Join Linux to Active Directory With Winbind - Page 2

By Carla Schroder | Posted May 3, 2005
Page 2 of 2   |  Back to Page 1
Print ArticleEmail Article
  • Share on Facebook
  • Share on Twitter
  • Share on LinkedIn
Continued From Page 1

The use_first_pass argument tells PAM to re-use the previously entered password. This works only for auth and password modules.

session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022 is a slick little PAM feature that creates home directories for users on the fly.

This does the same thing on Red Hat:


#/etc/pam.d/login
auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_winbind.so
auth       sufficient   /lib/security/pam_unix.so use_first_pass
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    sufficient   /lib/security/pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    required      /lib/security/pam_mkhomedir.so skel=/etc/skel
umask=0022
session    optional     /lib/security/pam_console.so
What if you want to authenticate SSH logins via PAM? Do this in /etc/pam.d/ssh:

auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_winbind.so
auth       sufficient   /lib/security/pam_unix.so
auth       required     /lib/security/pam_pwdb.so use_first_pass
account    sufficient   /lib/security/pam_unix.so
account    required    /lib/security/ pam_winbind.so
session    required     /lib/security/pam_unix.so
session    required     /lib/security/pam_winbind.so
password   required     /lib/security/pam_unix.so
password   required     /lib/security/pam_winbind.so

How to configure other services? As a general rule, stick your pam_winbind.so module next to any existing line that references a standard Linux auth, account, session, or password module. I don't promise that this will always work, but it's a good starting point. Or you can study the PAM documentation. Or wait for my detailed PAM howto.

Make sure that you do not have more than one account that has UID=0 in the password database. If there are two accounts in the passdb backend that have the same UID, winbind will break.

Now you can restart smbd and windbindd and try logging in from a Linux workstation. If you run into trouble look for help in Resources. The Samba mail list archives contain a wealth of excellent information.

Resources

Comment and Contribute
(Maximum characters: 1200). You have
characters left.
Get the Latest Scoop with Enterprise Networking Planet Newsletter