Hi,
Your pam.d/logon file looks nice, mostly...
As you stated, the winbind part is authenticating correctly, so you would
be able to log in with an ADS account if the pam system did not try to
verify the posix-account too.
This is why you get asked for the second password.
As I'm running Linux and you FreeBSD, there are differences in the syntax
of the pam-files.
There must be an option like "use_first_pass" in your system too, and I
guess it would apply to the lines calling the "system"-module.
You'll have to check your pam documentation for this.
It is definitely not a samba problem.
After winbind authenticated the user there is no part of samba involved
in the login process anymore.
Christoph

Tom Skeren wrote:
Christoph Scheeder wrote:

Hi,
2 points:
1.) use the smb.conf which gives you a working wbinfo.
2.) this sounds like misconfigured pam to me.
   -you have to tell pam that winbind is "sufficient" for "auth" and
    "account" with the lines


Here's the /etc/pam.d/logon file info. This must be working because of the dual authentication when logging in at the terminal. In fact if you open a new terminal session and log in there, the primary [F1] screen will show "pam_winbind[451]: user 'root' granted access".

Further, when attempting to log on with an ADS account, although the log in fails, pam_winbind grants access.
Here's the file info:


#
# $FreeBSD: src/etc/pam.d/login,v 1.16 2003/06/14 12:35:05 des Exp $
#
# PAM configuration for the "login" service
#

# auth
auth            required        pam_nologin.so          no_warn
auth            sufficient      pam_self.so             no_warn
auth            include         system
auth            sufficient      /usr/local/lib/pam_winbind.so
# account
account         requisite       pam_securetty.so
account         include         system
account         sufficient      /usr/local/lib/pam_winbind.so

# session
session         include         system

# password
password        include         system


"account sufficient pam_winbind.so" and "auth sufficient pam_winbind.so"

    this drops the need for the local posix-account.
   -And for the "auth" modify the line with pam_unix.so to read like

    "auth required pam_unix.so use_first_pass nullok"

    this gets you rid of the second password-prompt.

