Ok wow, looks like the Likewise solution is exactly what I've been looking for, as I've been developing an internal solution that was basically a stripped-down samba that wouldn't conflict with any other existing samba installs.

FYI, I threw my group membership settings in /etc/security/pam_winbind.conf with the following format:

    [global]
    require_membership_of=GROUP1
    require_membership_of=GROUP2

and this worked just fine ..

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2008 6:53 AM
To: Glenn Bailey
Cc: [email protected]
Subject: Re: [Samba] winbindd behaving oddly

Glenn Bailey wrote:
> Hello folks,
>
> Been beating my head with winbind and pam just behaving oddly. I
> have followed various HOW-TO's, wiki's, and docs, and just can't seem
> to get past a wall. Here are some of the issues:

If you just want desktop or server logins and not File/Print, you might want to try likewise-open (http://www.likewisesoftware.com/community/).

> - the 1st attempt at ssh'ing to a server gives me a 'Wrong Password'
> in the logs. Here's an exact snippet:
>
> Aug 6 18:45:40 mia21654bcu001 sshd[5371]: pam_winbind(sshd): request
> failed: Wrong Password, PAM error was Authentication failure (7), NT
> error was NT_STATUS_WRONG_PASSWORD
>
> I get this w/o even entering a password. If I break out and just hit
> it 2 more times it will lock the account out as expected.
>
> - require_membership_of seems to be flat out ignored.

Works for me, but I define it in /etc/security/pam_winbind.conf

> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
> use_first_pass
> auth required /lib/security/$ISA/pam_deny.so

I stack pam_winbind before pam_unix

> account required /lib/security/$ISA/pam_unix.so
> account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> account sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
> account required /lib/security/$ISA/pam_permit.so

Don't need use_first_pass

> password required /lib/security/$ISA/pam_cracklib.so retry=3
> password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok
> md5 shadow
> password sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
> password required /lib/security/$ISA/pam_deny.so

need useauthtok and not use_first_pass here.

> session required /lib/security/$ISA/pam_limits.so
> session required /lib/security/$ISA/pam_unix.so
> session required /lib/security/$ISA/pam_winbind.so use_first_pass
> require_membership_of=some_group

The require-.... option is enforced in auth and not session.

cheers, jerry
--
Samba ------- http://www.samba.org
Likewise Software --------- http://www.likewisesoftware.com
"What man is a man who does not make the world better?" --Balian
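
The stacking points from the reply above (require_membership_of is enforced on the auth line, the password line wants use_authtok rather than use_first_pass, the account line does not need use_first_pass), turned into a small checker. This is an added example, not part of the original thread; `lint_winbind`, `RULE` and `SAMPLE` are hypothetical names, and the sample stack is reconstructed from the quoted config with its mail-wrapped lines joined.

```python
import re

# Constructed sample: the system-auth stack quoted in the thread, with the
# mail-wrapped continuation lines joined back onto their rule.
SAMPLE = """\
auth     required   /lib/security/$ISA/pam_env.so
auth     sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth     sufficient /lib/security/$ISA/pam_winbind.so use_first_pass use_first_pass
auth     required   /lib/security/$ISA/pam_deny.so
account  required   /lib/security/$ISA/pam_unix.so
account  sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account  sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
account  required   /lib/security/$ISA/pam_permit.so
password required   /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
password required   /lib/security/$ISA/pam_deny.so
session  required   /lib/security/$ISA/pam_limits.so
session  required   /lib/security/$ISA/pam_unix.so
session  required   /lib/security/$ISA/pam_winbind.so use_first_pass require_membership_of=some_group
"""

# type, control (word or [bracketed list]), module path, remaining options
RULE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def lint_winbind(text):
    """Return (line_no, message) findings for pam_winbind rules in a PAM stack."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        m = RULE.match(raw.split("#", 1)[0].strip())   # drop comments
        if not m or not m.group(3).endswith("pam_winbind.so"):
            continue
        mtype, opts = m.group(1).lstrip("-"), m.group(4).split()
        for dup in sorted({o for o in opts if opts.count(o) > 1}):
            findings.append((no, f"duplicate option {dup}"))
        if mtype == "password" and "use_first_pass" in opts and "use_authtok" not in opts:
            findings.append((no, "password stack: use use_authtok, not use_first_pass"))
        if mtype == "account" and "use_first_pass" in opts:
            findings.append((no, "account stack: use_first_pass is not needed"))
        if mtype != "auth" and any(o.startswith("require_membership_of") for o in opts):
            findings.append((no, f"require_membership_of on a {mtype} line is not "
                                 "enforced; set it on the auth line or in pam_winbind.conf"))
    return findings

if __name__ == "__main__":
    for no, msg in lint_winbind(SAMPLE):
        print(f"line {no}: {msg}")
```

The last finding is the one with access-control impact: with the group restriction only on the session line, any domain user who authenticates is let in.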
