[opensuse] SAMBA pam winbind config problem
Does anyone have a working /etc/pam.d config for winbind on openSUSE 12.1 they could share? Any mention of winbind in any of auth, account or session either locks me out or prevents root logins. Everything else works fine: wbinfo -u, getent passwd, getent group... We just can't log in.

We are using a Samba4 DC and so are unable to get YaST to add the pam entries for us. We have however transferred the pam setup from an official Samba3.6 12.1 install we have on a client joined to the domain. Same problem. Kerberos keeps seeing the principal as DOMAINlynn even though I give DOMAIN\\lynn as my login at the CLI. This was also a problem under Ubuntu LTS until we added the pam entries.

Here are our current files under pam.d on the Samba4 DC:

common-account

    account requisite pam_unix2.so
    account required pam_krb5.so use_first_pass ignore_unknown_principals

common-auth

    auth required pam_env.so
    auth sufficient pam_unix2.so
    auth sufficient pam_krb5.so use_first_pass
    auth required pam_deny.so

common-session

    session required pam_limits.so
    session required pam_unix2.so
    session optional pam_krb5.so
    session optional pam_umask.so
    session optional pam_systemd.so

This works fine with nss-pam-ldapd for both user and group mapping and authentication. With libnss-winbind it only works for mappings.

For nss-pam-ldapd we have nsswitch.conf as follows:

    passwd: compat ldap
    group: compat ldap

and for nss-winbind we have:

    passwd: compat winbind
    group: compat winbind

The samba-list have a copy of this. The reason I have posted here is that the pam.d winbind entries work fine with Ubuntu 12.04 LTS. Here are the Ubuntu entries:

common-account

    account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so

common-auth

    auth [success=2 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass

common-session

    session optional pam_winbind.so

Can anyone translate those to openSUSE 12.1?

Thanks
L x

participants (1): lynn