I have managed to get pam_winbind.so (2.2.7a) to work on IBM AIX 5.2 but the
sys_getpwnam() subroutine still need a user to be defined in the /etc/passwd
file.
Is it nessessary to port winbind_nss to AIX as a loadable authentication
module (sort of similar to nss)?
I have done the following to make pam_winbind.so authenticate a user with
the Windows PDC password:
1 - Configure smb.conf
workgroup = <domainname>
security = DOMAIN
password server = <nt pdc name>
encrypt passwords = Yes
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind cache time = 15
template homedir = /home/%U
template shell = /usr/bin/ksh
2 - Start winbindd
winbindd (I used -i while debugging)
3 - Add users to /etc/passwd
mkuser <username>
4 - Change the SYSTEM attribute for the default: stanza in
/etc/security/user to:
SYSTEM = "WINBIND OR WINBIND[UNAVAIL] AND compat"
5 - Add the following stanzas to /usr/lib/security/methods.cfg:
PAM:
program = /usr/lib/security/PAM
WINBIND:
options = auth=PAM,db=BUILTIN
6 - Create /etc/pam.conf with the following lines (the last entry is the NT
Domain name):
OTHER auth required /usr/lib/security/pam_winbind.so debug
use_first_pass unknown_ok TESTDOM
OTHER account required /usr/lib/security/pam_winbind.so debug
use_first_pass unknown_ok TESTDOM
OTHER session required /usr/lib/security/pam_winbind.so debug
use_first_pass unknown_ok TESTDOM
OTHER password required /usr/lib/security/pam_winbind.so debug
use_first_pass unknown_ok TESTDOM
7 - Patch samba-2.2.7a/source/nsswitch/pam_winbind.c
--- pam_winbind.c Tue Jan 14 13:20:18 2003
+++ pam_winbind.c~patched Tue Jan 14 13:20:10 2003
@@ -10,6 +10,7 @@
*/
#include "pam_winbind.h"
+static char ctrl_domain[64]; /*BR*/
/* prototypes from common.c */
void init_request(struct winbindd_request *req,int rq_type);
@@ -52,6 +53,8 @@
ctrl |= WINBIND_UNKNOWN_OK_ARG;
else {
_pam_log(LOG_ERR, "pam_parse: unknown option; %s", *argv);
+ bzero(ctrl_domain);
+ strcpy(ctrl_domain,*argv); /*BR*/
}
}
@@ -421,7 +424,20 @@
_pam_log(LOG_INFO, "Verify user `%s'", username);
#endif
}
- return winbind_auth_request(username, password, ctrl);
+/* BR */
+ if (strlen(ctrl_domain)>0) {
+ static char uuu[64];
+ bzero(uuu, sizeof(uuu));
+ strcpy(uuu, ctrl_domain);
+ uuu[strlen(uuu)] = '\\';
+ strcpy(&uuu[strlen(uuu)], username);
+ _pam_log(LOG_INFO, "Verify patched domain user `%s'", uuu);
+ return winbind_auth_request(uuu, password, ctrl);
+ } else {
+ /* Now use the username to look up password */
+ _pam_log(LOG_INFO, "Verify plain user `%s'", username);
+ return winbind_auth_request(username, password, ctrl);
+ }
}
PAM_EXTERN
8 - Compile pam_winbind.c to pam_winbind.so
cd source && make nsswitch
(cd nsswitch&&gcc -lpam -Wl,-bexpall,-bM:SRE,-bnoentry -o
pam_winbind.so pam_winbind.po wb_common.po ../lib/snprintf.po)
9 - Copy pam_winbind.so to /usr/lib/security
cp source/nsswitch/pam_winbind.so /usr/lib/security
chmod 644 /usr/lib/security/pam_winbind.so
10 - Test by using telnetting to the local host and login as a NT Domain
user
tn 0
_________________________________________________________________
STOP MORE SPAM with the new MSN 8 and get 2 months FREE*
http://join.msn.com/?page=features/junkmail
- Re: PAM and winbind on AIX 5.2 Bjorn Roden
- Re: PAM and winbind on AIX 5.2 Gerald (Jerry) Carter
