Thank you. That did the trick.
Chris de Vidal wrote:
--- Aaron Bennett <[EMAIL PROTECTED]> wrote:
I'd also like to configure sshd to use this winbindd. However, this
/etc/pam.d/sshd file doesn't work and I can't figure out why. I've put
+ signs to show the lines I added to the stock RHAT 8 sshd pam def.
#%PAM-1.0
+ auth sufficient /lib/security/pam_winbind.so
+ auth sufficient /lib/security/pam_unix.so use_first_pass
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
+ account sufficient /lib/security/pam_winbind.so
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_limits.so
session optional /lib/security/pam_console.so
Ideas, solutions, and pointers to a FAQ or some good pam documentation
are all appreciated, as I'll be the first to admit that I don't know my
ass from my elbow with regards to pam.
LOL.
I looked at the same document you probably looked at:
http://us3.samba.org/samba/docs/Samba-HOWTO-Collection.html#AEN2358
and used the ftp example for any services I have,
except I leave out the pam_listfile.so line at the
top.
In essence, you want auth sufficient pam_winbind.so
before any other auth lines. Then you want account
sufficient pam_winbind.so before any other account
lines.
This is different for login-type services like kde,
gdm, and login. Follow the login example for these.
Also, the pam_unix.so use_first_pass you added is only
necessary for pam.d/login (I believe ssh reads that
after reading pam.d/ssh). Remove this line.
Following the pattern in the ftp example, account
sufficient pam_winbind.so needs to go immediately
before any account lines. Move it up one.
Finally, the /lib/security is implied (at least it is
in RedHat 7+... YMMV), so you can shorten it to just
pam_winbind.so, which is slick.
For reference, here is my pam.d/ssh file:
#######################################################
#%PAM-1.0
auth sufficient pam_winbind.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account sufficient pam_winbind.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_limits.so
session optional /lib/security/pam_console.so
#######################################################
Use the pattern I explained above for any other
services (NetAtalk, FTP, etc.). Use the login example
for login-type services like kde, login, or gdm (as
you have already done). SSH seems like it would be a
login-type service, but it doesn't appear to act that
way.
Good luck,
/dev/idal
--
Aaron Bennett
UNIX Administrator
Franklin W. Olin College of Engineering
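
Added example, not part of the thread and not Samba's code: a small checker for the ordering rule described in the reply (auth sufficient pam_winbind.so before any other auth line, account sufficient pam_winbind.so before any other account line). The function names are made up for illustration, and the two sample configs are the auth/account lines of the two files posted above.

```python
import os
import re

# Fields: type, control (plain word or [bracketed]), module path, optional args.
LINE_RE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
CHECKED_TYPES = ("auth", "account")  # the two stacks the thread's rule covers

# auth/account lines of the non-working file from the thread ("+" markers dropped).
ORIGINAL = """#%PAM-1.0
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so use_first_pass
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
account sufficient /lib/security/pam_winbind.so
"""
# auth/account lines of the working file from the reply.
FIXED = """#%PAM-1.0
auth sufficient pam_winbind.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account sufficient pam_winbind.so
account required /lib/security/pam_stack.so service=system-auth
"""

def parse_pam(text):
    """Parse pam.d text into (type, control, module_basename, args) tuples."""
    text = text.replace("\\\n", " ")         # backslash-newline continues a rule
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, including #%PAM-1.0
        m = LINE_RE.match(line)
        if m:
            mtype, control, module, args = m.groups()
            entries.append((mtype.lower(), control, os.path.basename(module), args))
    return entries

def check_winbind_order(text):
    """List the stacks whose first rule is not 'sufficient pam_winbind.so'."""
    problems = []
    entries = parse_pam(text)
    for mtype in CHECKED_TYPES:
        stack = [e for e in entries if e[0] == mtype]
        if not stack:
            problems.append(f"{mtype}: no rules found")
        elif stack[0][1:3] != ("sufficient", "pam_winbind.so"):
            problems.append(f"{mtype}: first rule is '{stack[0][1]} {stack[0][2]}', "
                            "expected 'sufficient pam_winbind.so'")
    return problems
```

check_winbind_order(ORIGINAL) reports the account stack, where pam_stack.so comes before pam_winbind.so; check_winbind_order(FIXED) returns an empty list.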