Technical:Auth:PamWinBind
From K12LTSP Wiki
First try at the wiki: see Chuck Sullivan's post of 3/6/03 on marc.theaimsgroup.com in ltsp-discuss. Chuck Liebow cliebow@downeast.net:
http://marc.theaimsgroup.com/?l=ltsp-discuss&m=104673319921916&w=2
Copied in here. I am about to test on an LTSP 4.2 beta machine to determine if this works. I will update the below once I have completed the work. <AngusCarr>
List: ltsp-discuss
Subject: [Ltsp-discuss] ltsp and authentication to win 2000 - forward
From: cliebow@downeast.net
Date: 2003-03-03 22:46:04
In hopes this may help someone else. Works like a charm for me. The only
change I made was to comment out the winbind separator line and add
winbind default domain =. Syntax may not be perfect but I have it at
school. Eliminates the need to put the domain name. Chuck

> these are the conf files I created to get winbind to work...
>
> /etc/samba/smb.conf
> # Global parameters
> [global]
> log file = /var/log/samba/%m.log
> passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> obey pam restrictions = Yes
> wins server = ipAddress of winserver
> encrypt passwords = yes
> winbind uid = 10000-20000
> passwd program = /usr/bin/passwd %u
> template shell = /bin/bash
> dns proxy = No
> printing = cups
> server string = Linux TermServer
> password server = *
> winbind gid = 10000-20000
> unix password sync = yes
> local master = No
> template homedir = /u/%D/%U
> workgroup = your domainName
> security = DOMAIN
> create mode = 700
> winbind separator = +
> max log size = 0
> pam password change = Yes
> directory mode = 700
>
> [homes]
> comment = Home Directories
> valid users = %D+%S
> read only = No
> create mask = 0664
> directory mask = 0775
> browseable = No
>
> This will share the users' home folders on the terminal server; if you
> don't want to put the user folders on the termserv, comment out the
> [homes] share.
>
>
> ********************************************************
> /etc/nsswitch.conf add this
>
> passwd: files winbind nisplus
> shadow: files winbind nisplus
> group: files winbind nisplus
>
> ********************************************************
>
> In /etc/pam.d
>
> system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required /lib/security/pam_env.so
> auth sufficient /lib/security/pam_winbind.so
> auth sufficient /lib/security/pam_unix.so likeauth nullok use_first_pass
> auth required /lib/security/pam_deny.so
>
> account sufficient /lib/security/pam_winbind.so
> account required /lib/security/pam_unix.so
>
> password required /lib/security/pam_cracklib.so retry=3 type=
> password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
> password required /lib/security/pam_deny.so
>
> session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
> session required /lib/security/pam_limits.so
> session required /lib/security/pam_unix.so
>
> ************************************************************
> login
>
> #New
> auth required /lib/security/pam_securetty.so
> auth sufficient /lib/security/pam_winbind.so
> auth sufficient /lib/security/pam_unix.so use_first_pass
> auth required /lib/security/pam_stack.so service=system-auth
> auth required /lib/security/pam_nologin.so
> account sufficient /lib/security/pam_winbind.so
> account required /lib/security/pam_stack.so service=system-auth
> password required /lib/security/pam_stack.so service=system-auth
> session required /lib/security/pam_stack.so service=system-auth
> session optional /lib/security/pam_console.so
>
> ************************************************************
> gdm
>
> auth required /lib/security/pam_stack.so service=system-auth
> auth required /lib/security/pam_nologin.so
> account required /lib/security/pam_stack.so service=system-auth
> password required /lib/security/pam_stack.so service=system-auth
> session required /lib/security/pam_stack.so service=system-auth
> session optional /lib/security/pam_console.so
>
> ***********************************************************************
> other
> #%PAM-1.0
> auth required /lib/security/pam_deny.so
> account required /lib/security/pam_deny.so
> password required /lib/security/pam_deny.so
> session required /lib/security/pam_deny.so
>
> ***********************************************************************
> samba
> auth required pam_nologin.so
> auth required pam_stack.so service=system-auth
> auth required /lib/security/pam_winbind.so
> account required /lib/security/pam_winbind.so
> account required pam_stack.so service=system-auth
> session required /lib/security/pam_mkhomedir.so skel=/etc/samba/skel umask=0022
> session required pam_stack.so service=system-auth
> password required pam_stack.so service=system-auth
>
> ***********************************************************************
>
> Make sure that samba and winbind are off while editing these files. Add
> whatever lines to the pam.d files to make them look like these. Delete
> the file in /etc/samba called secrets.tdb. After adding, start samba
> and winbind. I found that restarting the server helped getting PAM to
> work after editing the files. After the reboot...
>
> Add your server to the win2k domain...
>
> smbpasswd -j DOMAIN -r PDC -U administrator
>
> Test your configuration. wbinfo -u will show you all domain users,
> wbinfo -g will show you all domain groups, and
> getent passwd will show you the updated password file.
>
> Note in the smb.conf file you have to specify the winbind separator. I
> used a +; that way it does not get confused with \ from Windows and /
> from Unix. You must use this format to log into the termserv clients:
>
> DOMAIN+windowsUsername
>
> The domain must be in caps, and you must include the + sign.
>
> **Note: be very careful when editing the PAM files; if you mess them up
> you may not be able to log into the terminal server.
>
> Hope this helps
>
> Chuck Sullivan
> CDBird.Net
>
>
> On Fri, 2003-02-28 at 12:38, cliebow@downeast.net wrote:
> > On Fri, 28 Feb 2003, you wrote:
> > David: I went to galeon after a little time with phoenix. It's gracious with
> > citrix and has never gone crackerdog on me. Any thoughts on authentication?
> > I've been beating my head against the wall trying to authenticate to W2000.
> > At this point I believe winbind does authenticate but I get a gdm-binary
> > authentication error. I played with /etc/pam.d/gdm but the defaults all point to
> > system-auth. Can't see why? I know I'd just as soon go all linux but this is
> > what I got for now. Chuck
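
One thing worth checking before copying the pam.d files above: the `login` stack places `pam_nologin.so` after two `sufficient` lines. Under Linux-PAM's control-flag rules a `sufficient` module that succeeds (with no earlier `required` failure) ends the phase on the spot, so on the text console any account that winbind or pam_unix accepts never reaches `pam_nologin`, and the PAM auth phase does not honour /etc/nologin. The `gdm` stack does not have this problem, because its `sufficient` lines live inside the `pam_stack.so service=system-auth` substack, whose overall result the parent line judges as a single `required` entry. The Python script below is an added example, not part of the original post, of Samba or of any PAM tool: it re-implements the control-flag evaluation over inline copies of the post's `login`, `gdm` and `system-auth` auth stacks, with constructed module outcomes in place of real pam_*.so calls, traces which modules actually run, and includes a hypothetical `login-fixed` stack that moves `pam_nologin.so` ahead of the `sufficient` lines. A small lint function flags the ordering problem directly.

```python
"""Linux-PAM control-flag simulator for the auth stacks quoted in the post.

Added example (not from the original page, Samba or LTSP). Stack texts are
inline copies of the post's /etc/pam.d/login, gdm and system-auth, paths
shortened to module names; module outcomes are constructed stand-ins for
real pam_*.so calls. pam_stack.so (old Red Hat include) is modelled as a
substack whose overall result the parent line judges with its own flag.
"""
from typing import Dict, List, Optional, Tuple

PAM_FILES: Dict[str, str] = {
    "login": """
auth required pam_securetty.so
auth sufficient pam_winbind.so
auth sufficient pam_unix.so use_first_pass
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
""",
    "gdm": """
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
""",
    "system-auth": """
auth required pam_env.so
auth sufficient pam_winbind.so
auth sufficient pam_unix.so likeauth nullok use_first_pass
auth required pam_deny.so
""",
    # Hypothetical hardened login stack: pam_nologin ahead of any sufficient line.
    "login-fixed": """
auth required pam_securetty.so
auth required pam_nologin.so
auth sufficient pam_winbind.so
auth sufficient pam_unix.so use_first_pass
auth required pam_stack.so service=system-auth
""",
}

Entry = Tuple[str, str, List[str]]  # (control flag, module, arguments)


def parse_stack(text: str, phase: str = "auth") -> List[Entry]:
    """Return the (control, module, args) entries of one phase, in file order."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#") or parts[0] != phase:
            continue
        module = parts[2].rsplit("/", 1)[-1]  # /lib/security/pam_x.so -> pam_x.so
        entries.append((parts[1], module, parts[3:]))
    return entries


def run_stack(service: str, outcomes: Dict[str, bool], files: Dict[str, str] = PAM_FILES,
              phase: str = "auth", trace: Optional[List[str]] = None) -> Tuple[bool, List[str]]:
    """Evaluate a service's stack; return (success, modules actually invoked in order)."""
    trace = [] if trace is None else trace
    required_failed = False
    for control, module, args in parse_stack(files[service], phase):
        if module == "pam_stack.so":
            sub = next(a.split("=", 1)[1] for a in args if a.startswith("service="))
            ok, _ = run_stack(sub, outcomes, files, phase, trace)
        else:
            trace.append(f"{service}:{module}")
            ok = outcomes[module]
        if control == "required":
            required_failed = required_failed or not ok  # keep going, fail at the end
        elif control == "requisite":
            if not ok:
                return False, trace
        elif control == "sufficient":
            if ok and not required_failed:
                return True, trace  # later lines, pam_nologin included, never run
        elif control != "optional":
            raise ValueError(f"unknown control flag {control!r} in {service}")
    return not required_failed, trace


def nologin_after_sufficient(service: str, files: Dict[str, str] = PAM_FILES) -> Optional[int]:
    """Lint: 1-based position of pam_nologin.so if a sufficient line precedes it, else None."""
    seen_sufficient = False
    for pos, (control, module, _) in enumerate(parse_stack(files[service]), 1):
        seen_sufficient = seen_sufficient or control == "sufficient"
        if module == "pam_nologin.so" and seen_sufficient:
            return pos
    return None


# Constructed scenario: /etc/nologin exists (pam_nologin fails for non-root) and the
# account exists only in the Windows domain (winbind accepts it, pam_unix does not).
DOMAIN_USER_NOLOGIN: Dict[str, bool] = {
    "pam_securetty.so": True, "pam_env.so": True, "pam_winbind.so": True,
    "pam_unix.so": False, "pam_nologin.so": False, "pam_deny.so": False,
}

if __name__ == "__main__":
    for svc in ("login", "gdm", "login-fixed"):
        ok, trace = run_stack(svc, DOMAIN_USER_NOLOGIN)
        print(f"{svc:12s} {'ALLOW' if ok else 'DENY '}  ran: {' '.join(trace)}")
    print("login lint: pam_nologin.so after a sufficient line at position",
          nologin_after_sufficient("login"))
```

Running it shows `login` allowing the domain user after only `pam_securetty.so` and `pam_winbind.so` have run, while `gdm` and the hypothetical `login-fixed` stack both reach `pam_nologin.so` and deny. The same skip applies to local users, since the `pam_unix.so` line is also `sufficient`; an unknown user falls through to `pam_stack.so`, where `pam_deny.so` in `system-auth` records the failure, and only then is `pam_nologin.so` consulted.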
