Try this:

auth       sufficient   pam_winbind.so debug
auth       required     pam_stack.so service=system-auth
account    sufficient   pam_winbind.so debug
account    sufficient   pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_limits.so
session    optional     pam_console.so

Once winbind passes and is sufficient, the rest of the checks in that "stack" are skipped. If you run the pam_unix check first and it fails, then the stack will fail regardless.

Josh

-----Original Message-----
From: McNally, Ian [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 29, 2004 9:47 PM
To: [EMAIL PROTECTED]
Subject: [Samba] pam_winbind succeeds but pam_unix fails !

Hi,

I am attempting to authenticate ssh access against users in Active Directory using winbind + pam. Unfortunately, all they receive is "permission denied, please try again". A tail -f of /var/log/messages reveals:

Apr 30 12:32:41 HOST sshd(pam_unix)[3011]: check pass; user unknown
Apr 30 12:32:41 HOST sshd(pam_unix)[3011]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=localhost.localdomain
Apr 30 12:32:41 HOST pam_winbind[3011]: Verify user `DOMAIN+bob'
Apr 30 12:32:42 HOST pam_winbind[3011]: user 'DOMAIN+bob' granted acces

The server users are sshing to is running Samba 3.0.2 on Fedora Core 1 as a domain member server. The wbinfo and getent commands work correctly on the Samba server, and chowning files as Active Directory users works.

I know I have missed something simple, but for the life of me, I can't find what it is.

/etc/pam.d/sshd

auth       required     pam_stack.so service=system-auth
auth       sufficient   pam_winbind.so debug
account    sufficient   pam_stack.so service=system-auth
account    sufficient   pam_winbind.so debug
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_limits.so
session    optional     pam_console.so

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
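
Added example (not part of either message, and not Samba or Linux-PAM code): a simplified Python model of how the required and sufficient control flags are evaluated, run over the two auth stacks from this thread. It assumes pam_stack.so service=system-auth can be treated as a single module whose result is that of the included stack, and the per-module results are constructed to match the log excerpt above.

```python
# Simplified model of Linux-PAM control flags (added example, not Samba/PAM code).
ORIGINAL_AUTH = [("required", "pam_stack:system-auth"),
                 ("sufficient", "pam_winbind")]
REORDERED_AUTH = [("sufficient", "pam_winbind"),
                  ("required", "pam_stack:system-auth")]

# Constructed per-module results. The domain user matches the log in the
# thread: pam_unix (inside system-auth) fails, pam_winbind succeeds.
DOMAIN_USER = {"pam_stack:system-auth": False, "pam_winbind": True}
LOCAL_USER = {"pam_stack:system-auth": True, "pam_winbind": False}


def run_stack(stack, results):
    """Walk one facility's lines in file order.

    Returns (granted, modules_called).
    """
    required_failed = False
    any_success = False
    called = []
    for control, module in stack:
        called.append(module)
        ok = results[module]
        if control == "required":
            # A failure is remembered, but later modules still run.
            if ok:
                any_success = True
            else:
                required_failed = True
        elif control == "sufficient":
            # Success ends the stack at once, unless a required module
            # has already failed. Failure is ignored.
            if ok and not required_failed:
                return True, called
        elif control != "optional":  # optional: result ignored in this model
            raise ValueError(f"unsupported control flag: {control}")
    return any_success and not required_failed, called


if __name__ == "__main__":
    for name, stack in (("original", ORIGINAL_AUTH), ("reordered", REORDERED_AUTH)):
        for user, results in (("domain", DOMAIN_USER), ("local", LOCAL_USER)):
            granted, called = run_stack(stack, results)
            print(f"{name:9} {user:6} granted={granted} called={called}")
```

With the original ordering the domain user is denied even though pam_winbind reports success, which is the pattern in the log; with the reordered stack pam_winbind ends the auth stack before pam_unix is consulted, and local accounts still authenticate through system-auth.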