[Bug 776600] New: pam winbind settings are only set if we join a windows domain using Yast as a client
https://bugzilla.novell.com/show_bug.cgi?id=776600
https://bugzilla.novell.com/show_bug.cgi?id=776600#c0

Summary: pam winbind settings are only set if we join a windows domain using Yast as a client
Classification: openSUSE
Product: openSUSE 12.2
Version: RC 2
Platform: i586
OS/Version: openSUSE 12.2
Status: NEW
Severity: Enhancement
Priority: P5 - None
Component: Samba
AssignedTo: samba-maintainers@SuSE.de
ReportedBy: lynn@steve-ss.com
QAContact: samba-maintainers@SuSE.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1190.0 Safari/537.1 SUSE/22.0.1190.0

If we are ourselves the domain controller such as with Samba4 AD, we have no way of setting pam winbind in /etc/pam.d

Reproducible: Always

Steps to Reproduce:
1. Install Samba4 DC
2. call the samba binary
3. edit /etc/nsswitch.conf to contain passwd: and group: to contain winbind
4. attempt to login on the DC

Actual Results:
We are authenticated correctly via Kerberos but we cannot login: The pam settings for winbind are not set.

Expected Results:
We can login.

The workaround is not to use winbind on the Samba4 DC. e.g. nss-pam-ldapd works fine

This is discussed in this thread: http://lists.opensuse.org/opensuse/2012-08/msg00476.html

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
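The state this report describes, winbind listed in /etc/nsswitch.conf while the PAM stack has no pam_winbind entry, can be checked for directly. The script below is an added example, not part of the bug report or of YaST; it assumes the common PAM stack lives in /etc/pam.d/common-{auth,account,password,session}, and the function names and sample root are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: the common PAM stack is in
# <root>/etc/pam.d/common-{auth,account,password,session}.

# Succeeds if both passwd: and group: in nsswitch.conf list winbind.
nss_uses_winbind() {
    conf="$1/etc/nsswitch.conf"
    [ -r "$conf" ] || return 1
    for db in passwd group; do
        # Strip comments, then look for winbind as a whole word on the db line.
        sed 's/#.*//' "$conf" | grep -E "^[[:space:]]*$db:" |
            grep -Eq '(:|[[:space:]])winbind([[:space:]]|$)' || return 1
    done
}

# Prints each common-* file that has no pam_winbind.so entry.
pam_missing_winbind() {
    for t in auth account password session; do
        f="$1/etc/pam.d/common-$t"
        if ! sed 's/#.*//' "$f" 2>/dev/null | grep -q 'pam_winbind\.so'; then
            printf '%s\n' "common-$t"
        fi
    done
}

# Prints: not-in-use | pam-missing | ok. Empty ROOT means the live system.
check_winbind_login() {
    root="${1:-}"
    if ! nss_uses_winbind "$root"; then
        echo not-in-use
    elif [ -n "$(pam_missing_winbind "$root")" ]; then
        # Users resolve through winbind but PAM never consults it.
        echo pam-missing
        return 1
    else
        echo ok
    fi
}

# Constructed sample root: winbind in NSS, PAM stack left at pam_unix only.
make_sample_root() {
    d=$(mktemp -d) && mkdir -p "$d/etc/pam.d" || return 1
    printf 'passwd: compat winbind\ngroup: compat winbind\n' >"$d/etc/nsswitch.conf"
    for t in auth account password session; do
        printf '%s required pam_unix.so\n' "$t" >"$d/etc/pam.d/common-$t"
    done
    echo "$d"
}
```

Calling `check_winbind_login` with no argument checks the live system; `pam-missing` is the state for which `pam-config -a --winbind` is named later in this thread.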
https://bugzilla.novell.com/show_bug.cgi?id=776600#c1
lynn wilson
https://bugzilla.novell.com/show_bug.cgi?id=776600#c2
Jiří Suchomel
https://bugzilla.novell.com/show_bug.cgi?id=776600#c3
lynn wilson
https://bugzilla.novell.com/show_bug.cgi?id=776600#c4
Jiří Suchomel
https://bugzilla.novell.com/show_bug.cgi?id=776600#c5
lynn wilson
https://bugzilla.novell.com/show_bug.cgi?id=776600#c6
Jiří Suchomel
https://bugzilla.novell.com/show_bug.cgi?id=776600#c7
Thorsten Kukuk
https://bugzilla.novell.com/show_bug.cgi?id=776600#c8
lynn wilson
https://bugzilla.novell.com/show_bug.cgi?id=776600#c9
--- Comment #9 from Jiří Suchomel
https://bugzilla.novell.com/show_bug.cgi?id=776600#c10
lynn wilson
https://bugzilla.novell.com/show_bug.cgi?id=776600#c11
--- Comment #11 from Thorsten Kukuk
> Ubuntu have it: pam-auth-update and simply choose your flavour. We don't.

Sorry, but we have exactly the same:
pam-config -a --winbind is the exact equivalent to pam-auth-update from Ubuntu for this case.
Only that the Ubuntu clone is much more restricted (as it can only copy PAM config files and is not able to generate them itself, so I don't understand why they had to invent the wheel again and not use the better original ;) ).
https://bugzilla.novell.com/show_bug.cgi?id=776600#c12
Jiří Suchomel
https://bugzilla.novell.com/show_bug.cgi?id=776600#c13
David Disseldorp
> So, Lars, would it make sense to allow "Use SMB Information for Linux Authentication" checkbox even without joining a domain?

This behaviour would be very much specific to a Samba 4 AD DC setup. This bug should be made a duplicate (or child feature req) of bnc#770390 IMO.
https://bugzilla.novell.com/show_bug.cgi?id=776600#c14
--- Comment #14 from lynn wilson
(In reply to comment #10)
> > Ubuntu have it: pam-auth-update and simply choose your flavour. We don't.
>
> Sorry, but we have exactly the same:
> pam-config -a --winbind is the exact equivalent to pam-auth-update from Ubuntu for this case.
> Only that the Ubuntu clone is much more restricted (as it can only copy PAM config files and is not able to generate them itself, so I don't understand why they had to invent the wheel again and not use the better original ;) ).

Yes, but it means typing nonsense at the command line. I can do it, but my parents and colleagues certainly can't! With Ubuntu I get a list to choose from. Sorry, but that's what people need.
https://bugzilla.novell.com/show_bug.cgi?id=776600#c15
--- Comment #15 from lynn wilson
(In reply to comment #12)
> > So, Lars, would it make sense to allow "Use SMB Information for Linux Authentication" checkbox even without joining a domain?
>
> This behaviour would be very much specific to a Samba 4 AD DC setup. This bug should be made a duplicate (or child feature req) of bnc#770390 IMO.

How about just put an extra option for 'I'm already the DC, let me use pam winbind anyway'
L x
https://bugzilla.novell.com/show_bug.cgi?id=776600#c16
lynn wilson
(In reply to comment #12)
> > So, Lars, would it make sense to allow "Use SMB Information for Linux Authentication" checkbox even without joining a domain?
>
> This behaviour would be very much specific to a Samba 4 AD DC setup. This bug should be made a duplicate (or child feature req) of bnc#770390 IMO.

770390 refers to DNS, not PAM.
https://bugzilla.novell.com/show_bug.cgi?id=776600#c17
Lars Müller
https://bugzilla.novell.com/show_bug.cgi?id=776600#c18
Jiří Suchomel
https://bugzilla.novell.com/show_bug.cgi?id=776600#c19
David Disseldorp
> Well, the required extra feature is saving the pam config, but not joining. We have to do less than we do now.
>
> So, we may
>
> 1. offer (universal) checkbox with "Do not join" label or something
> 2. detect user's configuration state (Samba 4) and
>    a) ignore the join automatically (or based on some technical conditions)
>    b) explicitly ask user (via popup) if he also wants to join
>
> So, what would you prefer? To me, it looks like some variant to option 2. What should I do to properly detect user's situation?

Indeed, option 2 would be preferred. Ideally the user could select "AD Domain Controller" on the YaST Samba Server "Identity" tab, the resulting setup wizard would take the user through provisioning, DNS server setup, and later PAM configuration.
https://bugzilla.novell.com/show_bug.cgi?id=776600#c20
--- Comment #20 from Jiří Suchomel
> Indeed, option 2 would be preferred. Ideally the user could select "AD Domain Controller" on the YaST Samba Server "Identity" tab, the resulting setup wizard would take the user through provisioning, DNS server setup, and later PAM configuration.

Well, but that is a complex solution for bug 770390, here. I thought we want to have a simple one for this bug, which would fit to YaST Samba Client module...
https://bugzilla.novell.com/show_bug.cgi?id=776600#c21
Lars Müller
https://bugzilla.novell.com/show_bug.cgi?id=776600#c22
--- Comment #22 from David Disseldorp
(In reply to comment #19)
> > Indeed, option 2 would be preferred. Ideally the user could select "AD Domain Controller" on the YaST Samba Server "Identity" tab, the resulting setup wizard would take the user through provisioning, DNS server setup, and later PAM configuration.
>
> Well, but that is a complex solution for bug 770390, here.

Yes.

> I thought we want to have a simple one for this bug, which would fit to YaST Samba Client module...

IMO proceeding with the implementation for 2a from comment#18 wouldn't make much sense prior to having other AD Domain Controller components (most importantly Samba) configurable via YaST.
https://bugzilla.novell.com/show_bug.cgi?id=776600#c23
Jiří Suchomel
> Indeed, option 2 would be preferred. Ideally the user could select "AD Domain Controller" on the YaST Samba Server "Identity" tab, the resulting setup wizard would take the user through provisioning, DNS server setup, and later PAM configuration.

Now, neither this one nor bug 770390 describes what needs to be done for such Samba Server update. Do you have a list of requirements anywhere? Preferably a feature request?
https://bugzilla.novell.com/show_bug.cgi?id=776600#c24
David Disseldorp
(In reply to comment #19)
> > Indeed, option 2 would be preferred. Ideally the user could select "AD Domain Controller" on the YaST Samba Server "Identity" tab, the resulting setup wizard would take the user through provisioning, DNS server setup, and later PAM configuration.
>
> Now, neither this one nor bug 770390 describes what needs to be done for such Samba Server update.
>
> Do you have a list of requirements anywhere? Preferably a feature request?

Not yet, Samba4 is currently still in beta, hence the AD DC setup process changes regularly. An RC should be coming next month, which would be a good point to finalize the UI and back-end configuration requirements.
https://bugzilla.novell.com/show_bug.cgi?id=776600#c

Bug 776600 depends on bug 770390, which changed state.

Bug 770390 Summary: Samba 4 YaST interface feature request
http://bugzilla.novell.com/show_bug.cgi?id=770390

What       |Old Value |New Value
---------------------------------
Status     |NEEDINFO  |NEW
Status     |NEW       |NEEDINFO
Status     |NEEDINFO  |RESOLVED
Resolution |          |INVALID
https://bugzilla.novell.com/show_bug.cgi?id=776600#c26
Jiří Suchomel
https://bugzilla.novell.com/show_bug.cgi?id=776600#c27
Lars Müller
https://bugzilla.novell.com/show_bug.cgi?id=776600#c28
--- Comment #28 from Lars Müller