Samba, PAM, Authentication off an NT Domain
Let me preface this by saying I'm clueless when it comes to PAM, and
mostly clueless when it comes to Samba.
I've got a university lab full of computers dual-booting between W2K and
Debian Woody. The W2K side authenticates users off our campus domain(s).
We have a domain for faculty/staff (ACU) and one for students
(ACU-ACADEMIC). Recently our Windows-oriented administrator implemented
Active Directory across campus, but I'm still able to add the Windows
machines to the ACU and ACU-ACADEMIC domains like I always have.
Last year I gave up on trying to get the Debian side to authenticate off
the NT domains. This year I'm considerably closer (due to advances in
Samba, I believe).
I've got a single workstation I'm experimenting with; it's identical
(more or less) to the other machines in the lab. This machine is named
zl104-sp.
As part of last year's image, I had installed samba-client and smbfs
(and had samba enabled in the kernel) so that I could map drives (i.e.
smbmount //servermachine/sharename /netsharemountpoint -o
username=studentsname).
This year, the only thing I added (I think) that's related is winbindd.
I made some changes to /etc/samba/smb.conf as mentioned in "man winbindd".
I changed the "passwd:", "group:", and "shadow:" lines in
/etc/nsswitch.conf from "compat" to "files windbind".
I also made some changes to the login file in /etc/pam.d, but I'm
*totally* clueless about these changes. I've tried off and on over the
past two years to read documentation on PAM, but I just don't get it. I
think I understand that the different files under /etc/pam.d correspond
to different "services"; for example, "login" specifies what
authentication procedure applies to the initial logging on of a user,
and "passwd" specifies the procedure when someone uses the "passwd"
program to change their password. But I don't get what "auth" vs
"session" vs "optional" vs "requisite" is all about. So I suspect this
is where my failure is coming from.
The changes I've made to /etc/pam.d/login were to add the line "auth
sufficient /lib/security/pam_windbind.so" between the "auth required
pam_nologin.so" and "auth required pam_env.so" lines, and to comment out
the line "account required pam_unix.so" and replace it with "account
required /lib/security/pam_winbind.so".
Now whenever I try to do a normal login to the local box, I get asked
for my password twice. I don't have to get it right the first time, but
I must get it right the second time.
When I try to add the machine to the domain as per the man page, with
this command:
sudo smbpasswd -j ACU -r campus.acu.edu -U ACU\westk
and enter my ACU NT Domain password for westk, I get the error:
Error connecting to campus.acu.edu - NT_STATUS_LOGON_FAILURE
Unable to joing domain ACU
However, I can run the command "getent passwd" and see the list of ACU
domain users. The "getent group" command also returns a list of ACU
Domain groups, although it takes several seconds.
Anyone have any clue as to where to go from here? Getting this working
would be a major plus in making Linux more visible to the students here.
Thanks!
Kent
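The double password prompt Kent describes follows directly from how PAM walks an "auth" stack, so here is an added example (not part of Kent's message, and not Samba's or Linux-PAM's own code): a small Python simulator of the four control flags. It assumes the module names and order Kent lists (pam_nologin, then the sufficient winbind entry, then pam_env, then pam_unix; the module Samba ships is spelled pam_winbind.so), that both pam_winbind and pam_unix ask for a password unless told to reuse one already typed, and constructed outcomes for whether each module succeeds. The point it shows: a "sufficient" module that fails is silently skipped, so pam_unix runs next and prompts again; the standard cure is the use_first_pass option on the later module.

```python
"""Simulator for Linux-PAM 'auth' stack control flags.

Added example for reasoning about the /etc/pam.d/login stack described
in the post; the module outcomes below are constructed, not measured.
"""
from dataclasses import dataclass

SUCCESS, FAIL = "success", "fail"


@dataclass
class Entry:
    control: str            # required | requisite | sufficient | optional
    module: str
    result: str             # constructed outcome this module would return
    asks_password: bool = False
    options: tuple = ()     # e.g. ("use_first_pass",)


def run_auth_stack(stack):
    """Walk an auth stack with the classic control-flag semantics.

    Returns (final_result, number_of_password_prompts, log_lines).
    """
    failed = False            # a 'required' module failed somewhere
    determined = False        # a non-optional module produced a result
    optional_result = None
    prompts = 0
    have_password = False
    log = []
    for e in stack:
        if e.asks_password:
            if have_password and "use_first_pass" in e.options:
                log.append(f"  {e.module}: reusing the password already typed")
            else:
                prompts += 1
                have_password = True
                log.append(f"  {e.module}: prompting for password")
        r = e.result
        log.append(f"{e.control:<10} {e.module:<16} -> {r}")
        if e.control == "requisite":
            determined = True
            if r != SUCCESS:          # requisite: fail and stop immediately
                log.append("  requisite failed: stack aborted")
                return FAIL, prompts, log
        elif e.control == "required":
            determined = True
            if r != SUCCESS:          # required: remember, but keep going
                failed = True
        elif e.control == "sufficient":
            if r == SUCCESS and not failed:   # sufficient: success ends the stack
                log.append("  sufficient succeeded: stack ends here")
                return SUCCESS, prompts, log
            # a failing 'sufficient' module is ignored; later modules still run
        elif e.control == "optional":
            optional_result = r       # only counts if nothing else decided
        else:
            raise ValueError(f"unknown control flag {e.control!r}")
    if failed:
        return FAIL, prompts, log
    if not determined and optional_result is not None:
        return optional_result, prompts, log
    return SUCCESS, prompts, log


def kents_login_auth(winbind_ok, unix_ok=True):
    """The auth lines as described in the post (winbind inserted as 'sufficient')."""
    return [
        Entry("required",   "pam_nologin.so", SUCCESS),
        Entry("sufficient", "pam_winbind.so", SUCCESS if winbind_ok else FAIL,
              asks_password=True),
        Entry("required",   "pam_env.so",     SUCCESS),
        Entry("required",   "pam_unix.so",    SUCCESS if unix_ok else FAIL,
              asks_password=True),
    ]


def single_prompt_login_auth(winbind_ok, unix_ok=True):
    """Same stack, but pam_unix reuses the password pam_winbind collected."""
    stack = kents_login_auth(winbind_ok, unix_ok)
    stack[3].options = ("use_first_pass",)
    return stack


if __name__ == "__main__":
    # Domain unreachable (join failed): winbind fails, pam_unix prompts again.
    result, prompts, log = run_auth_stack(kents_login_auth(winbind_ok=False))
    print("\n".join(log))
    print(f"=> {result}, {prompts} prompt(s)\n")
    result, prompts, log = run_auth_stack(single_prompt_login_auth(winbind_ok=False))
    print("\n".join(log))
    print(f"=> {result}, {prompts} prompt(s)")
```

Running it with winbind failing (the situation while the machine is not yet joined) reproduces the symptom: two prompts, only the second of which must be correct, because the failed "sufficient" entry is ignored and pam_unix asks on its own. With use_first_pass on pam_unix there is a single prompt, and the typed password is then checked first against the domain and then against the local /etc/shadow entry.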