
[Samba] pam ssh authentication using winbind


John Stile

Dec 1, 2004, 1:16:44 AM
Samba setup as a Member Server in native AD domain with winbind
authenticating AD users for access to shares. My understanding is that
with pam and winbind, domain users can log into the samba server via
ssh, even if they do not have a local user account? Logs show access
granted but user unknown, so I must be missing something and need some
help.

/var/log/messages during an ssh login:
Nov 30 21:44:56 myserver pam_winbind[7349]: user 'stile' granted access
Nov 30 21:45:44 myserver sshd(pam_unix)[7349]: check pass; user unknown
Nov 30 21:45:44 myserver pam_winbind[7349]: user 'stile' granted access

Using Red Hat EL AS 3 + samba-3.0.9-1 + krb5-lib-1.3.1

/etc/pam.d/sshd
#%PAM-1.0
auth required pam_stack.so service=system-auth
auth sufficient pam_winbind.so
auth required pam_nologin.so
account sufficient pam_winbind.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_limits.so
session optional pam_console.so

/etc/pam.d/login
#%PAM-1.0
auth required pam_securetty.so
auth sufficient pam_winbind.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account sufficient pam_winbind.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so

/etc/samba/smb.conf
[global]
server string = Samba Server
workgroup = MYREALM
realm = MYREALM.MY.DOMAIN.COM
security = ADS
username map = /etc/samba/smbusers
map to guest = Bad User
password server = *
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
preferred master = no
local master = no
domain master = no
os level = 33
wins server = 128.32.68.75 128.32.67.118
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind separator = +
winbind use default domain = Yes
template primary group = "Domain Users"
template homedir = /home/%U
template shell = /bin/bash
load printers = no
log level = 1
syslog = 0
log file = /var/log/samba/%m.log
max log size = 0


--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
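As an added example (not from the thread), a small Python model of how Linux-PAM's simple control flags (required, requisite, sufficient, optional) combine, applied to the auth lines of the two stacks John posted. It assumes pam_stack.so returns the result of the nested system-auth pam_unix call, and that this result is PAM_USER_UNKNOWN, as the "check pass; user unknown" syslog line suggests; both are assumptions, not stated in the post.

```python
# Model of Linux-PAM "simple" control-flag evaluation for the auth type,
# applied to the sshd and login stacks quoted above. pam_stack.so is modelled
# as returning the nested pam_unix result (assumption: PAM_USER_UNKNOWN).

PAM_SUCCESS = "PAM_SUCCESS"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"

# (control, module) pairs for the auth type only, in the order of /etc/pam.d/*.
SSHD_AUTH = [
    ("required", "pam_stack.so"),
    ("sufficient", "pam_winbind.so"),
    ("required", "pam_nologin.so"),
]
LOGIN_AUTH = [
    ("required", "pam_securetty.so"),
    ("sufficient", "pam_winbind.so"),
    ("required", "pam_stack.so"),
    ("required", "pam_nologin.so"),
]

def evaluate(stack, results):
    """Final result of one PAM type given each module's own return code.

    required   - failure is remembered (first one wins), later modules still run
    requisite  - failure returns immediately
    sufficient - success ends the stack with PAM_SUCCESS unless an earlier
                 required module already failed; its own failure is ignored
    optional   - only counts when it is the sole module in the stack
    """
    failure = None
    for control, module in stack:
        rc = results.get(module, PAM_SUCCESS)   # modules not listed succeed
        if control == "requisite" and rc != PAM_SUCCESS:
            return rc
        if control == "required" and rc != PAM_SUCCESS and failure is None:
            failure = rc
        if control == "sufficient" and rc == PAM_SUCCESS and failure is None:
            return PAM_SUCCESS
    if len(stack) == 1 and stack[0][0] == "optional":
        return results.get(stack[0][1], PAM_SUCCESS)
    return failure if failure is not None else PAM_SUCCESS

# Constructed outcomes for a domain user with no /etc/passwd entry:
# pam_winbind accepts the password, pam_unix (via pam_stack) does not know the user.
DOMAIN_USER = {"pam_stack.so": PAM_USER_UNKNOWN, "pam_winbind.so": PAM_SUCCESS}

def compare_stacks(results=DOMAIN_USER):
    return {"sshd": evaluate(SSHD_AUTH, results), "login": evaluate(LOGIN_AUTH, results)}
```

compare_stacks() returns {'sshd': 'PAM_USER_UNKNOWN', 'login': 'PAM_SUCCESS'}: a sufficient module placed after a failing required one cannot rescue the stack, whereas the login stack lists pam_winbind before pam_stack.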

Sverre Johan Tøvik

Dec 1, 2004, 7:40:48 AM
John Stile <jo...@stilen.com> wrote:

> Samba setup as a Member Server in native AD domain with winbind
> authenticating AD users for access to shares. My understanding is that
> with pam and winbind, domain users can log into the samba server via
> ssh, even if they do not have a local user account? Logs show access
> granted but user unknown, so I must be missing something and need some
> help.

I might be way off here, but did you know you have to prefix usernames
with your workgroup and the winbind separator? With your config/example
this means you'd have to log on as MYREALM+stile. I'm not using
pam/winbind with ssh, but it works fine with ftp, netatalk and apache
(just implemented a little webapp using it).


Sverre
