I just got this working today, thanks to Andy from the BBC. Here is what my pam.conf looks like, warts and all!
#
#ident "@(#)pam.conf 1.20 02/01/23 SMI"
#
# Copyright 1996-2002 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth required pam_winbind.so
login auth requisite pam_authtok_get.so.1 debug
#login auth sufficient /usr/lib/security/pam_winbind.so.1 try_first_pass debug
login auth sufficient pam_dhkeys.so.1 debug
login auth sufficient pam_unix_auth.so.1 debug
login auth sufficient pam_dial_auth.so.1 debug
#login auth sufficient /usr/lib/security/pam_winbind.so.1 debug try_first_pass
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth required pam_winbind.so
rlogin auth sufficient pam_rhosts_auth.so.1 debug
rlogin auth requisite pam_authtok_get.so.1 debug
rlogin auth sufficient pam_dhkeys.so.1 debug
rlogin auth sufficient pam_unix_auth.so.1 debug
#rlogin auth sufficient /usr/lib/security/pam_winbind.so.1 try_first_pass debug
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1 debug
rsh auth required pam_unix_auth.so.1 debug
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1 debug
ppp auth required pam_dhkeys.so.1 debug
ppp auth required pam_unix_auth.so.1 debug
ppp auth required pam_dial_auth.so.1 debug
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth sufficient pam_winbind.so
other auth requisite pam_authtok_get.so.1 debug
other auth sufficient pam_dhkeys.so.1 debug
other auth sufficient pam_unix_auth.so.1 debug
#other auth sufficient /usr/lib/security/pam_winbind.so.1 try_first_pass debug
#
# passwd command (explicit because of a different authentication module)
#
passwd auth required pam_passwd_auth.so.1 debug
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_projects.so.1 debug
cron account required pam_unix_account.so.1 debug
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account sufficient pam_winbind.so
other account requisite pam_roles.so.1 debug
other account sufficient pam_projects.so.1 debug
other account sufficient pam_unix_account.so.1 debug
#other account sufficient /usr/lib/security/pam_winbind.so.1 debug
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_mkhomedir.so skel=/etc/skel umask=0022
other session required pam_unix_session.so.1 debug
other session sufficient /usr/lib/security/pam_winbind.so.1 try_first_pass debug
#other session required pam_mkhomedir.so.1 debug skel=/etc/skel umask=0022
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1 debug
other password requisite pam_authtok_get.so.1 debug
other password requisite pam_authtok_check.so.1 debug
other password required pam_authtok_store.so.1 debug
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin auth optional pam_krb5.so.1 try_first_pass
#login auth optional pam_krb5.so.1 try_first_pass
#other auth optional pam_krb5.so.1 try_first_pass
#cron account optional pam_krb5.so.1
#other account optional pam_krb5.so.1
#other session optional pam_krb5.so.1
#other password optional pam_krb5.so.1 try_first_pass

-----Original Message-----
From: Buchan Milne [mailto:[EMAIL PROTECTED]
Sent: 04 February 2004 16:17
To: Tim Simpson
Cc: [EMAIL PROTECTED]
Subject: Re: [Samba] How do I get pam_mkhomedir to work

On 3 Feb 2004, Tim Simpson wrote:

> Message follows this disclaimer
> ----------------------------------------------------------------------
> ----------------------------
> This email and any files transmitted with it is confidential and intended solely
> for the person or organisation to whom it is addressed.

This mail is not addressed to me, may I read it? ;-)

> Sorry if this is a simple question but I have been struggling for many
> days trying to get samba-3.0.2rc2 working with a win2k AD
>
> wbinfo -t works
> wbinfo -u works
> wbinfo -g works
>
> getent passwd username works
>
> sharing dirs works
>
> in fact everything seems to work with the exception of a user's
> directory being created using pam_mkhomedir.so
>
> I am running on Redhat 9 with Samba 3.0.2rc2
>
> Samba was built using the following options: configure --with-quotas --with-pam
>
> I presume it is something wrong with my pam config which follows
>
> #%PAM-1.0
> auth required pam_securetty.so
> #auth required pam_stack.so service=system-auth
> auth required pam_nologin.so
> auth sufficient pam_winbind.so
> auth required pam_env.so
> auth required pam_unix.so nullok use_first_pass
> account sufficient pam_winbind.so
> account required pam_unix.so
> #account required pam_stack.so service=system-auth
> #password required pam_stack.so service=system-auth
> #session required pam_stack.so service=system-auth
> #session optional pam_console.so
> session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
> password required pam_unix.so nullok obscure min=4 max=8
> session required pam_unix.so
> session optional pam_lastlog.so
> session optional pam_motd.so
> session optional pam_mail.so standard noenv
>
> I have tried many variations of this file from various postings but all
> to no avail
>
> the relevant part of smb.conf follows
>
> # Global parameters
> [global]
> workgroup = LEARNINGDOMAIN
> realm = LEARNINGDOMAIN.ORG
> server string = %L running Samba %v
> security = ADS
> obey pam restrictions = Yes
> password server = pdc.learningdomain.org
> passwd program = /usr/bin/passwd %u
> unix password sync = Yes
> log level = 3
> log file = /var/log/samba/log.%m
> preferred master = No
> local master = No
> domain master = No
> dns proxy = No
> ldap ssl = no
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> template homedir = /home/%D/%U
> template shell = /bin/bash
> winbind separator = +
> [shares]
> force create mode = 0660
> force directory mode = 0770
> [homes]
> path = /home/%D/%U
> browseable = no
> read only = no
> create mask = 0600
> directory mask = 0700
> writable = yes
>
> if I try su - DOMAIN+Username from a shell prompt
>
> I get the following reply
>
> [EMAIL PROTECTED] pam.d]# su - LEARNINGDOMAIN+Administrator
> su: warning: cannot change directory to
> /home/LEARNINGDOMAIN/Administrator: No such file or directory
> -bash-2.05b$

pam_mkhomedir doesn't make deep directories ... does /home/LEARNINGDOMAIN exist?

And, you don't mention which pam config file you are editing, but it is most likely more useful to do this in system-auth, then if you set 'obey pam restrictions = yes' in smb.conf, samba will even make the home directories (or any app pam application with session support ...

Regards,
Buchan

--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
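The two pam.conf files in this thread both lean on the control flags (required, requisite, sufficient) to decide whether winbind or the local password file wins. The following is an added example, not code from the thread or from Samba or Solaris; it parses lines in both the Solaris pam.conf format and the Red Hat pam.d format, then walks a stack with the control-flag rules that Solaris PAM and Linux-PAM share. Module outcomes are supplied by the caller (True, False, or absent for PAM_IGNORE) rather than obtained from real modules, and the excerpts and the "local user" / "domain user" outcome tables are constructed for the demonstration. Run on the posted Solaris stack it shows the difference between the explicit login service, where pam_winbind.so is "required", and the "other" stack, where it is "sufficient": a local account that winbind does not know is denied on login but accepted through "other".

```python
"""Added example (not from the thread): evaluate PAM control-flag semantics.

Parses Solaris-style pam.conf lines ("service type control module [args]")
and Linux /etc/pam.d/<service> lines ("type control module [args]"), then
walks a stack with the required/requisite/sufficient/optional rules that
Solaris PAM and Linux-PAM share. Module outcomes are supplied by the
caller (True = PAM_SUCCESS, False = failure, absent = PAM_IGNORE), so the
effect of module order can be inspected offline.
"""
import shlex

CONTROLS = {"required", "requisite", "sufficient", "optional"}


def parse_pam_lines(text, service=None):
    """Return [(service, type, control, module, args)].

    service=None selects the Solaris pam.conf format; otherwise the Linux
    pam.d format is assumed and every line belongs to `service`.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = shlex.split(line)
        if service is None:
            svc, typ, ctl, mod, *args = fields
        else:
            svc, (typ, ctl, mod, *args) = service, fields
        if ctl not in CONTROLS:
            raise ValueError(f"unsupported control flag {ctl!r} in: {raw}")
        entries.append((svc, typ, ctl, mod, args))
    return entries


def stack_for(entries, service, typ):
    """PAM uses the service's own entries for a type, else the 'other' ones."""
    own = [e for e in entries if e[0] == service and e[1] == typ]
    return own or [e for e in entries if e[0] == "other" and e[1] == typ]


def evaluate(stack, results):
    """Return (passed, trace); trace lists (module, control, outcome) for
    every module actually consulted, so short-circuits are visible."""
    positive = False         # some module contributed a success
    required_failed = False  # a required module failed earlier in the stack
    trace = []
    for _svc, _typ, ctl, mod, _args in stack:
        outcome = results.get(mod)
        trace.append((mod, ctl, outcome))
        if outcome is None:              # PAM_IGNORE: no effect on the stack
            continue
        if ctl == "required":
            if outcome:
                positive = True
            else:
                required_failed = True   # keep walking, which hides the failing module
        elif ctl == "requisite":
            if outcome:
                positive = True
            else:
                return False, trace      # abort the stack immediately
        elif ctl == "sufficient":
            if outcome and not required_failed:
                return True, trace       # later modules are never consulted
        elif ctl == "optional":
            if outcome:
                positive = True
    return positive and not required_failed, trace


# Constructed excerpt of the Solaris pam.conf posted in the thread (auth only).
SOLARIS_PAM_CONF = """\
login auth required   pam_winbind.so
login auth requisite  pam_authtok_get.so.1 debug
login auth sufficient pam_dhkeys.so.1 debug
login auth sufficient pam_unix_auth.so.1 debug
login auth sufficient pam_dial_auth.so.1 debug
other auth sufficient pam_winbind.so
other auth requisite  pam_authtok_get.so.1 debug
other auth sufficient pam_dhkeys.so.1 debug
other auth sufficient pam_unix_auth.so.1 debug
"""

# Constructed excerpt of the Red Hat pam.d file quoted in the thread.
LINUX_LOGIN = """\
auth required   pam_securetty.so
auth required   pam_nologin.so
auth sufficient pam_winbind.so
auth required   pam_env.so
auth required   pam_unix.so nullok use_first_pass
"""


def auth_outcomes(conf, service, results, linux_service=None):
    """Evaluate the auth stack `service` would get from `conf`."""
    entries = parse_pam_lines(conf, linux_service)
    return evaluate(stack_for(entries, service, "auth"), results)


if __name__ == "__main__":
    # Modelled outcomes (not real module calls): a local account that winbind
    # rejects but pam_unix_auth accepts, and a domain account that only winbind accepts.
    local_user = {"pam_winbind.so": False, "pam_unix_auth.so.1": True}
    domain_user = {"pam_winbind.so": True, "pam_unix_auth.so.1": False}
    for name, who in (("local", local_user), ("domain", domain_user)):
        for svc in ("login", "ssh"):   # ssh has no entries, so it falls back to 'other'
            ok, trace = auth_outcomes(SOLARIS_PAM_CONF, svc, who)
            print(f"{name:6} via {svc:5}: {'pass' if ok else 'FAIL'}  {trace}")
```

The trace is the part worth reading: on the "other" stack a domain user is accepted after a single module, and on the Red Hat file a successful pam_winbind.so means pam_env.so and pam_unix.so are never run for that user, so any restriction placed after a "sufficient" line only applies to accounts winbind does not accept.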
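Buchan's diagnosis is that pam_mkhomedir creates only the leaf directory, so with "template homedir = /home/%D/%U" the per-domain parent /home/LEARNINGDOMAIN has to exist before the first domain login. The following is an added example, not code from the thread or from Samba; it expands the template for a domain user, lists the ancestors pam_mkhomedir would not create, and creates the per-domain parent with an explicit mode. The domain and user names are the ones from the thread; the temporary directory tree built by demo() is constructed for the demonstration.

```python
"""Added example (not from the thread): check what pam_mkhomedir can create.

pam_mkhomedir creates only the leaf home directory; with a template such as
/home/%D/%U the per-domain parent /home/%D must already exist. These helpers
expand a Samba 'template homedir' value for a domain user and report the
ancestors that are missing, so the gap can be closed before users log in.
"""
import os
import stat
import tempfile


def expand_template(template, domain, user):
    """Substitute the Samba %D (domain) and %U (user) macros."""
    return template.replace("%D", domain).replace("%U", user)


def missing_ancestors(home):
    """Directories above `home` that do not exist yet, outermost first."""
    missing = []
    parent = os.path.dirname(home.rstrip("/"))
    while parent and parent != "/" and not os.path.isdir(parent):
        missing.append(parent)
        parent = os.path.dirname(parent)
    return list(reversed(missing))


def mkhomedir_can_create(template, domain, user):
    """True only if the immediate parent exists, i.e. pam_mkhomedir could succeed."""
    home = expand_template(template, domain, user)
    return not missing_ancestors(home)


def create_domain_parent(template, domain, mode=0o755):
    """Create the per-domain parent (e.g. /home/DOMAIN) with an explicit mode.

    Only the parent is created; user homes are left to pam_mkhomedir so the
    skel copy and the umask= setting in pam.conf still apply to them.
    """
    parent = expand_template(os.path.dirname(template.rstrip("/")), domain, "")
    os.makedirs(parent, mode=mode, exist_ok=True)
    os.chmod(parent, mode)   # makedirs is subject to the umask, so set the mode explicitly
    return parent


def demo():
    """Reproduce the thread's failure in a temporary tree: /home exists but
    /home/LEARNINGDOMAIN does not; then create the parent and re-check."""
    root = tempfile.mkdtemp()            # constructed stand-in for the real filesystem
    os.makedirs(os.path.join(root, "home"))
    template = os.path.join(root, "home", "%D", "%U")
    domain, user = "LEARNINGDOMAIN", "Administrator"
    before = missing_ancestors(expand_template(template, domain, user))
    parent = create_domain_parent(template, domain)
    return {
        "missing_before": [os.path.relpath(p, root) for p in before],
        "parent": os.path.relpath(parent, root),
        "parent_mode": stat.S_IMODE(os.stat(parent).st_mode),
        "can_create_after": mkhomedir_can_create(template, domain, user),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the real template the same check is mkhomedir_can_create("/home/%D/%U", "LEARNINGDOMAIN", "Administrator"); running it once per domain after joining, rather than waiting for the first user's "No such file or directory", keeps the session stack from failing on a "required" pam_mkhomedir line.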
