I've followed the instructions on the wiki regarding integration with Active Directory and successfully joined the domain. wbinfo gives the list of users and groups and everything works as expected. But I'm stuck with PAM.
The way I see it, almost every other PAM rule points to (includes) the system-auth rules. Can I add pam_winbind.so to system-auth like this and thus automatically solve the problem for the ssh, su, lightdm rules, etc.? That was the way I used to solve this under Fedora once...
cat system-auth
#%PAM-1.0
auth required pam_env.so
auth required pam_unix.so try_first_pass nullok
auth required pam_winbind.so use_first_pass use_authtok
auth optional pam_permit.so
account required pam_unix.so
account sufficient pam_winbind.so use_first_pass use_authtok
account optional pam_permit.so
account required pam_time.so
password required pam_unix.so try_first_pass nullok sha512 shadow
password sufficient pam_winbind.so use_first_pass use_authtok
password optional pam_permit.so
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session sufficient pam_winbind.so use_first_pass use_authtok
session optional pam_permit.so
It locks me out of the machine when I try this - what have I done wrong?
Last edited by combuster (2013-04-28 20:45:46)
Maybe because both pam_unix.so and pam_winbind.so are 'required' in auth?
Last edited by matone (2013-04-27 16:40:17)
Thanks matone, so it should read:
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass nullok
auth required pam_winbind.so use_first_pass use_authtok
auth optional pam_permit.so
Everything else should remain the same?
I'll try this too. I know I shouldn't mess with PAM rules if I don't fully understand them (I need to read more about this), but I need a quick solution just for now.
You're welcome.
I think it should work, but if not, check the logs.
If you get stuck, we can take a deeper look.
Made it...
Yes, it's possible to change only system-auth, and those settings get applied to the other PAM rules that include system-auth (pure genius, huh?). But the relations between pam_winbind.so and pam_unix.so must be exactly as described in the wiki. So here comes the config:
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass nullok
auth required pam_winbind.so use_first_pass use_authtok
auth optional pam_permit.so
account sufficient pam_unix.so
account sufficient pam_winbind.so try_first_pass use_authtok
account optional pam_permit.so
account required pam_time.so
password sufficient pam_unix.so
password sufficient pam_winbind.so try_first_pass use_authtok
password optional pam_permit.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session sufficient pam_unix.so
session sufficient pam_winbind.so use_first_pass use_authtok
session required pam_limits.so
session required pam_env.so
session optional pam_permit.so
This is a lot easier to maintain (one config instead of many), but are there any downsides?
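The point matone raised (two 'required' lines in the auth section) and the corrected ordering in the config above can be checked without locking yourself out of a real machine. The following simulator is an added example, not code from this thread or from Linux-PAM itself: it walks an auth stack using the required/requisite/sufficient/optional rules documented in pam.conf(5), with constructed user databases, passwords and stub modules standing in for the real pam_unix.so and pam_winbind.so.

```python
"""Simulate how Linux-PAM walks an 'auth' stack with the classic control
flags (required / requisite / sufficient / optional).

Added example: the two stacks below are the thread's original system-auth
'auth' lines and the corrected ones; users, passwords and module behaviour
are constructed stand-ins so the walk runs offline.
"""

# Constructed user databases: local /etc/shadow accounts (pam_unix) and
# domain accounts answered by winbindd (pam_winbind).
LOCAL_USERS = {"alice": "local-pw"}
AD_USERS = {"DOMAIN\\bob": "ad-pw"}


def pam_env(user, password):
    return True                     # only sets environment, never denies

def pam_permit(user, password):
    return True                     # always succeeds

def pam_unix(user, password):
    return LOCAL_USERS.get(user) == password    # local password check

def pam_winbind(user, password):
    return AD_USERS.get(user) == password       # domain password check

MODULES = {
    "pam_env.so": pam_env, "pam_permit.so": pam_permit,
    "pam_unix.so": pam_unix, "pam_winbind.so": pam_winbind,
}


def parse_stack(text, facility="auth"):
    """Return [(control, module), ...] for one facility of a system-auth
    file. Module arguments (try_first_pass, use_authtok, ...) are not
    needed by the simulation and are dropped."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fac, control, module, *_args = line.split()
        if fac == facility:
            stack.append((control, module))
    return stack


def run_stack(stack, user, password):
    """Walk the stack the way libpam does: keep an 'impression' that starts
    undefined and is settled by the modules as they return."""
    impression = None               # None = undecided, True/False = decided
    for control, module in stack:
        ok = MODULES[module](user, password)
        if control == "required":
            if not ok:
                impression = False  # failure is final, but the walk continues
            elif impression is None:
                impression = True
        elif control == "requisite":
            if not ok:
                return False        # failure aborts the walk immediately
            if impression is None:
                impression = True
        elif control == "sufficient":
            if ok and impression is not False:
                return True         # success ends the walk unless a required line already failed
            # a failing sufficient module is simply ignored
        elif control == "optional":
            if ok and impression is None:
                impression = True   # only counts when nothing else has decided
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return impression is True


ORIGINAL = """
auth required pam_env.so
auth required pam_unix.so try_first_pass nullok
auth required pam_winbind.so use_first_pass use_authtok
auth optional pam_permit.so
"""

FIXED = """
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass nullok
auth required pam_winbind.so use_first_pass use_authtok
auth optional pam_permit.so
"""


def outcomes(config_text):
    """Auth result for a local user, a domain user and a wrong password."""
    stack = parse_stack(config_text)
    return {
        "local user": run_stack(stack, "alice", "local-pw"),
        "domain user": run_stack(stack, "DOMAIN\\bob", "ad-pw"),
        "bad password": run_stack(stack, "alice", "wrong"),
    }


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, outcomes(text))
```

Running it shows the original stack denying both the local and the domain user: pam_winbind fails for a local account, pam_unix fails for a domain account, and either 'required' failure is final. The corrected stack passes the local user on the 'sufficient' pam_unix line, passes the domain user on the 'required' pam_winbind line after pam_unix's failure is ignored, and still denies a wrong password.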
I don't see any drawbacks if what you want is to allow the remote users to authenticate against all your services (ssh, login, ...).
Glad you solved it.
Yes, I need to authenticate as an AD user to ssh and have local access from lightdm, tty, etc.
Thank you very much for your help, matone!