Hello folks,

Been beating my head with winbind and pam just behaving oddly. I have
followed various HOW-TOs, wikis, and docs, and just can't seem to get
past a wall. Here are some of the issues:

- the 1st attempt at ssh'ing to a server gives me a 'Wrong Password' in
the logs. Here's an exact snippet:

Aug  6 18:45:40 mia21654bcu001 sshd[5371]: pam_winbind(sshd): request failed: Wrong Password, PAM error was Authentication failure (7), NT error was NT_STATUS_WRONG_PASSWORD

I get this w/o even entering a password. If I break out and just hit it
2 more times it will lock the account out as expected.

- require_membership_of seems to be flat out ignored. It will work if I
have one group, and put it in the 'auth' section of the system-auth file,
but I have multiple groups. If I put multiple groups under the 'auth'
section it will try to authenticate for each group and lock the account
out if the password is typed a single time. Putting this in the 'session'
section it is flat out ignored. Here's my system-auth:

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
account     required      /lib/security/$ISA/pam_permit.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     required      /lib/security/$ISA/pam_winbind.so use_first_pass require_membership_of=some_group

glenn @ terremark worldwide