Correct configuration of pam_winbind.so for login using AD accounts

Brian E. Conklin bconklin at masongeneral.com
Wed Nov 23 18:17:46 GMT 2005


> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org 
> [mailto:owner-freebsd-questions at freebsd.org] On Behalf Of Jim Hatfield
> Sent: Wednesday, November 23, 2005 8:33 AM
> To: freebsd-questions at freebsd.org
> Subject: Correct configuration of pam_winbind.so for login 
> using AD accounts
> 
> 
> I'm using a newly-installed FBSD 6 system to experiment with
> Single Sign-On to an Active Directory network.
> 
> Samba is installed, the machine is joined to the domain, winbind
> seems to work fine, wbinfo -u lets me enumerate users OK.
> 
> I'm trying to work out how to edit the files in /etc/pam.d to get
> pam_winbind to let me log on to the console using an AD account.
> Most of the Samba docs seem to be Linux-specific and the sample
> pam files don't match the ones in the FBSD 6 system.

Take a look at http://web.irtnog.org/howtos/freebsd/winbind

> 
> What I did was to edit /etc/pam.d/login:
> 
> add "auth sufficient pam_winbind.so" as the 
> penultimate line of the auth section, and the same
> in the account section.
> 
> If I try to log in as an AD user on the console I get this in
> /var/log/messages:
> 
> >Nov 23 15:30:36 speyburn pam_winbind[1330]: user 'INTERNAL+jhatfield' granted access
> >Nov 23 15:30:36 speyburn pam_winbind[1330]: user 'INTERNAL+jhatfield' granted access
> >Nov 23 15:30:36 speyburn winbindd[1324]: [2005/11/23 15:30:36, 0] rpc_client/cli_pipe.c:cli_rpc_open_noauth(1700)
> >Nov 23 15:30:36 speyburn winbindd[1324]:   rpc_pipe_bind failed
> >Nov 23 15:30:37 speyburn winbindd[1324]: [2005/11/23 15:30:37, 0] rpc_client/cli_pipe.c:cli_rpc_open_noauth(1700)
> >Nov 23 15:30:37 speyburn winbindd[1324]:   rpc_pipe_bind failed
> >Nov 23 15:30:37 speyburn login[1331]: setlogin(INTERNAL+jhatfield): Invalid argument - exiting
> 
> So I'm close but not there yet.
> 
> As an aside, I'm confused as to the difference between what
> pam_winbind offers and what nss_winbind offers - I would have thought
> either of them would be adequate to provide login access.
> 