Let me preface this by saying I'm clueless when it comes to PAM, and mostly clueless when it comes to Samba.
I've got a university lab full of computers dual-booting between W2K and Debian Woody. The W2K side authenticates users off our campus domain(s). We have a domain for faculty/staff (ACU) and one for students (ACU-ACADEMIC). Recently our Windows-oriented administrator implemented Active Directory across campus, but I'm still able to add the Windows machines to the ACU and ACU-ACADEMIC domains like I always have.

Last year I gave up on trying to get the Debian side to authenticate off the NT domains. This year I'm considerably closer (due to advances in Samba, I believe). I've got a single workstation I'm experimenting with; it's identical (more or less) to the other machines in the lab. This machine is named zl104-sp.

As part of last year's image, I had installed samba-client and smbfs (and had samba enabled in the kernel) so that I could map drives (i.e. smbmount //servermachine/sharename /netsharemountpoint -o username=studentsname). This year, the only thing I added (I think) that's related is winbindd. I made some changes to /etc/samba/smb.conf as mentioned in "man winbindd". I changed the "passwd:", "group:", and "shadow:" lines in /etc/nsswitch.conf from "compat" to "files windbind".

I also made some changes to the login file in /etc/pam.d, but I'm *totally* clueless about these changes. I've tried off and on over the past two years to read documentation on PAM, but I just don't get it. I think I understand that the different files under /etc/pam.d correspond to different "services"; for example, "login" specifies what authentication procedure applies to the initial logging on of a user, and "passwd" specifies the procedure when someone uses the "passwd" program to change their password. But I don't get what "auth" vs "session" vs "optional" vs "requisite" is all about. So I suspect this is where my failure is coming from.
The changes I've made to /etc/pam.d/login were to add the line "auth sufficient /lib/security/pam_windbind.so" between the "auth required pam_nologin.so" and "auth required pam_env.so" lines, and to comment out the line "account required pam_unix.so" and replace it with "account required /lib/security/pam_winbind.so".

Now whenever I try to do a normal login to the local box, I get asked for my password twice. I don't have to get it right the first time, but I must get it right the second time.

When I try to add the machine to the domain as per the man page, with this command:

    sudo smbpasswd -j ACU -r campus.acu.edu -U ACU\westk

and enter my ACU NT Domain password for westk, I get the error:

    Error connecting to campus.acu.edu - NT_STATUS_LOGON_FAILURE
    Unable to joing domain ACU

However, I can run the command "getent passwd" and see the list of ACU domain users. The "getent group" command also returns a list of ACU Domain groups, albeit it takes several seconds.

Anyone have any clue as to where to go from here? Getting this working would be a major plus in making Linux more visible to the students here.

Thanks!
Kent
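Added example, not part of Kent's message: a simplified Python model of how libpam evaluates the control flags asked about above (required, requisite, sufficient, optional), applied to the auth lines described for /etc/pam.d/login. The trailing pam_unix.so auth line, the per-module outcomes and the names run_stack and password_prompts are assumptions made for illustration.

```python
# Simplified model of how libpam walks one management group ("auth").
# Module results are supplied by the caller; return codes such as
# PAM_IGNORE and the bracketed [value=action] syntax are left out.

# Constructed stack: the auth lines described in the message, plus an
# assumed trailing pam_unix.so line (not quoted in the post).
AUTH_STACK = [
    ("required",   "pam_nologin.so"),
    ("sufficient", "pam_winbind.so"),
    ("required",   "pam_env.so"),
    ("required",   "pam_unix.so"),
]
ASKS_PASSWORD = {"pam_winbind.so", "pam_unix.so"}  # modules that prompt


def run_stack(stack, outcomes):
    """Return (granted, modules_run). outcomes maps module -> True/False."""
    required_failed = False
    any_success = False
    ran = []
    for control, module in stack:
        ok = outcomes[module]
        ran.append(module)
        if control == "requisite" and not ok:
            return False, ran              # fail now, skip the rest
        if control == "sufficient":
            if ok and not required_failed:
                return True, ran           # succeed now, skip the rest
            continue                       # a failed "sufficient" is ignored
        if control == "optional":
            continue                       # result ignored in this model
        if control not in ("required", "requisite"):
            raise ValueError(f"unknown control flag: {control}")
        if ok:
            any_success = True
        else:
            required_failed = True         # keep going, but deny at the end
    return any_success and not required_failed, ran


def password_prompts(ran):
    """Count modules in the run list that ask for a password."""
    return sum(1 for m in ran if m in ASKS_PASSWORD)


if __name__ == "__main__":
    local = {"pam_nologin.so": True, "pam_winbind.so": False,
             "pam_env.so": True, "pam_unix.so": True}
    granted, ran = run_stack(AUTH_STACK, local)
    print(granted, password_prompts(ran), ran)
```

In the model, a login where pam_winbind.so fails and pam_unix.so succeeds runs both password-prompting modules, which matches the two prompts described in the message. Options such as use_first_pass on the later module are the usual way to have it reuse the password already entered.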