[Samba] LDAP, Active Directory, Redhat 9 Clients

2003-11-24 Thread Kenneth Savoy
I have configured winbind and pam. I start the samba daemons in the following order: 
smbd, nmbd, winbindd. wbinfo shows users and groups. So does getent. If I open a 
terminal window and go su THEDOMAIN+user it asks for a password and won't accept 
anything. My smb.conf, nsswitch.conf, /etc/pam.d/samba, /etc/pam.d/login are below. 
Using Windows Server 2003 for AD, I have two servers, two domains, one for each 
domain. I am only using one domain for now. There is also a separate LDAP server. I've 
looked through the documentation and have not found anything that has corrected the 
problem. Does LDAP have to be configured in some way or is there something wrong with 
my configuration?

SMB.CONF
[global]
winbind separator = +
workgroup = THEDOMAIN
netbios name = IBPS12
server string = clients12
security = DOMAIN
password server = MY PDC
idmap uid = 1-2
idmap gid = 1-2


NSSWITCH.CONF
passwd: files winbind
shadow: files
group:  files winbind

hosts:  files dns

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files

publickey:  nisplus

automount:  files
aliases:    files nisplus

/etc/pam.d/samba
#%PAM-1.0
auth       required pam_nologin.so
auth       required pam_stack.so service=system-auth
account    required pam_stack.so service=system-auth
session    required pam_stack.so service=system-auth
password   required pam_stack.so service=system-auth

/etc/pam.d/login
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_winbind.so
auth       sufficient   /lib/security/pam_UNIX.so use_first_pass
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    sufficient   /lib/security/pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


Re: [Samba] LDAP, Active Directory, Redhat 9 Clients

2003-11-24 Thread Patrick
su uses /etc/pam.d/su, so if that does not have winbind support then it 
will not accept the user. An easy way to configure pam on RedHat is to 
use authconfig. It has an option for windows authentication. When it 
is turned on it will add the winbind lines to /etc/pam.d/system-auth 
which all pam files on RedHat point to. The downside to this is they 
will be able to use anything that requires a password. So for example 
if you have remote x-logins enabled they would be able to login to an 
x-session.

Patrick

Kenneth Savoy wrote:

I have configured winbind and pam. I start the samba daemons in the following order: smbd, nmbd, winbindd. wbinfo shows users and groups. So does getent. If I open a terminal window and go su THEDOMAIN+user it asks for a password and won't accept anything. My smb.conf, nsswitch.conf, /etc/pam.d/samba, /etc/pam.d/login are below. Using Windows Server 2003 for AD, I have two servers, two domains, one for each domain. I am only using one domain for now. There is also a separate LDAP server. I've looked through the documentation and have not found anything that has corrected the problem. Does LDAP have to be configured in some way or is there something wrong with my configuration?

SMB.CONF
[global]
winbind separator = +
workgroup = THEDOMAIN
netbios name = IBPS12
server string = clients12
security = DOMAIN
password server = MY PDC
idmap uid = 1-2
idmap gid = 1-2
NSSWITCH.CONF
passwd: files winbind
shadow: files
group:  files winbind
hosts:  files dns

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files

publickey:  nisplus

automount:  files
aliases:    files nisplus
/etc/pam.d/samba
#%PAM-1.0
auth       required pam_nologin.so
auth       required pam_stack.so service=system-auth
account    required pam_stack.so service=system-auth
session    required pam_stack.so service=system-auth
password   required pam_stack.so service=system-auth
/etc/pam.d/login
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_winbind.so
auth       sufficient   /lib/security/pam_UNIX.so use_first_pass
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    sufficient   /lib/security/pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so
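
Added example (not part of the original thread, and not Samba or Red Hat code): a small Python audit of the behaviour described in the reply above, listing which PAM services' auth stacks reach pam_winbind.so either directly or through pam_stack.so service=system-auth. The su, xdm and system-auth contents, and the pam_winbind line assumed to be added by authconfig, are constructed samples.

```python
import re

RULE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Yield (type, module basename, args) for each rule in a PAM service file."""
    for line in text.splitlines():
        m = RULE.match(line.split("#", 1)[0].strip())
        if m:
            yield m.group(1), m.group(3).rsplit("/", 1)[-1], m.group(4).split()

def auth_reaches_winbind(service, files, seen=None):
    """True if the auth stack of `service` reaches pam_winbind.so,
    directly or through pam_stack.so service=NAME includes."""
    seen = set() if seen is None else seen
    if service in seen or service not in files:
        return False
    seen.add(service)
    for kind, module, args in parse_pam(files[service]):
        if kind != "auth":
            continue
        if module == "pam_winbind.so":
            return True
        if module == "pam_stack.so":
            for arg in args:
                if arg.startswith("service=") and auth_reaches_winbind(arg[8:], files, seen):
                    return True
    return False

def winbind_services(files):
    """Sorted names of services whose password prompt accepts winbind users."""
    return sorted(s for s in files if auth_reaches_winbind(s, files))

# Constructed sample files (not taken from a real host).
SYSTEM_AUTH = "auth required pam_env.so\nauth sufficient pam_unix.so likeauth nullok\n"
SERVICES = {
    "login": "auth required pam_securetty.so\nauth sufficient /lib/security/pam_winbind.so\n"
             "auth required /lib/security/pam_stack.so service=system-auth\n",
    "su": "auth sufficient pam_rootok.so\nauth required pam_stack.so service=system-auth\n",
    "xdm": "auth required pam_stack.so service=system-auth\n",
    "system-auth": SYSTEM_AUTH + "auth required pam_deny.so\n",
}
# Assumed effect of enabling winbind in authconfig: a pam_winbind line in system-auth.
AFTER = dict(SERVICES, **{"system-auth": SYSTEM_AUTH
    + "auth sufficient pam_winbind.so use_first_pass\nauth required pam_deny.so\n"})

if __name__ == "__main__":
    print("before:", winbind_services(SERVICES))
    print("after: ", winbind_services(AFTER))
```

On a real host, build the dictionary from the files under /etc/pam.d and compare the result against the list of services that are meant to accept domain accounts.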
 
