RE: [Samba] help with winbind/pam
I use Redhat 9.0 and I have it working. I'm not sure if it's the same on Debian, but here is what my files look like. They were generated by the 'authconfig' tool. The only line I added manually was the pam_mkhomedir.so line.

My /etc/pam.d/login looks like this -
(Note: pam_mkhomedir.so automatically makes home directories, you may not want that, it puts them in 'template homedir' which is specified in smb.conf)

#%PAM-1.0
auth       required     pam_securetty.so
auth       sufficient   pam_unix.so use_first_pass
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_mkhomedir.so umask=0022
session    optional     pam_console.so

My /etc/pam.d/gdm looks like this -

#%PAM-1.0
auth       required     pam_env.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so
session    required     pam_mkhomedir.so skel=/etc/skel umask=0022

/etc/pam.d/system-auth looks like this -

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth       required     /lib/security/$ISA/pam_env.so
auth       sufficient   /lib/security/$ISA/pam_unix.so likeauth nullok
auth       sufficient   /lib/security/$ISA/pam_smb_auth.so use_first_pass nolocal
auth       required     /lib/security/$ISA/pam_deny.so
account    required     /lib/security/$ISA/pam_unix.so
password   required     /lib/security/$ISA/pam_cracklib.so retry=3 type=
password   sufficient   /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password   required     /lib/security/$ISA/pam_deny.so
session    required     /lib/security/$ISA/pam_limits.so
session    required     /lib/security/$ISA/pam_unix.so

-----Original Message-----
From: Charles McLaughlin [mailto:[EMAIL PROTECTED]]
Sent: 19 December 2003 05:19
To: [EMAIL PROTECTED]
Subject: [Samba] help with winbind/pam

Hello,

I'm trying to get a debian sid box to authenticate against an NT4 domain. I've followed the instructions in the winbindd man page and I think I'm on the right track. However, I'm having problems with PAM.

As the winbindd man page suggests, I edited the /etc/nsswitch.conf and added some winbindd related stuff to my smb.conf file. I also edited the /etc/pam.d/* files. This is where I'm having problems... more on that later.

I joined the domain using this:

net join -U Administrator

I was prompted for a password and was allowed to join the domain. I ran the winbindd program just to make sure it is up and running, then I did this:

wbinfo -t

And that told me that the trust relationship with the domain is ok. So, my linux box is part of the NT4 domain and things look good. I can walk over to the NT4 domain controller and see a computer account for my linux box. I can do wbinfo -u on my linux box and see a list of all the windows domain users... and I'm starting to smell success. But wait...

Here is where the problem starts. I want to use a Windows domain account to login to the linux box. For instance, I should be able to use the windows Administrator account to login on my linux box. So I go to a terminal and try to log in as Administrator and it says "permission denied". I've screwed around with the /etc/pam.d/* files enough to allow me to login via a linux terminal using the Windows Administrator account, but I haven't been able to do the same with GDM/Gnome. I eventually screwed around with these files enough to lock myself out of my system, but got back in. ;-)

So, I guess I need help understanding the /etc/pam.d/* files. The winbindd man page says this:

---
In /etc/pam.d/* replace the auth lines with something like this:

auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_winbind.so
auth       required     /lib/security/pam_pwdb.so use_first_pass shadow nullok

Note in particular the use of the sufficient keyword and the use_first_pass keyword.

Now replace the account lines with this:

account    required     /lib/security/pam_winbind.so
---

When I edited the pam.d files, anytime I saw a line that starts with auth, I commented it out and inserted all of the above lines that start with auth. Likewise, I made similar edits for lines that start with account. I don't really understand what this means though...

Any suggestions? Am I doing something out of order?

Thanks!

Charles

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/l
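
Added example (not part of the original messages or of the winbindd man page): the man page excerpt quoted above singles out the sufficient keyword and use_first_pass, and this Python sketch models how a PAM stack combines those control flags. Module results and the login() scenarios are constructed inputs, and password prompting is simplified to the modules named in this thread.

```python
"""Toy model of Linux-PAM control flags for one management type.

Module results are supplied by the caller (constructed inputs); no real
PAM module is loaded and prompt handling is simplified.
"""
import os

# Modules in this thread that ask for a password themselves unless an
# argument tells them to reuse the one an earlier module collected.
PASSWORD_MODULES = {"pam_winbind.so", "pam_pwdb.so", "pam_unix.so"}

# The auth/account lines quoted from the winbindd man page in the message above.
MANPAGE_STACK = """\
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok
account required /lib/security/pam_winbind.so
"""


def parse_stack(text, mgmt_type="auth"):
    """Return [(control, module_basename, args)] for one management type."""
    stack = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if len(fields) >= 3 and fields[0] == mgmt_type:
            stack.append((fields[1], os.path.basename(fields[2]), fields[3:]))
    return stack


def evaluate(stack, outcomes):
    """Walk the stack; outcomes maps module name -> True for PAM_SUCCESS.

    Returns (granted, password_prompts, modules_run).
    """
    required_failed = False
    any_success = False
    have_password = False
    prompts = 0
    ran = []
    for control, module, args in stack:
        if control not in ("required", "requisite", "sufficient", "optional"):
            raise ValueError("unsupported control flag: " + control)
        ok = outcomes.get(module, False)        # unknown module: fail closed
        if module in PASSWORD_MODULES:
            reuse = "use_first_pass" in args or "try_first_pass" in args
            if reuse and have_password:
                pass                            # reuses the stored password
            elif "use_first_pass" in args:
                ok = False                      # nothing stored, never prompts
            else:
                prompts += 1                    # module asks the user itself
                have_password = True
        ran.append(module)
        if control == "sufficient":
            # Success ends the stack at once unless a required module
            # already failed; failure of a sufficient module is ignored.
            if ok and not required_failed:
                return True, prompts, ran
        elif control == "optional":
            any_success = any_success or ok     # failure is ignored
        elif ok:
            any_success = True
        elif control == "requisite":
            return False, prompts, ran          # fail immediately
        else:
            required_failed = True              # remembered, stack continues
    return (any_success and not required_failed), prompts, ran


def login(user_kind, stack_text=MANPAGE_STACK, nologin=False):
    """Constructed scenarios for a non-root 'domain', 'local' or 'unknown' user."""
    outcomes = {
        "pam_securetty.so": True,
        "pam_nologin.so": not nologin,          # fails when /etc/nologin exists
        "pam_winbind.so": user_kind == "domain",
        "pam_pwdb.so": user_kind == "local",
    }
    return evaluate(parse_stack(stack_text), outcomes)


if __name__ == "__main__":
    for kind in ("domain", "local", "unknown"):
        print(kind, login(kind))
    print("domain, /etc/nologin present:", login("domain", nologin=True))
    no_reuse = MANPAGE_STACK.replace(" use_first_pass", "")
    print("local, pam_pwdb without use_first_pass:", login("local", no_reuse))
```

In this model the domain user is granted as soon as pam_winbind.so succeeds, the local user falls through to pam_pwdb.so with a single prompt, and removing use_first_pass makes the local user type the password twice.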
RE: [Samba] Help with Winbind
Sure, I'll let you know, but could you pass along what you have for pam_mount? I didn't even start down that path yet. I'm glad to hear I'm not alone though.

Additionally, this may sound really naive, but what's the point of logging into a domain if you can't get anywhere?

Khanh Tran
Network Operations
Sarah Lawrence College

-----Original Message-----
From: Aaron Bennett [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 20, 2003 9:11 AM
To: Khanh Tran
Cc: '[EMAIL PROTECTED]'
Subject: Re: [Samba] Help with Winbind

Khanh --

I'm currently beating my head against the pam_mount wall, with no luck. It's the only way I can think of to do this w/o storing the password in plain text. pam_mount is supposed to be able to mount using the login credentials, but I haven't been able to make it work. I'll report any results I find. If you come across any other solutions, could you let me know?

Cheers,

Aaron Bennett

Khanh Tran wrote:
> OK, so I got all pam problems sorted out. For those interested, this pam/gdm worked on my RH 8.0 box:
>
> auth       sufficient   /lib/security/pam_winbind.so
> auth       sufficient   /lib/security/pam_unix.so likeauth use_first_pass nullok
> auth       required     /lib/security/pam_stack.so service=system-auth
> auth       required     /lib/security/pam_nologin.so
> account    sufficient   /lib/security/pam_winbind.so
> account    required     /lib/security/pam_stack.so service=system-auth
> password   required     /lib/security/pam_stack.so service=system-auth
> session    required     /lib/security/pam_stack.so service=system-auth
> session    optional     /lib/security/pam_console.so
>
> The only difference from what I had been using was the addition of the likeauth and nullok options on the pam_unix.so library.
>
> Now on to my next issue with home directories! I've tried two methods.
>
> First, I've used what the Winbind docs say for template homedir in smb.conf: /home/%D/%U. When my user logs in, I get an error that the home directory does not exist and then logs the user out. This is expected because they don't exist locally :)
>
> Second, I tried first mounting all my users' home directories (we mount them here under windows like Novell used to) under /home.DOMAIN. Then, I changed template homedir to /home/home.%D and restarted the Samba daemons. The user can log in, but I get the following permission error because I've got the home dirs mounted as root.
>
> Feb 20 08:12:26 Martyr gdm[849]: gdm_slave_session_start: Directory /home.DOMAIN/user/.gnome2 does not exist.
> Feb 20 08:12:26 Martyr gdm[849]: gdm_slave_session_start: Directory /home.DOMAIN/user/.gnome2 does not exist.
> Feb 20 08:12:26 Martyr gdm[849]: gdm_auth_user_add: /home.DOMAIN/user is not owned by uid 10173.
> Feb 20 08:12:47 Martyr gdm(pam_unix)[849]: session closed for user DOMAIN\user
>
> So, I guess my question is, is there a way to mount each user's home directory with their proper auth credentials under unix? I've read through the MARC archives and seen brief mentions of a hacked pam_mount, but nothing detailed or a more "standard" solution.
>
> Thanks again for everyone's help.
>
> Khanh Tran
> Network Operations
> Sarah Lawrence College
>
> -----Original Message-----
> From: Aaron Bennett [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, February 19, 2003 4:51 PM
> To: Khanh Tran
> Cc: '[EMAIL PROTECTED]'
> Subject: Re: [Samba] Help with Winbind
>
> For debugging purposes, put the machine in console mode (init 4 or whatever, just kill kdm/xdm/kdm), and modify /etc/pam.d/login as directed in the Howto. Login is much simpler than gdm, so you don't have to worry about multiple levels of pam stuff.
>
> best luck,
>
> Aaron Bennett
> UNIX Administrator
> Franklin W. Olin College of Engineering
>
> Khanh Tran wrote:
>> OK, so I added the lines to /etc/pam.d/gdm file. It's not a big deal for me to re-install RH on this box, so I didn't bother with the telnet test.
>>
>> Anyway, I put in my username and password, and get this error:
>> Feb 19 14:33:31 Martyr gdm(pam_unix)[835]: authentication failure; logname= uid=0 euid=0 tty=:0 ruser=gdm rhost=localhost
>>
>> But RH doesn't return to the username prompt, it asks for the password again, so I enter the same password again, and get:
>> Feb 19 14:33:45 Martyr pam_winbind[835]: user 'ADMIN+khanh' granted acces
>> Feb 19 14:33:45 Martyr gdm(pam_unix)[835]: check pass; user unknown
>> Feb 19 14:33:48 Martyr gdm-
Re: [Samba] Help with Winbind
Khanh --

I'm currently beating my head against the pam_mount wall, with no luck. It's the only way I can think of to do this w/o storing the password in plain text. pam_mount is supposed to be able to mount using the login credentials, but I haven't been able to make it work. I'll report any results I find. If you come across any other solutions, could you let me know?

Cheers,

Aaron Bennett

Khanh Tran wrote:
> OK, so I got all pam problems sorted out. For those interested, this pam/gdm worked on my RH 8.0 box:
>
> auth       sufficient   /lib/security/pam_winbind.so
> auth       sufficient   /lib/security/pam_unix.so likeauth use_first_pass nullok
> auth       required     /lib/security/pam_stack.so service=system-auth
> auth       required     /lib/security/pam_nologin.so
> account    sufficient   /lib/security/pam_winbind.so
> account    required     /lib/security/pam_stack.so service=system-auth
> password   required     /lib/security/pam_stack.so service=system-auth
> session    required     /lib/security/pam_stack.so service=system-auth
> session    optional     /lib/security/pam_console.so
>
> The only difference from what I had been using was the addition of the likeauth and nullok options on the pam_unix.so library.
>
> Now on to my next issue with home directories! I've tried two methods.
>
> First, I've used what the Winbind docs say for template homedir in smb.conf: /home/%D/%U. When my user logs in, I get an error that the home directory does not exist and then logs the user out. This is expected because they don't exist locally :)
>
> Second, I tried first mounting all my users' home directories (we mount them here under windows like Novell used to) under /home.DOMAIN. Then, I changed template homedir to /home/home.%D and restarted the Samba daemons. The user can log in, but I get the following permission error because I've got the home dirs mounted as root.
>
> Feb 20 08:12:26 Martyr gdm[849]: gdm_slave_session_start: Directory /home.DOMAIN/user/.gnome2 does not exist.
> Feb 20 08:12:26 Martyr gdm[849]: gdm_slave_session_start: Directory /home.DOMAIN/user/.gnome2 does not exist.
> Feb 20 08:12:26 Martyr gdm[849]: gdm_auth_user_add: /home.DOMAIN/user is not owned by uid 10173.
> Feb 20 08:12:47 Martyr gdm(pam_unix)[849]: session closed for user DOMAIN\user
>
> So, I guess my question is, is there a way to mount each user's home directory with their proper auth credentials under unix? I've read through the MARC archives and seen brief mentions of a hacked pam_mount, but nothing detailed or a more "standard" solution.
>
> Thanks again for everyone's help.
>
> Khanh Tran
> Network Operations
> Sarah Lawrence College
>
> -----Original Message-----
> From: Aaron Bennett [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, February 19, 2003 4:51 PM
> To: Khanh Tran
> Cc: '[EMAIL PROTECTED]'
> Subject: Re: [Samba] Help with Winbind
>
> For debugging purposes, put the machine in console mode (init 4 or whatever, just kill kdm/xdm/kdm), and modify /etc/pam.d/login as directed in the Howto. Login is much simpler than gdm, so you don't have to worry about multiple levels of pam stuff.
>
> best luck,
>
> Aaron Bennett
> UNIX Administrator
> Franklin W. Olin College of Engineering
>
> Khanh Tran wrote:
>> OK, so I added the lines to /etc/pam.d/gdm file. It's not a big deal for me to re-install RH on this box, so I didn't bother with the telnet test.
>>
>> Anyway, I put in my username and password, and get this error:
>> Feb 19 14:33:31 Martyr gdm(pam_unix)[835]: authentication failure; logname= uid=0 euid=0 tty=:0 ruser=gdm rhost=localhost
>>
>> But RH doesn't return to the username prompt, it asks for the password again, so I enter the same password again, and get:
>> Feb 19 14:33:45 Martyr pam_winbind[835]: user 'ADMIN+khanh' granted acces
>> Feb 19 14:33:45 Martyr gdm(pam_unix)[835]: check pass; user unknown
>> Feb 19 14:33:48 Martyr gdm-binary[835]: Couldn't authenticate user
>> Feb 19 14:33:48 Martyr gdm(pam_unix)[835]: 1 more authentication failure; logname= uid=0 euid=0 tty=:0 ruser=gdm rhost=localhost
>>
>> I'm guessing from the error that the box is trying to authenticate the user to the local passwd file? Anyway, thanks again for the help, but any more ideas?
>>
>> Khanh Tran
>> Network Operations
>> Sarah Lawrence College
>>
>> -----Original Message-----
>> From: bin wen [mailto:[EMAIL PROTECTED]]
>> Sent: Wednesday, February 19, 2003 2:24 PM
>> To: Khanh Tran; '[EMAIL PROTECTED]'
>> Subject: RE: [Samba] Help with Winbind
>>
>> Looks like you are logging in through GDM, so you probably have to change the /etc/pam/gdm file too. Before you do that, you may want to just do a telnet to the RH to see what happens.
>>
>> --- Khanh Tran <[EMAIL PROTECTED]> wrote:
>>> I changed the pam conf per the 12.5.3.6 section. Here's what I've got:
>>>
>>> pam.d/login:
>>> #%PAM-1.0
>>> auth       required     /lib/security/pam_securetty.so
>>> auth       sufficient   /lib/security/pam_winbind.so
>>> auth
RE: [Samba] Help with Winbind
OK, so I got all pam problems sorted out. For those interested, this pam/gdm worked on my RH 8.0 box:

auth       sufficient   /lib/security/pam_winbind.so
auth       sufficient   /lib/security/pam_unix.so likeauth use_first_pass nullok
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    sufficient   /lib/security/pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so

The only difference from what I had been using was the addition of the likeauth and nullok options on the pam_unix.so library.

Now on to my next issue with home directories! I've tried two methods.

First, I've used what the Winbind docs say for template homedir in smb.conf: /home/%D/%U. When my user logs in, I get an error that the home directory does not exist and then logs the user out. This is expected because they don't exist locally :)

Second, I tried first mounting all my users' home directories (we mount them here under windows like Novell used to) under /home.DOMAIN. Then, I changed template homedir to /home/home.%D and restarted the Samba daemons. The user can log in, but I get the following permission error because I've got the home dirs mounted as root.

Feb 20 08:12:26 Martyr gdm[849]: gdm_slave_session_start: Directory /home.DOMAIN/user/.gnome2 does not exist.
Feb 20 08:12:26 Martyr gdm[849]: gdm_slave_session_start: Directory /home.DOMAIN/user/.gnome2 does not exist.
Feb 20 08:12:26 Martyr gdm[849]: gdm_auth_user_add: /home.DOMAIN/user is not owned by uid 10173.
Feb 20 08:12:47 Martyr gdm(pam_unix)[849]: session closed for user DOMAIN\user

So, I guess my question is, is there a way to mount each user's home directory with their proper auth credentials under unix? I've read through the MARC archives and seen brief mentions of a hacked pam_mount, but nothing detailed or a more "standard" solution.

Thanks again for everyone's help.

Khanh Tran
Network Operations
Sarah Lawrence College

-----Original Message-----
From: Aaron Bennett [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 19, 2003 4:51 PM
To: Khanh Tran
Cc: '[EMAIL PROTECTED]'
Subject: Re: [Samba] Help with Winbind

For debugging purposes, put the machine in console mode (init 4 or whatever, just kill kdm/xdm/kdm), and modify /etc/pam.d/login as directed in the Howto. Login is much simpler than gdm, so you don't have to worry about multiple levels of pam stuff.

best luck,

Aaron Bennett
UNIX Administrator
Franklin W. Olin College of Engineering

Khanh Tran wrote:
> OK, so I added the lines to /etc/pam.d/gdm file. It's not a big deal for me to re-install RH on this box, so I didn't bother with the telnet test.
>
> Anyway, I put in my username and password, and get this error:
> Feb 19 14:33:31 Martyr gdm(pam_unix)[835]: authentication failure; logname= uid=0 euid=0 tty=:0 ruser=gdm rhost=localhost
>
> But RH doesn't return to the username prompt, it asks for the password again, so I enter the same password again, and get:
> Feb 19 14:33:45 Martyr pam_winbind[835]: user 'ADMIN+khanh' granted acces
> Feb 19 14:33:45 Martyr gdm(pam_unix)[835]: check pass; user unknown
> Feb 19 14:33:48 Martyr gdm-binary[835]: Couldn't authenticate user
> Feb 19 14:33:48 Martyr gdm(pam_unix)[835]: 1 more authentication failure; logname= uid=0 euid=0 tty=:0 ruser=gdm rhost=localhost
>
> I'm guessing from the error that the box is trying to authenticate the user to the local passwd file? Anyway, thanks again for the help, but any more ideas?
>
> Khanh Tran
> Network Operations
> Sarah Lawrence College
>
> -----Original Message-----
> From: bin wen [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, February 19, 2003 2:24 PM
> To: Khanh Tran; '[EMAIL PROTECTED]'
> Subject: RE: [Samba] Help with Winbind
>
> Looks like you are logging in through GDM, so you probably have to change the /etc/pam/gdm file too. Before you do that, you may want to just do a telnet to the RH to see what happens.
>
> --- Khanh Tran <[EMAIL PROTECTED]> wrote:
>> I changed the pam conf per the 12.5.3.6 section. Here's what I've got:
>>
>> pam.d/login:
>> #%PAM-1.0
>> auth       required     /lib/security/pam_securetty.so
>> auth       sufficient   /lib/security/pam_winbind.so
>> auth       sufficient   /lib/security/pam_unix.so use_first_pass
>> auth       required     /lib/security/pam_stack.so service=system-auth
>> auth       required     /lib/security/pam_nologi
Re: [Samba] Help with Winbind
For debugging purposes, put the machine in console mode (init 4 or whatever, just kill kdm/xdm/kdm), and modify /etc/pam.d/login as directed in the Howto. Login is much simpler than gdm, so you don't have to worry about multiple levels of pam stuff.

best luck,

Aaron Bennett
UNIX Administrator
Franklin W. Olin College of Engineering

Khanh Tran wrote:
> OK, so I added the lines to /etc/pam.d/gdm file. It's not a big deal for me to re-install RH on this box, so I didn't bother with the telnet test.
>
> Anyway, I put in my username and password, and get this error:
> Feb 19 14:33:31 Martyr gdm(pam_unix)[835]: authentication failure; logname= uid=0 euid=0 tty=:0 ruser=gdm rhost=localhost
>
> But RH doesn't return to the username prompt, it asks for the password again, so I enter the same password again, and get:
> Feb 19 14:33:45 Martyr pam_winbind[835]: user 'ADMIN+khanh' granted acces
> Feb 19 14:33:45 Martyr gdm(pam_unix)[835]: check pass; user unknown
> Feb 19 14:33:48 Martyr gdm-binary[835]: Couldn't authenticate user
> Feb 19 14:33:48 Martyr gdm(pam_unix)[835]: 1 more authentication failure; logname= uid=0 euid=0 tty=:0 ruser=gdm rhost=localhost
>
> I'm guessing from the error that the box is trying to authenticate the user to the local passwd file? Anyway, thanks again for the help, but any more ideas?
>
> Khanh Tran
> Network Operations
> Sarah Lawrence College
>
> -----Original Message-----
> From: bin wen [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, February 19, 2003 2:24 PM
> To: Khanh Tran; '[EMAIL PROTECTED]'
> Subject: RE: [Samba] Help with Winbind
>
> Looks like you are logging in through GDM, so you probably have to change the /etc/pam/gdm file too. Before you do that, you may want to just do a telnet to the RH to see what happens.
>
> --- Khanh Tran <[EMAIL PROTECTED]> wrote:
>> I changed the pam conf per the 12.5.3.6 section. Here's what I've got:
>>
>> pam.d/login:
>> #%PAM-1.0
>> auth       required     /lib/security/pam_securetty.so
>> auth       sufficient   /lib/security/pam_winbind.so
>> auth       sufficient   /lib/security/pam_unix.so use_first_pass
>> auth       required     /lib/security/pam_stack.so service=system-auth
>> auth       required     /lib/security/pam_nologin.so
>> account    sufficient   /lib/security/pam_winbind.so
>> account    required     /lib/security/pam_stack.so service=system-auth
>> password   required     /lib/security/pam_stack.so service=system-auth
>> session    required     /lib/security/pam_stack.so service=system-auth
>> session    optional     /lib/security/pam_console.so
>>
>> Khanh Tran
>> Network Operations
>> Sarah Lawrence College
>>
>> -----Original Message-----
>> From: bin wen [mailto:[EMAIL PROTECTED]]
>> Sent: Wednesday, February 19, 2003 1:58 PM
>> To: Khanh Tran; '[EMAIL PROTECTED]'
>> Subject: Re: [Samba] Help with Winbind
>>
>> From your log file, it looks like the RH still uses the pam_unix module to authenticate. Have you changed the pam configuration to use winbindd following the instruction in section 12.5.3.6?
>>
>> --- Khanh Tran <[EMAIL PROTECTED]> wrote:
>>> I've been trying for weeks to get winbind working with RedHat Linux 8.0. I've got everything set up per the winbind docs on http://www.samba.org/samba/docs/Samba-HOWTO-Collection.html#WINBIND.
>>>
>>> I've successfully joined my NT4 domain with smbpasswd -j DOMAIN -r PDC -U Administrator. Running wbinfo -u returns my domain user list, as well as wbinfo -g returning my domain groups. getent passwd returns the domain user list in the passwd format, and getent group does the same. I've then set up my /etc/pam.d/login to match the one on the HOWTO.
>>>
>>> The problem is that when I go to login (username: DOMAIN+user), the workstation won't log me in. My messages log returns only:
>>>
>>> Feb 19 13:20:46 Martyr gdm(pam_unix)[835]: check pass; user unknown
>>> Feb 19 13:20:46 Martyr gdm(pam_unix)[835]: authentication failure; logname= uid=0 euid=0 tty=:0 ruser=gdm rhost=localhost
>>> Feb 19 13:20:47 Martyr gdm-binary[835]: Couldn't authenticate user
>>>
>>> Any help is greatly appreciated, and thanks in advance!
>>>
>>> Khanh Tran
>>> Network Operations
>>> Sarah Lawrence College
RE: [Samba] Help with Winbind
OK, so I added the lines to /etc/pam.d/gdm file. It's not a big deal for me to re-install RH on this box, so I didn't bother with the telnet test.

Anyway, I put in my username and password, and get this error:
Feb 19 14:33:31 Martyr gdm(pam_unix)[835]: authentication failure; logname= uid=0 euid=0 tty=:0 ruser=gdm rhost=localhost

But RH doesn't return to the username prompt, it asks for the password again, so I enter the same password again, and get:
Feb 19 14:33:45 Martyr pam_winbind[835]: user 'ADMIN+khanh' granted acces
Feb 19 14:33:45 Martyr gdm(pam_unix)[835]: check pass; user unknown
Feb 19 14:33:48 Martyr gdm-binary[835]: Couldn't authenticate user
Feb 19 14:33:48 Martyr gdm(pam_unix)[835]: 1 more authentication failure; logname= uid=0 euid=0 tty=:0 ruser=gdm rhost=localhost

I'm guessing from the error that the box is trying to authenticate the user to the local passwd file? Anyway, thanks again for the help, but any more ideas?

Khanh Tran
Network Operations
Sarah Lawrence College

-----Original Message-----
From: bin wen [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 19, 2003 2:24 PM
To: Khanh Tran; '[EMAIL PROTECTED]'
Subject: RE: [Samba] Help with Winbind

Looks like you are logging in through GDM, so you probably have to change the /etc/pam/gdm file too. Before you do that, you may want to just do a telnet to the RH to see what happens.

--- Khanh Tran <[EMAIL PROTECTED]> wrote:
> I changed the pam conf per the 12.5.3.6 section. Here's what I've got:
>
> pam.d/login:
> #%PAM-1.0
> auth       required     /lib/security/pam_securetty.so
> auth       sufficient   /lib/security/pam_winbind.so
> auth       sufficient   /lib/security/pam_unix.so use_first_pass
> auth       required     /lib/security/pam_stack.so service=system-auth
> auth       required     /lib/security/pam_nologin.so
> account    sufficient   /lib/security/pam_winbind.so
> account    required     /lib/security/pam_stack.so service=system-auth
> password   required     /lib/security/pam_stack.so service=system-auth
> session    required     /lib/security/pam_stack.so service=system-auth
> session    optional     /lib/security/pam_console.so
>
> Khanh Tran
> Network Operations
> Sarah Lawrence College
>
> -----Original Message-----
> From: bin wen [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, February 19, 2003 1:58 PM
> To: Khanh Tran; '[EMAIL PROTECTED]'
> Subject: Re: [Samba] Help with Winbind
>
> From your log file, it looks like the RH still uses the pam_unix module to authenticate. Have you changed the pam configuration to use winbindd following the instruction in section 12.5.3.6?
>
> --- Khanh Tran <[EMAIL PROTECTED]> wrote:
>> I've been trying for weeks to get winbind working with RedHat Linux 8.0. I've got everything set up per the winbind docs on http://www.samba.org/samba/docs/Samba-HOWTO-Collection.html#WINBIND.
>>
>> I've successfully joined my NT4 domain with smbpasswd -j DOMAIN -r PDC -U Administrator. Running wbinfo -u returns my domain user list, as well as wbinfo -g returning my domain groups. getent passwd returns the domain user list in the passwd format, and getent group does the same. I've then set up my /etc/pam.d/login to match the one on the HOWTO.
>>
>> The problem is that when I go to login (username: DOMAIN+user), the workstation won't log me in. My messages log returns only:
>>
>> Feb 19 13:20:46 Martyr gdm(pam_unix)[835]: check pass; user unknown
>> Feb 19 13:20:46 Martyr gdm(pam_unix)[835]: authentication failure; logname= uid=0 euid=0 tty=:0 ruser=gdm rhost=localhost
>> Feb 19 13:20:47 Martyr gdm-binary[835]: Couldn't authenticate user
>>
>> Any help is greatly appreciated, and thanks in advance!
>>
>> Khanh Tran
>> Network Operations
>> Sarah Lawrence College
RE: [Samba] Help with Winbind
Looks like you are logging in through GDM, so you probably have to change the /etc/pam/gdm file too. Before you do that, you may want to just do a telnet to the RH and see what happens.

--- Khanh Tran <[EMAIL PROTECTED]> wrote:
> I changed the pam conf per the 12.5.3.6 section.
> Here's what I've got:
>
> pam.d/login:
> #%PAM-1.0
> auth required /lib/security/pam_securetty.so
> auth sufficient /lib/security/pam_winbind.so
> auth sufficient /lib/security/pam_unix.so use_first_pass
> auth required /lib/security/pam_stack.so service=system-auth
> auth required /lib/security/pam_nologin.so
> account sufficient /lib/security/pam_winbind.so
> account required /lib/security/pam_stack.so service=system-auth
> password required /lib/security/pam_stack.so service=system-auth
> session required /lib/security/pam_stack.so service=system-auth
> session optional /lib/security/pam_console.so
>
> Khanh Tran
> Network Operations
> Sarah Lawrence College
>
> -Original Message-
> From: bin wen [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, February 19, 2003 1:58 PM
> To: Khanh Tran; '[EMAIL PROTECTED]'
> Subject: Re: [Samba] Help with Winbind
>
> From your log file, it looks like the RH still uses
> the pam_unix module to authenticate. Have you changed
> the pam configuration to use winbindd following the
> instruction in section 12.5.3.6 ?
>
> --- Khanh Tran <[EMAIL PROTECTED]> wrote:
> > I've been trying for weeks to get winbind working with RedHat Linux 8.0.
> > I've got everything setup per the winbind docs on
> > http://www.samba.org/samba/docs/Samba-HOWTO-Collection.html#WINBIND.
> >
> > I've successfully joined my NT4 domain with
> > smbpasswd -j DOMAIN -r PDC -U Administrator. Running wbinfo -u returns my
> > domain user list, as well as wbinfo -g returning my domain groups. getent
> > passwd returns the domain user list in the passwd format, and getent group
> > does the same. I've then set up my /etc/pam.d/login to match the one on the
> > HOWTO.
> >
> > The problem is that when I go to login (username: DOMAIN+user), the
> > workstation won't log me in. My messages log returns only:
> >
> > Feb 19 13:20:46 Martyr gdm(pam_unix)[835]: check pass; user unknown
> > Feb 19 13:20:46 Martyr gdm(pam_unix)[835]: authentication failure; logname= uid=0 euid=0 tty=:0 ruser=gdm rhost=localhost
> > Feb 19 13:20:47 Martyr gdm-binary[835]: Couldn't authenticate user
> >
> > Any help is greatly appreciated, and thanks in advance!
> >
> > Khanh Tran
> > Network Operations
> > Sarah Lawrence College
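The check suggested in the reply above, as an added example that is not part of the original thread: read which PAM service logged the failure, then see whether that service's auth stack (following `pam_stack.so service=...`) ever reaches `pam_winbind.so`. The `PAM_D` contents and all function names are constructed for illustration, and the code assumes the syslog tag equals the PAM service name.

```python
import re
# Constructed sample: the syslog lines quoted in the thread, unwrapped.
LOG = """\
Feb 19 13:20:46 Martyr gdm(pam_unix)[835]: check pass; user unknown
Feb 19 13:20:46 Martyr gdm(pam_unix)[835]: authentication failure; logname= uid=0 euid=0 tty=:0 ruser=gdm rhost=localhost
Feb 19 13:20:47 Martyr gdm-binary[835]: Couldn't authenticate user
"""
# Constructed stand-in for /etc/pam.d (assumption): only "login" was edited.
PAM_D = {
    "login": "auth sufficient /lib/security/pam_winbind.so\n"
             "auth required /lib/security/pam_stack.so service=system-auth\n",
    "gdm": "auth required /lib/security/pam_env.so\n"
           "auth required /lib/security/pam_stack.so service=system-auth\n",
    "system-auth": "auth sufficient /lib/security/pam_unix.so likeauth nullok\n"
                   "auth required /lib/security/pam_deny.so\n",
}
# Matches "<service>(<module>)[pid]: message" as PAM modules write it to syslog.
LOG_RE = re.compile(r"\s(\S+?)\((pam_\w+)\)\[\d+\]: (.*)")

def failing_services(log):
    """Map PAM service name -> modules that logged an auth failure for it."""
    hits = {}
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if m and re.search(r"authentication failure|user unknown", m.group(3)):
            hits.setdefault(m.group(1), set()).add(m.group(2))
    return hits

def auth_modules(service, pam_d, seen=None):
    """Auth modules a service runs, following pam_stack.so service=NAME."""
    seen = set() if seen is None else seen
    if service in seen or service not in pam_d:
        return []
    seen.add(service)
    mods = []
    for line in pam_d[service].splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "auth":
            continue
        name = fields[2].rsplit("/", 1)[-1]
        mods.append(name)
        sub = re.search(r"\bservice=(\S+)", line)
        if name == "pam_stack.so" and sub:
            mods += auth_modules(sub.group(1), pam_d, seen)
    return mods

def winbind_coverage(log, pam_d):
    """For each service failing in the log: does its auth stack reach pam_winbind?"""
    return {s: "pam_winbind.so" in auth_modules(s, pam_d) for s in failing_services(log)}
```

On the sample data the only failing service is `gdm`, and its stack never reaches `pam_winbind.so`, although the `login` stack does.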
RE: [Samba] Help with Winbind
I changed the pam conf per the 12.5.3.6 section. Here's what I've got:

pam.d/login:
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so use_first_pass
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account sufficient /lib/security/pam_winbind.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so

Khanh Tran
Network Operations
Sarah Lawrence College

-Original Message-
From: bin wen [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 19, 2003 1:58 PM
To: Khanh Tran; '[EMAIL PROTECTED]'
Subject: Re: [Samba] Help with Winbind

From your log file, it looks like the RH still uses the pam_unix module to authenticate. Have you changed the pam configuration to use winbindd following the instruction in section 12.5.3.6 ?

--- Khanh Tran <[EMAIL PROTECTED]> wrote:
> I've been trying for weeks to get winbind working with RedHat Linux 8.0.
> I've got everything setup per the winbind docs on
> http://www.samba.org/samba/docs/Samba-HOWTO-Collection.html#WINBIND.
>
> I've successfully joined my NT4 domain with
> smbpasswd -j DOMAIN -r PDC -U Administrator. Running wbinfo -u returns my
> domain user list, as well as wbinfo -g returning my domain groups. getent
> passwd returns the domain user list in the passwd format, and getent group
> does the same. I've then set up my /etc/pam.d/login to match the one on the
> HOWTO.
>
> The problem is that when I go to login (username: DOMAIN+user), the
> workstation won't log me in. My messages log returns only:
>
> Feb 19 13:20:46 Martyr gdm(pam_unix)[835]: check pass; user unknown
> Feb 19 13:20:46 Martyr gdm(pam_unix)[835]: authentication failure; logname= uid=0 euid=0 tty=:0 ruser=gdm rhost=localhost
> Feb 19 13:20:47 Martyr gdm-binary[835]: Couldn't authenticate user
>
> Any help is greatly appreciated, and thanks in advance!
>
> Khanh Tran
> Network Operations
> Sarah Lawrence College
Re: [Samba] Help with Winbind
From your log file, it looks like the RH still uses the pam_unix module to authenticate. Have you changed the pam configuration to use winbindd following the instruction in section 12.5.3.6 ?

--- Khanh Tran <[EMAIL PROTECTED]> wrote:
> I've been trying for weeks to get winbind working with RedHat Linux 8.0.
> I've got everything setup per the winbind docs on
> http://www.samba.org/samba/docs/Samba-HOWTO-Collection.html#WINBIND.
>
> I've successfully joined my NT4 domain with
> smbpasswd -j DOMAIN -r PDC -U Administrator. Running wbinfo -u returns my
> domain user list, as well as wbinfo -g returning my domain groups. getent
> passwd returns the domain user list in the passwd format, and getent group
> does the same. I've then set up my /etc/pam.d/login to match the one on the
> HOWTO.
>
> The problem is that when I go to login (username: DOMAIN+user), the
> workstation won't log me in. My messages log returns only:
>
> Feb 19 13:20:46 Martyr gdm(pam_unix)[835]: check pass; user unknown
> Feb 19 13:20:46 Martyr gdm(pam_unix)[835]: authentication failure; logname= uid=0 euid=0 tty=:0 ruser=gdm rhost=localhost
> Feb 19 13:20:47 Martyr gdm-binary[835]: Couldn't authenticate user
>
> Any help is greatly appreciated, and thanks in advance!
>
> Khanh Tran
> Network Operations
> Sarah Lawrence College
Re: [Samba] help with winbind!
On 19 Nov 2002, Wilson A. Galafassi Jr. wrote:

> hello!
> any help me with winbind.
> i need to use samba/winbind just only to provide authentication with ntlm
> for squid.
> programs versions: linux rh 8.0 - squid 2.5S1 - samba 2.2.6
>
> remember: the use of samba/winbind is only to provide authentication for
> squid with ntlm.
>
> MY smb.conf
> workgroup = CENTROADM
> password server = PMF
> security = domain
> winbind uid = 1-2
> winbind gid = 1-2
> winbind use default domain = yes
>
> that configuration of smb.conf is in SQUID FAQ.
>
> ok. when i join in a domain is everything ok. but when i type wbinfo -t
> says: could not check secret.

The samba default is "security = user", for this to work you need "security = domain", plus you need "password server = *", then you need to join the domain:

1. On the NT domain use server manager to add an account for a member server/workstation called centroadm.
2. smbpasswd -j PMF -r "PMF's PDC" -U administrator

> what is incorrect?
> any help me
>
> thanks
>
> wilson

- John T.
--
John H Terpstra
Email: [EMAIL PROTECTED]
RE: [Samba] help with winbind!
Is samba running ??

ps -ae | grep smbd

Josh

-Original Message-
From: Wilson A. Galafassi Jr. [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 19, 2002 11:54 AM
To: [EMAIL PROTECTED]
Subject: [Samba] help with winbind!

hello!
any help me with winbind.
i need to use samba/winbind just only to provide authentication with ntlm for squid.
programs versions: linux rh 8.0 - squid 2.5S1 - samba 2.2.6

remember: the use of samba/winbind is only to provide authentication for squid with ntlm.

MY smb.conf
workgroup = CENTROADM
password server = PMF
security = domain
winbind uid = 1-2
winbind gid = 1-2
winbind use default domain = yes

that configuration of smb.conf is in SQUID FAQ.

ok. when i join in a domain is everything ok. but when i type wbinfo -t says: could not check secret.

what is incorrect?
any help me

thanks

wilson