Let me preface this by saying I'm clueless when it comes to PAM, and 
mostly clueless when it comes to Samba.

I've got a university lab full of computers dual-booting between W2K and 
Debian Woody. The W2K side authenticates users off our campus domain(s). 
We have a domain for faculty/staff (ACU) and one for students 
(ACU-ACADEMIC). Recently our Windows-oriented administrator implemented 
Active Directory across campus, but I'm still able to add the Windows 
machines to the ACU and ACU-ACADEMIC domains like I always have.

Last year I gave up on trying to get the Debian side to authenticate off 
the NT domains. This year I'm considerably closer (due to advances in 
Samba, I believe).

I've got a single workstation I'm experimenting with; it's identical 
(more or less) to the other machines in the lab. This machine is named 
zl104-sp.

As part of last year's image, I had installed samba-client and smbfs 
(and had samba enabled in the kernel) so that I could map drives (i.e. 
smbmount //servermachine/sharename /netsharemountpoint -o 
username=studentsname).

This year, the only thing I added (I think) that's related is winbindd. 
I made some changes to /etc/samba/smb.conf as mentioned in "man winbindd".

I changed the "passwd:", "group:", and "shadow:" lines in 
/etc/nsswitch.conf from "compat" to "files windbind".

I also made some changes to the login file in /etc/pam.d, but I'm 
*totally* clueless about these changes. I've tried off and on over the 
past two years to read documentation on PAM, but I just don't get it. I 
think I understand that the different files under /etc/pam.d correspond 
to different "services"; for example, "login" specifies what 
authentication procedure applies to the initial logging on of a user, 
and "passwd" specifies the procedure when someone uses the "passwd" 
program to change their password. But I don't get what "auth" vs 
"session" vs "optional" vs "requisite" is all about. So I suspect this 
is where my failure is coming from.

The changes I've made to /etc/pam.d/login were to add the line "auth 
sufficient /lib/security/pam_windbind.so" between the "auth required 
pam_nologin.so" and "auth required pam_env.so" lines, and to comment out 
the line "account required pam_unix.so" and replace it with "account 
required /lib/security/pam_winbind.so".

Now whenever I try to do a normal login to the local box, I get asked 
for my password twice. I don't have to get it right the first time, but 
I must get it right the second time.

When I try to add the machine to the domain as per the man page, with 
this command:

        sudo smbpasswd -j ACU -r campus.acu.edu -U ACU\westk

and enter my ACU NT Domain password for westk, I get the error:

        Error connecting to campus.acu.edu - NT_STATUS_LOGON_FAILURE
        Unable to joing domain ACU


However, I can run the command "getent passwd" and see the list of ACU 
domain users. The "getent group" command also returns a list of ACU 
Domain groups, albeit it takes several seconds.

Anyone have any clue as to where to go from here? Getting this working 
would be a major plus in making Linux more visible to the students here.

Thanks!

Kent
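
The message above asks what PAM control flags such as "required", "requisite", "sufficient" and "optional" do. The following is an added example, not part of the original message: a simplified simulator of how Linux-PAM walks an "auth" stack and how many password prompts result. The `pam_unix.so nullok` line, the `PROMPTING` set and the `accepts` inputs are assumptions constructed for illustration.

```python
# Added example: simplified model of Linux-PAM "auth" stack evaluation.
PROMPTING = {"pam_unix.so", "pam_winbind.so"}  # modules that ask for a password

# Constructed stack modelled on the post; the pam_unix line is an assumption.
LOGIN_STACK = """\
auth required   pam_nologin.so
auth sufficient /lib/security/pam_winbind.so
auth required   pam_env.so
auth required   pam_unix.so nullok
"""

def parse(text, mgmt="auth"):
    """Return (control, module_basename, options) for each line of one type."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == mgmt:
            rules.append((fields[1], fields[2].rsplit("/", 1)[-1], fields[3:]))
    return rules

def run_stack(rules, accepts):
    """accepts maps module name -> bool (would it accept the password typed?).
    Modules missing from the map succeed. Returns (authenticated, prompts)."""
    prompts, have_pass, required_failed = 0, False, False
    for control, module, opts in rules:
        if module in PROMPTING:
            # Simplification: try_first_pass is treated like use_first_pass;
            # its fallback prompt after a mismatch is not modelled.
            reuse = have_pass and ({"use_first_pass", "try_first_pass"} & set(opts))
            if not reuse:
                prompts += 1
            have_pass = True
        ok = accepts.get(module, True)
        if control == "requisite" and not ok:
            return False, prompts        # fail immediately, skip the rest
        if control == "required" and not ok:
            required_failed = True       # fail, but keep running the stack
        if control == "sufficient" and ok and not required_failed:
            return True, prompts         # succeed immediately, skip the rest
        # A failed "sufficient" and any "optional" result are ignored here.
    return not required_failed, prompts

if __name__ == "__main__":
    local_user = {"pam_winbind.so": False, "pam_unix.so": True}
    print(run_stack(parse(LOGIN_STACK), local_user))
```

In this model a local account is prompted once by each password module, while a domain account stops at the "sufficient" line after one prompt.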

