Update:

I've come up with a not-so-elegant solution to my problem.

In case there is something in my pam.conf that doesn't like seeing
"johndoe:*LK*:::::::" in /etc/shadow, I've changed the "*LK*" to a
random 14-character string for all users and disabled password aging.
That way, it'd be nearly impossible for them to guess their SunRay
server password, which forces them to use their AD domain password.

Ray


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lee, Raymond
Sent: Tuesday, February 07, 2006 3:29 PM
To: [email protected]
Subject: [SunRay-Users] pam.conf with winbind support


I've got srss2.0 running on Solaris 9, and I'd like to have it
authenticate to a Windows Active Directory domain.  I have Samba 3.0.21b
installed along with some other software to make the winbind solution
work.

I'd like to make it so that the users can only log in using their AD
domain password.  To do this, I do a 'passwd -l' to lock their SunRay
accounts and have my nsswitch.conf set up as:

   passwd:      files winbind
   group:       files winbind


And my pam.conf has the following:

   # pam_sunray.so added to dtlogin-SunRay by SunRay Server Software
   dtlogin-SunRay auth sufficient pam_winbind.so
   dtlogin-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so
   dtlogin-SunRay auth required pam_unix.so.1 try_first_pass
   #
   # pam_sunray.so added to dtsession-SunRay by SunRay Server Software
   dtsession-SunRay auth sufficient pam_winbind.so try_first_pass
   dtsession-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay
   dtsession-SunRay auth required pam_unix.so.1 try_first_pass


When the user accounts aren't locked, they can log in just fine with
either their SunRay server password or AD domain password.  However,
when I lock their accounts, they cannot log in with their AD password.
When they try to log in using the correct AD password, I see the
following message on the console:

   Feb  7 15:02:04 sunray01 pam_winbind[1678]: user 'johndoe' granted access

But in reality, the login screen goes back to the username prompt.  It
keeps doing this no matter how many times the user tries entering a
correct username/password.

Does anyone know what I'm missing in my pam.conf to make this work?  Or
maybe it's not supposed to work if I lock their account?

The goal was to make life easier on the users (and me) where they just
have to memorize their AD password.  I had password aging enabled on
their SunRay accounts to make them expire every 90 days.  However, there
would always be some users who didn't do this and required sysadmin help
to reset their passwords.  With the winbind solution, I wouldn't have to
worry so much about password expiration since the users log into their
Windows boxes everyday and would change their AD passwords before they
expire.

Thanks,
Ray
_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users
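The behaviour Ray reports (pam_winbind logs "granted access", yet the login does not complete) can be reasoned about by walking the posted auth stacks with the pam.conf control-flag rules. The following is an added example, not code from the thread, from Sun or from Samba: a small Python evaluator that parses the pam.conf lines quoted above (embedded as a constructed string), applies a simplified model of the `requisite`/`required`/`sufficient`/`optional` semantics of pam(3), and reports which modules were actually consulted. The per-module outcomes (`AD_PASSWORD_OK` and friends) are constructed stand-ins for the real modules' return codes, and `shadow_state` is a hypothetical helper that classifies the `*LK*` field written by `passwd -l`.

```python
"""Simplified evaluator for Solaris pam.conf auth stacks (added example, not from the thread)."""
from collections import defaultdict

SUCCESS, FAIL = "success", "fail"

# The dtlogin-SunRay / dtsession-SunRay auth lines as posted in the thread,
# embedded here so the example runs offline (constructed input, not read from /etc).
PAM_CONF = """\
# pam_sunray.so added to dtlogin-SunRay by SunRay Server Software
dtlogin-SunRay auth sufficient pam_winbind.so
dtlogin-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so
dtlogin-SunRay auth required pam_unix.so.1 try_first_pass
#
# pam_sunray.so added to dtsession-SunRay by SunRay Server Software
dtsession-SunRay auth sufficient pam_winbind.so try_first_pass
dtsession-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay
dtsession-SunRay auth required pam_unix.so.1 try_first_pass
"""


def parse_pam_conf(text):
    """Return {(service, module_type): [(control_flag, module_path, [options]), ...]}."""
    stacks = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        service, mtype, control, module, *options = fields
        stacks[(service, mtype)].append((control.lower(), module, options))
    return dict(stacks)


def run_stack(stack, outcomes):
    """Walk one stack with the standard control-flag rules (simplified model of pam(3)):

    requisite  - failure ends the stack immediately with failure
    required   - failure is remembered, but later modules still run
    sufficient - success ends the stack with success unless a required module already failed
    optional   - result only matters when nothing else decides the outcome

    `outcomes` maps a module file name to SUCCESS/FAIL (constructed, standing in for the
    real module's return code).  Returns (final_result, [modules actually consulted]).
    """
    consulted, required_failed, any_success = [], False, False
    for control, module, _options in stack:
        name = module.rsplit("/", 1)[-1]          # "/opt/SUNWut/lib/pam_sunray.so" -> "pam_sunray.so"
        result = outcomes.get(name, FAIL)         # a module with no recorded outcome is treated as failing
        consulted.append(name)
        any_success = any_success or result == SUCCESS
        if control == "requisite" and result == FAIL:
            return FAIL, consulted
        if control == "required" and result == FAIL:
            required_failed = True
        elif control == "sufficient" and result == SUCCESS and not required_failed:
            return SUCCESS, consulted             # later modules (e.g. pam_unix.so.1) never run
        elif control not in ("requisite", "required", "sufficient", "optional"):
            raise ValueError(f"unknown control flag {control!r}")
    return (FAIL if required_failed or not any_success else SUCCESS), consulted


def auth_attempt(service, outcomes, conf=PAM_CONF):
    """Run the `auth` stack of one service from a pam.conf string."""
    return run_stack(parse_pam_conf(conf)[(service, "auth")], outcomes)


def shadow_state(entry):
    """Classify the password field of one /etc/shadow line (hypothetical helper, Solaris conventions)."""
    fields = entry.split(":")
    if len(fields) < 2:
        raise ValueError(f"malformed shadow entry: {entry!r}")
    pw = fields[1]
    if pw.startswith("*LK*"):
        return "locked"        # what `passwd -l` writes
    if pw == "NP":
        return "no-password"
    if pw == "":
        return "empty"
    return "hashed"            # a real hash, or an unguessable junk string as in Ray's update


# Constructed module outcomes for the three cases discussed in the thread.
AD_PASSWORD_OK = {"pam_winbind.so": SUCCESS, "pam_sunray.so": FAIL, "pam_unix.so.1": FAIL}
LOCAL_PASSWORD_OK = {"pam_winbind.so": FAIL, "pam_sunray.so": FAIL, "pam_unix.so.1": SUCCESS}
NEITHER_OK = {"pam_winbind.so": FAIL, "pam_sunray.so": FAIL, "pam_unix.so.1": FAIL}

if __name__ == "__main__":
    for label, outcomes in [("AD ok", AD_PASSWORD_OK), ("local ok", LOCAL_PASSWORD_OK), ("neither", NEITHER_OK)]:
        result, consulted = auth_attempt("dtlogin-SunRay", outcomes)
        print(f"{label:9s} -> {result:7s} via {' -> '.join(consulted)}")
    print("johndoe:*LK*:::::::", "=>", shadow_state("johndoe:*LK*:::::::"))
```

With a correct AD password the `dtlogin-SunRay` auth stack returns success at `pam_winbind.so` and `pam_unix.so.1` is never consulted, which is consistent with the "granted access" log line Ray sees; with a correct local password only, all three modules run and the `required` pam_unix.so.1 result decides. What the evaluator cannot show is anything outside the `auth` type: the thread quotes only the auth lines, and a pam.conf also carries `account` (and other) stacks for the same service names, so on a real box the next thing to check is what those stacks do with a `*LK*` entry.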