RE: [Samba] winbindd behaving oddly
Ok wow,

Looks like the likewise solution is exactly what I've been looking for, as I've been developing an internal solution that was basically a stripped down samba that wouldn't conflict with any other existing samba installs.

FYI, I threw my group membership settings in /etc/security/pam_winbind.conf with the following format:

    [global]
    require_membership_of=GROUP1
    require_membership_of=GROUP2

and this worked just fine ..

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2008 6:53 AM
To: Glenn Bailey
Cc: samba@lists.samba.org
Subject: Re: [Samba] winbindd behaving oddly

Glenn Bailey wrote:
> Hello folks,
>
> Been beating my head with winbind and pam just behaving oddly. I have
> followed various HOW-TO's, wiki's, and docs, and just can't seem to get
> past a wall. Here are some of the issues:

If you just want desktop or server logins and not File/Print, you might want to try likewise-open (http://www.likewisesoftware.com/community/).

> - the 1st attempt at ssh'ing to a server gives me a 'Wrong Password' in
>   the logs. Here's an exact snippet:
>
>   Aug 6 18:45:40 mia21654bcu001 sshd[5371]: pam_winbind(sshd): request failed: Wrong Password, PAM error was Authentication failure (7), NT error was NT_STATUS_WRONG_PASSWORD
>
>   I get this w/o even entering a password. If I break out and just hit it
>   2 more times it will lock the account out as expected.
>
> - require_membership_of seems to be flat out ignored.

Works for me. but I define it in /etc/security/pam_winbind.conf

> auth        required      /lib/security/$ISA/pam_env.so
> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass use_first_pass
> auth        required      /lib/security/$ISA/pam_deny.so

I stack pam_winbind before pam_unix

> account     required      /lib/security/$ISA/pam_unix.so
> account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> account     sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
> account     required      /lib/security/$ISA/pam_permit.so

Don't need use_first_pass

> password    required      /lib/security/$ISA/pam_cracklib.so retry=3
> password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> password    sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
> password    required      /lib/security/$ISA/pam_deny.so

need useauthtok and not use_first_pass here.

> session     required      /lib/security/$ISA/pam_limits.so
> session     required      /lib/security/$ISA/pam_unix.so
> session     required      /lib/security/$ISA/pam_winbind.so use_first_pass require_membership_of=some_group

The require- option is enforced in auth and not session.

cheers, jerry
--
Samba - http://www.samba.org
Likewise Software - http://www.likewisesoftware.com
What man is a man who does not make the world better? --Balian

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] winbindd behaving oddly
Glenn Bailey wrote:
> Ok wow, Looks like the likewise solution is exactly what I've been
> looking for, as I've been developing an internal solution that was
> basically a stripped down samba that wouldn't conflict with any other
> existing samba installs.

Cool. Glad it helped.

jerry

Re: [Samba] winbindd behaving oddly
Glenn Bailey wrote:
> Hello folks,
>
> Been beating my head with winbind and pam just behaving oddly. I have
> followed various HOW-TO's, wiki's, and docs, and just can't seem to get
> past a wall. Here are some of the issues:

If you just want desktop or server logins and not File/Print, you might want to try likewise-open (http://www.likewisesoftware.com/community/).

> - the 1st attempt at ssh'ing to a server gives me a 'Wrong Password' in
>   the logs. Here's an exact snippet:
>
>   Aug 6 18:45:40 mia21654bcu001 sshd[5371]: pam_winbind(sshd): request failed: Wrong Password, PAM error was Authentication failure (7), NT error was NT_STATUS_WRONG_PASSWORD
>
>   I get this w/o even entering a password. If I break out and just hit it
>   2 more times it will lock the account out as expected.
>
> - require_membership_of seems to be flat out ignored.

Works for me. but I define it in /etc/security/pam_winbind.conf

> auth        required      /lib/security/$ISA/pam_env.so
> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass use_first_pass
> auth        required      /lib/security/$ISA/pam_deny.so

I stack pam_winbind before pam_unix

> account     required      /lib/security/$ISA/pam_unix.so
> account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> account     sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
> account     required      /lib/security/$ISA/pam_permit.so

Don't need use_first_pass

> password    required      /lib/security/$ISA/pam_cracklib.so retry=3
> password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> password    sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
> password    required      /lib/security/$ISA/pam_deny.so

need useauthtok and not use_first_pass here.

> session     required      /lib/security/$ISA/pam_limits.so
> session     required      /lib/security/$ISA/pam_unix.so
> session     required      /lib/security/$ISA/pam_winbind.so use_first_pass require_membership_of=some_group

The require- option is enforced in auth and not session.

cheers, jerry
--
Samba - http://www.samba.org
Likewise Software - http://www.likewisesoftware.com
What man is a man who does not make the world better? --Balian

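
The points raised in the reply above can be checked mechanically. The following is an added example, not part of the original messages and not Samba code: a small Python linter that reads a PAM stack and flags pam_winbind lines showing the problems discussed in this thread. The function name and finding codes are hypothetical, and the sample input is constructed from the posted system-auth.

```python
import re

# Constructed sample: the pam_winbind-related lines of the system-auth posted in the thread.
SAMPLE = """\
auth     sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth     sufficient /lib/security/$ISA/pam_winbind.so use_first_pass use_first_pass
account  sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
password sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
session  required   /lib/security/$ISA/pam_winbind.so use_first_pass require_membership_of=some_group
"""

# Fields: type, control (plain word or [bracketed list]), module path, options.
RULE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def lint_pam_winbind(text):
    """Return sorted (line_no, code) findings for pam_winbind rules in a PAM stack."""
    findings, auth_lines = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        m = RULE.match(raw.split("#", 1)[0].strip())
        if not m or not m.group(3).endswith("pam_winbind.so"):
            continue
        mtype = m.group(1).lstrip("-")
        opts = m.group(4).split()
        names = [o.split("=", 1)[0] for o in opts]
        if len(set(opts)) != len(opts):
            findings.append((n, "duplicate-option"))
        if "require_membership_of" in names and mtype != "auth":
            # Per the reply: the restriction is enforced in auth, not session.
            findings.append((n, "membership-not-enforced-here"))
        if mtype == "account" and "use_first_pass" in names:
            findings.append((n, "use_first_pass-not-needed"))
        if mtype == "password" and "use_first_pass" in names and "use_authtok" not in names:
            findings.append((n, "password-needs-use_authtok"))
        if mtype == "auth":
            auth_lines.append(n)
    # Several auth entries mean several authentication attempts per login,
    # which is how the original poster reports hitting account lockout.
    for n in auth_lines[1:]:
        findings.append((n, "extra-auth-attempt"))
    return sorted(findings)

if __name__ == "__main__":
    for line_no, code in lint_pam_winbind(SAMPLE):
        print(f"line {line_no}: {code}")
```
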
[Samba] winbindd behaving oddly
Hello folks,

Been beating my head with winbind and pam just behaving oddly. I have followed various HOW-TO's, wiki's, and docs, and just can't seem to get past a wall. Here are some of the issues:

- the 1st attempt at ssh'ing to a server gives me a 'Wrong Password' in the logs. Here's an exact snippet:

  Aug 6 18:45:40 mia21654bcu001 sshd[5371]: pam_winbind(sshd): request failed: Wrong Password, PAM error was Authentication failure (7), NT error was NT_STATUS_WRONG_PASSWORD

  I get this w/o even entering a password. If I break out and just hit it 2 more times it will lock the account out as expected.

- require_membership_of seems to be flat out ignored. It will work if I have one group, and put it in the 'auth' section of the system-auth file, but I have multiple groups. If I put multiple groups under the 'auth' section it will try to authenticate for each group and lock the account out if the password is typed a single time. Putting this in the 'session' section it is flat out ignored.

Here's my system-auth:

    auth        required      /lib/security/$ISA/pam_env.so
    auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
    auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass use_first_pass
    auth        required      /lib/security/$ISA/pam_deny.so

    account     required      /lib/security/$ISA/pam_unix.so
    account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
    account     sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
    account     required      /lib/security/$ISA/pam_permit.so

    password    required      /lib/security/$ISA/pam_cracklib.so retry=3
    password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
    password    sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
    password    required      /lib/security/$ISA/pam_deny.so

    session     required      /lib/security/$ISA/pam_limits.so
    session     required      /lib/security/$ISA/pam_unix.so
    session     required      /lib/security/$ISA/pam_winbind.so use_first_pass require_membership_of=some_group

glenn @ terremark worldwide