On 03/08/12 16:58, Lars Müller wrote:

On Fri, Aug 03, 2012 at 04:46:42PM +0200, steve wrote:

...

Is it intended that installing winbind with zypper adjust the PAM configuration accordingly?

No.

How should it work?

The method is this: /etc/pam.d/common-auth Add this line before pam_unix.so: auth sufficient pam_winbind.so Also add the option use_first_pass to the pam_unix.so line /etc/pam.d/common-account Add this line before pam_unix.so: account sufficient pam_winbind.so /etc/pam.d/common-session Add these lines before any other session line: session required pam_mkhomedir.so session required pam_winbind.so

How do you guess the particular configuration and how do you join without knowing the credentials?

No guessing. By the time it comes to installing winbind, you have already set up DNS and Kerberos.

That's why there is the YaST module to join to a domain.

Does using the Yast module set up Pam winbind? Thanks L x -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

On 03/08/12 19:13, David Disseldorp wrote:

On Fri, 03 Aug 2012 19:01:54 +0200 lynn wrote:

...

...

That's why there is the YaST module to join to a domain.

Does using the Yast module set up Pam winbind?

Yes, see the "Also Use SMB Information for Linux Authentication" check-box.

Cheers, David

Hi Yes. Thanks. Found it. The main problem with it is that it overwrites/adds deprecated values to whatever is in smb.conf, worse, it starts winbind with it's own settings. You then have to stop winbind, leave the domain, delete all the tdb files, put smb.conf back as you want it, rejoin using net ads join and then restart winbind. OK, now I've got my PAM settings but that was the only way I could get it to work. deprecated (which take only the gid range): idmap gid lownumber-high number idmap gid another lownumber-another high number current: idmap config ADOMAIN : backend = ad idmap config ADOMAIN : range = lownumber-high number Cheers, Steve -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org