[opensuse-factory] winbind installaltion PAM problems
Hi everyone Is it intended that installing winbind with zypper adjust the PAM configuration accordingly? Mine hasn't. It's a real pain to do PAM stuff manually:-( Thanks, L x -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Fri, Aug 03, 2012 at 04:46:42PM +0200, steve wrote:
Is it intended that installing winbind with zypper adjust the PAM configuration accordingly?
No. How should it work? How do you guess the particular configuration and how do you join without knowing the credentials?
Mine hasn't. It's a real pain to do PAM stuff manually:-(
That's why there is the YaST module to join to a domain. Thanks, Lars -- Lars Müller [ˈlaː(r)z ˈmʏlɐ] Samba Team + SUSE Labs SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
On Fri, Aug 03, 2012 at 04:58:19PM +0200, Lars Müller wrote:
On Fri, Aug 03, 2012 at 04:46:42PM +0200, steve wrote:
Is it intended that installing winbind with zypper adjust the PAM configuration accordingly?
No.
How should it work?
How do you guess the particular configuration and how do you join without knowing the credentials?
Mine hasn't. It's a real pain to do PAM stuff manually:-(
That's why there is the YaST module to join to a domain.
For just hooking up PAM snippets, "pam-config" can be used. However this will not configure domains or workgroups. Ciao, Marcus -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On 03/08/12 16:58, Lars Müller wrote:
On Fri, Aug 03, 2012 at 04:46:42PM +0200, steve wrote:
Is it intended that installing winbind with zypper adjust the PAM configuration accordingly?
No.
How should it work?
The method is this: /etc/pam.d/common-auth Add this line before pam_unix.so: auth sufficient pam_winbind.so Also add the option use_first_pass to the pam_unix.so line /etc/pam.d/common-account Add this line before pam_unix.so: account sufficient pam_winbind.so /etc/pam.d/common-session Add these lines before any other session line: session required pam_mkhomedir.so session required pam_winbind.so
How do you guess the particular configuration and how do you join without knowing the credentials?
No guessing. By the time it comes to installing winbind, you have already set up DNS and Kerberos.
That's why there is the YaST module to join to a domain.
Does using the Yast module set up Pam winbind? Thanks L x -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Fri, 03 Aug 2012 19:01:54 +0200
lynn
That's why there is the YaST module to join to a domain.
Does using the Yast module set up Pam winbind?
Yes, see the "Also Use SMB Information for Linux Authentication" check-box. Cheers, David -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On 03/08/12 19:13, David Disseldorp wrote:
On Fri, 03 Aug 2012 19:01:54 +0200 lynn
wrote: That's why there is the YaST module to join to a domain.
Does using the Yast module set up Pam winbind?
Yes, see the "Also Use SMB Information for Linux Authentication" check-box.
Cheers, David
Hi Yes. Thanks. Found it. The main problem with it is that it overwrites/adds deprecated values to whatever is in smb.conf, worse, it starts winbind with it's own settings. You then have to stop winbind, leave the domain, delete all the tdb files, put smb.conf back as you want it, rejoin using net ads join and then restart winbind. OK, now I've got my PAM settings but that was the only way I could get it to work. deprecated (which take only the gid range): idmap gid lownumber-high number idmap gid another lownumber-another high number current: idmap config ADOMAIN : backend = ad idmap config ADOMAIN : range = lownumber-high number Cheers, Steve -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
participants (5)
-
David Disseldorp
-
Lars Müller
-
lynn
-
Marcus Meissner
-
steve