One step closer...
Indeed I found a configuration parameter in sshd_conf like this

# Change to no to disable PAM authentication
# ChallengeResponseAuthentication yes

which I uncommented and restarted sshd and winbind.
But the result is the same ...
I've tried to log in as a domain user even from the console (so avoiding ssh) and the result (access denied) is the same.

My pam.conf for console login :
login auth sufficient pam_skey.so
login auth sufficient pam_opie.so no_fake_prompts
#this line is added
login auth sufficient /usr/local/lib/pam_winbind.so
#login auth requisite pam_opieaccess.so
login auth requisite pam_cleartext_pass_ok.so
#login auth sufficient pam_kerberosIV.so try_first_pass
#login auth sufficient pam_krb5.so try_first_pass
login auth required pam_unix.so try_first_pass
login account required pam_unix.so
#this line is added
login account sufficient /usr/local/lib/pam_winbind.so
login password required pam_permit.so
login session required pam_permit.so

Thomas

On Thursday 16 June 2005 14:12, you wrote:
> I don't know FreeBSD but on Suse there is a line in /etc/ssh/sshd_config
> that says "UsePAM yes" which has to be uncommented. Also make sure to
> restart sshd and winbind.
>
> romeo
>
> On Thu, 2005-06-16 at 13:41 +0200, Thomas Fazekas wrote:
> > After reading the related chapter in the Samba-3 HOWTO document
> > I've tried to put the AD authentication in place in our network
> > on two systems and I got stuck in exactly the same place.
> > Here are the software configs I was using :
> >
> > Sys 1
> > FreeBSD 4.11 release
> > sshd version OpenSSH_3.5p1 FreeBSD-20030924
> > Samba Version 3.0.10
> >
> > Sys 2
> > FreeBSD 5.4-RELEASE FreeBSD amd64
> > OpenSSH_3.8.1p1 FreeBSD-20040419, OpenSSL 0.9.7e 25 Oct 2004
> > Samba Version 3.0.12
> >
> > I will detail what I did on sys1 (as this one is more urgent and
> > anyway I did the same things on sys2 with exactly the same
> > outcome)
> >
> > My /etc/smb.conf
> > [global]
> > workgroup = OURDOMAIN
> > # strangely, it doesn't like the realm setting
> > #realm = MISSIONCRITICALIT.COM
> > password server = PASSSWD_SERV_IP
> > security = ADS
> > encrypt passwords = yes
> > server string = My Samba Server
> >
> > # separate domain and username with '\', like DOMAIN\username
> > winbind separator = \\
> > # use uids from 10000 to 20000 for domain users
> > idmap uid = 10000-20000
> > # use gids from 10000 to 20000 for domain groups
> > idmap gid = 10000-20000
> > # allow enumeration of winbind users and groups
> > winbind enum users = yes
> > winbind enum groups = yes
> > # give winbind users a real shell (only needed if they have telnet access)
> > template homedir = /home/winnt/%D%U
> > template shell = /usr/local/bin/bash
> >
> >
> > Then I did
> > sudo net join -UAdministrator
> > After providing the right password the answer was :
> > Joined domain OURDOMAIN.
> >
> > Then I modified the /usr/compat/linux/etc/nsswitch.conf file
> > to look like the following :
> > passwd: files winbind
> > shadow: files
> > group: files winbind
> >
> > After starting winbindd with (-d 3 -i) I can now query the
> > users and groups with :
> > wbinfo -u
> > wbinfo -g
> >
> > Both lists seem to be in concordance with what we got on our W2K PDC.
> >
> > However if I do
> > /usr/compat/linux/usr/bin/getent passwd
> > I get only the local password file content, nothing related to the
> > domain...
> > According to the Samba3 HOWTO this should return me info for
> > users in the domain...
> > What am I doing wrong ?
> >
> > Furthermore I went through this ordeal to allow domain users to
> > authenticate with ssh. So I've modified the /etc/pam.conf file like
> > this (settings for ssh) :
> > sshd auth sufficient pam_skey.so
> > sshd auth sufficient pam_opie.so no_fake_prompts
> > #this line is added by me
> > sshd auth sufficient /usr/local/lib/pam_winbind.so
> > #sshd auth requisite pam_opieaccess.so
> > #sshd auth sufficient pam_kerberosIV.so try_first_pass
> > #sshd auth sufficient pam_krb5.so try_first_pass
> > sshd auth required pam_unix.so try_first_pass
> > sshd account required pam_unix.so
> > #this line is added by me
> > sshd account sufficient /usr/local/lib/pam_winbind.so
> > sshd password required pam_permit.so
> > sshd session required pam_permit.so
> >
> > Now when I try to log in as a domain user via ssh the access is refused
> > and I got this in /var/log/auth.log
> > sshd[1972]: Illegal user usr1 from 10.10.10.201
> > sshd[1972]: Failed unknown for illegal user usr1 from 10.10.10.201 port 55268 ssh2
> >
> > And I get no output at all from winbindd, like the sshd wouldn't even
> > bother to try to authenticate via winbindd...
> >
> > Can anybody help ?
