. I
> have a remote office running Samba 3.0.14a connected to the home
> office via a VPN. All users at the remote office are required to have
> an account on the active directory domain at the home office for
> several reasons, including the use of Exchange Server. All client
> machines at the remote office run XP Pro.
>
> Required Options:
> * I need to be able to run logon scripts locally at the remote
>   office, from the Samba server at the remote office.
> * I need for each user to have a single user account and it needs to
>   be the one in active directory on the domain controller at the home office.
>
> Optional Result:
> * I would like the XP Pro client machines to still be able to log on
>   if the VPN connection gets dropped. I believe this is taken care of
>   already due to the fact that the XP machines will cache the logon
>   credentials, but I thought I would mention that in case there is a
>   better way of doing this.
>
> General Question:
> How do I go about setting this up? I have looked at the docs and have
> been messing around with several different settings and can't quite
> figure it out.
>
> Specific Questions:
> 1.) What samba security mode should I be using?

Your choices are:

a) Samba configured as an ADS domain member
   - all domain logons will be handled from the central office
   - Samba is just a file/print server

b) Samba configured as its own domain controller with a trust
   relationship to the central office domain.
   - Each remote office will be independent
   - All network logons will be handled locally

> 2.) Should the samba server workgroup setting be unique for the
> remote site or the same as the home office domain?

Yes, but only if Samba is the domain controller for its own domain.

> 3.) Should the samba server be joined to the home office domain?

Yes in both cases.

> 4.) What domain should the XP Pro clients join, the local domain or
> the home office domain?

If the Samba server is just an ADS domain member server your XP clients need to be members of the ADS domain. If the Samba server is a PDC for the remote domain and you want logon and authentication to take place in the remote office, the XP client needs to be a member of the local domain.

> 5.) Does this require winbind to work?

Yes, and Yes.

Thanks to all in advance.

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
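An added example (not part of the post above and not Samba project code) that walks the posted /etc/pam.d/samba stack with Linux-PAM control semantics (required, requisite, sufficient, optional) for a user who exists only in the trusted domain. It models what such a stack does to a winbind-only user: because every "auth" entry is "required", the pam_stack service=system-auth line has to succeed as well, and the example assumes that substack resolves to pam_unix and fails for an account with no local shadow entry. It also assumes /etc/nologin is absent. The per-module outcome table and the reordered variant (pam_winbind marked "sufficient" and placed before the system-auth substack) are hypothetical illustrations of how control flags and ordering change the result, not a claimed fix for the XP logon failure. One caveat a practitioner should keep in mind while reading it: smbd only consults PAM for authentication when "encrypt passwords = no"; with the encrypted (NTLM) logons XP clients send, the "auth" phase of /etc/pam.d/samba is not what decides the logon, and only the account and session phases run, and then only when "obey pam restrictions = yes".

```python
"""
PAM stack walker: can a user who satisfies only pam_winbind (no local
/etc/shadow entry) pass the 'auth' phase of a pam.d service file?

Added example; not code from the post or from the Samba project.
Assumptions (hypothetical model): 'pam_stack.so service=system-auth'
delegates to pam_unix and fails for a user with no local password, and
/etc/nologin is absent so pam_nologin passes.
"""
import os
from typing import Dict, List, Tuple

# Constructed copy of the stack exactly as posted, so the example runs stand-alone.
POSTED_SAMBA_PAM = """\
#%PAM-1.0
auth required pam_nologin.so
auth required pam_stack.so service=system-auth
auth required /lib/security/pam_winbind.so
account required /lib/security/pam_winbind.so
account required pam_stack.so service=system-auth
session required /lib/security/pam_mkhomedir.so skel=/etc/samba/skel umask=0022
session required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
"""

# Hypothetical variant: pam_winbind is 'sufficient' and sits ahead of the
# system-auth substack, so a winbind-only user short-circuits to success.
REORDERED_SAMBA_PAM = """\
#%PAM-1.0
auth required pam_nologin.so
auth sufficient /lib/security/pam_winbind.so
auth required pam_stack.so service=system-auth
account required /lib/security/pam_winbind.so
account required pam_stack.so service=system-auth
session required /lib/security/pam_mkhomedir.so skel=/etc/samba/skel umask=0022
session required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
"""

# Assumed outcome of each module for a winbind-only user during 'auth'.
# Any module not listed is treated as failing, the conservative choice.
WINBIND_ONLY_USER_RESULTS: Dict[str, bool] = {
    "pam_nologin.so": True,   # passes while /etc/nologin does not exist
    "pam_winbind.so": True,   # the domain controller accepted the credentials
    "pam_stack.so": False,    # system-auth -> pam_unix: no local shadow entry
}

Entry = Tuple[str, str, str, List[str]]  # (type, control, module, args)


def parse_pam(text: str) -> List[Entry]:
    """Parse pam.d lines of the form 'type control module [args...]'.
    Bracketed '[value=action ...]' controls are rejected rather than guessed at."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed pam line: {raw!r}")
        mtype, control, module, *args = fields
        if control.startswith("["):
            raise ValueError(f"bracketed control syntax not modelled: {raw!r}")
        # '-type' marks a module whose absence is tolerated; strip the marker.
        entries.append((mtype.lstrip("-"), control.lower(), os.path.basename(module), args))
    return entries


def walk_phase(entries: List[Entry], phase: str, results: Dict[str, bool]) -> Tuple[bool, str]:
    """Apply Linux-PAM control semantics to one phase; return (ok, reason)."""
    had_required_failure = False
    seen_any = False
    for mtype, control, module, _args in entries:
        if mtype != phase:
            continue
        seen_any = True
        passed = results.get(module, False)
        if control == "requisite" and not passed:
            return False, f"{module} (requisite) failed, stack aborted"
        if control == "required" and not passed:
            had_required_failure = True  # keep walking, but the final result is failure
        if control == "sufficient" and passed and not had_required_failure:
            return True, f"{module} (sufficient) satisfied the stack"
        # 'optional', and a failing 'sufficient', do not change the outcome here
    if not seen_any:
        return False, f"no '{phase}' entries"
    if had_required_failure:
        return False, "a required module failed"
    return True, "every required module passed"


def auth_outcome(pam_text: str) -> Tuple[bool, str]:
    """Outcome of the 'auth' phase for the modelled winbind-only user."""
    return walk_phase(parse_pam(pam_text), "auth", WINBIND_ONLY_USER_RESULTS)


if __name__ == "__main__":
    for label, text in (("posted", POSTED_SAMBA_PAM), ("reordered", REORDERED_SAMBA_PAM)):
        ok, why = auth_outcome(text)
        print(f"{label:9s} auth {'OK  ' if ok else 'FAIL'}: {why}")
```

Running it reports the posted stack as failing the "auth" phase for a winbind-only user (a required module failed) and the reordered stack as succeeding at pam_winbind. Only the auth phase is modelled; the account phase of pam_unix behaves differently for users without a shadow entry and is deliberately left out.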