Glenn Bailey wrote:
> Hello folks,
>
> Been beating my head with winbind and pam just behaving oddly. I have
> followed various HOW-TO's, wiki's, and docs, and just can't seem to get
> past a wall. Here are some of the issues:

If you just want desktop or server logins and not File/Print, you might want to try likewise-open (http://www.likewisesoftware.com/community/).

> - the 1st attempt at ssh'ing to a server gives me a 'Wrong Password'
> in the logs. Here's an exact snippet:
>
> Aug 6 18:45:40 mia21654bcu001 sshd[5371]: pam_winbind(sshd): request failed:
> Wrong Password, PAM error was Authentication failure (7), NT error was
> NT_STATUS_WRONG_PASSWORD
>
> I get this w/o even entering a password. If I break out and just hit it 2
> more times it will lock the account out
> as expected.
>
> - require_membership_of seems to be flat out ignored.

Works for me, but I define it in /etc/security/pam_winbind.conf

> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
> use_first_pass
> auth required /lib/security/$ISA/pam_deny.so

I stack pam_winbind before pam_unix

> account required /lib/security/$ISA/pam_unix.so
> account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> account sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
> account required /lib/security/$ISA/pam_permit.so

Don't need use_first_pass

> password required /lib/security/$ISA/pam_cracklib.so retry=3
> password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok
> md5 shadow
> password sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
> password required /lib/security/$ISA/pam_deny.so

need use_authtok and not use_first_pass here.

> session required /lib/security/$ISA/pam_limits.so
> session required /lib/security/$ISA/pam_unix.so
> session required /lib/security/$ISA/pam_winbind.so use_first_pass
> require_membership_of=some_group

The require-.... option is enforced in auth and not session.

cheers, jerry
-- 
=====================================================================
Samba ------- http://www.samba.org
Likewise Software --------- http://www.likewisesoftware.com
"What man is a man who does not make the world better?" --Balian
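
The four remarks in the reply above, written as a small checker run over the quoted rules. This is an added example, not part of the original post and not Samba code; `parse`, `review` and `QUOTED_STACK` are hypothetical names, and the checks encode only what the reply says about `pam_winbind` lines.

```python
import re

# Constructed input: the rules quoted in the thread, wrapped lines rejoined.
QUOTED_STACK = """\
auth     required   /lib/security/$ISA/pam_env.so
auth     sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth     sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth     required   /lib/security/$ISA/pam_deny.so
account  required   /lib/security/$ISA/pam_unix.so
account  sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
session  required   /lib/security/$ISA/pam_winbind.so use_first_pass require_membership_of=some_group
"""

# type, control (plain word or [bracketed]), module path, remaining arguments
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse(text):
    """Return (lineno, type, module, args) for every PAM rule in text."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        m = RULE.match(raw.split("#", 1)[0].strip())
        if m:
            kind, _control, path, args = m.groups()
            rules.append((n, kind, path.rsplit("/", 1)[-1], args.split()))
    return rules

def review(text):
    """Apply the reply's four remarks; return (lineno, message) findings."""
    rules, findings = parse(text), []
    # First auth line of each module (reversed so the earliest line wins).
    auth = {mod: n for n, kind, mod, _ in reversed(rules) if kind == "auth"}
    unix, winbind = auth.get("pam_unix.so"), auth.get("pam_winbind.so")
    if unix and winbind and unix < winbind:
        findings.append((unix, "auth: pam_unix is stacked before pam_winbind"))
    for n, kind, mod, args in rules:
        if mod != "pam_winbind.so":
            continue
        if kind == "account" and "use_first_pass" in args:
            findings.append((n, "account: use_first_pass is not needed"))
        if kind == "password" and ("use_first_pass" in args or "use_authtok" not in args):
            findings.append((n, "password: use use_authtok, not use_first_pass"))
        if kind != "auth" and any(a.startswith("require_membership_of=") for a in args):
            findings.append((n, kind + ": require_membership_of is enforced in auth"))
    return findings

if __name__ == "__main__":
    for lineno, message in review(QUOTED_STACK):
        print(lineno, message)
```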
