From: Kolya Grechukh <ngrechukh@ua.fm>
To: community@altlinux.ru
Subject: [Comm] winbind (maybe again)
Date: Tue, 16 Dec 2003 18:33:03 +0200
Message-ID: <200312161833.03178.ngrechukh@ua.fm>

I'm trying to set up login with an NT domain account.

Given:
win2000server (no admin rights, and none were needed)
master2.2
pam-config-1.1.3-alt1
samba3-3.0-alt46.1m (shrek's build)
pam-0.75-alt18

Samba itself is already configured. In /etc/nsswitch.conf I add the word winbind:

passwd: files winbind nisplus nis
shadow: winbind tcb files nisplus nis
group: files winbind nisplus nis

Uncommented template shell. Joined the domain with

[kolya@gns kolya]$ sudo net join -U GNS
[kolya@gns kolya]$ sudo service winbind start
[kolya@gns kolya]$ sudo wbinfo -p
...works.
[kolya@gns kolya]$ sudo wbinfo -t
...works.
[kolya@gns kolya]$ sudo wbinfo --set-auth-user
[kolya@gns kolya]$ sudo wbinfo -u

Everything works. The trouble came with setting up pam_winbind. /me still hasn't figured out how to enable pam_winbind the kosher way in ALT terms. I never managed to call winbind directly from system-auth (so that it gets checked for all services). So the winbind call will have to be specified for each service separately. In short, after lengthy experiments I ended up with the following in pam.d/login:

auth required /lib/security/pam_stack.so service=system-auth-winbind
account required /lib/security/pam_stack.so service=system-auth-winbind
password required /lib/security/pam_stack.so service=system-auth-winbind
session required /lib/security/pam_stack.so service=system-auth-winbind

(instead of system-auth). But then the next bug: I log in as TDO\GNS with the domain password.

Dec 16 18:06:44 gns login: PAM pam_parse: expecting return value; [...include]
Dec 16 18:06:44 gns login: PAM unable to dlopen(/lib/security/system-auth-use_first_pass)
Dec 16 18:06:44 gns login: PAM [dlerror: /lib/security/system-auth-use_first_pass: cannot open shared object file: No such file or directory]
Dec 16 18:06:44 gns login: PAM adding faulty module: /lib/security/system-auth-use_first_pass
Dec 16 18:06:44 gns login: PAM pam_parse: expecting return value; [...include]
Dec 16 18:06:44 gns login: PAM unable to dlopen(/lib/security/system-auth)
Dec 16 18:06:44 gns login: PAM [dlerror: /lib/security/system-auth: cannot open shared object file: No such file or directory]
Dec 16 18:06:44 gns login: PAM adding faulty module: /lib/security/system-auth
Dec 16 18:06:44 gns login: PAM pam_parse: expecting return value; [...include]
Dec 16 18:06:44 gns login: PAM pam_parse: expecting return value; [...include]
Dec 16 18:06:46 gns pam_winbind[21263]: user 'TDO\GNS' granted acces
Dec 16 18:06:46 gns pam_winbind[21263]: user 'TDO\GNS' granted acces
Dec 16 18:06:46 gns login[21263]: unable to open session: Module is unknown
Dec 16 18:06:46 gns login[21263]: pam_open_session: unable to open session

Visually it looks as if the login succeeded, something flashes by, and it's back to the login prompt. It doesn't get into the system. I won't describe the long hunt for a solution, just the result. For everything to work, the following lines in system-auth-winbind also have to be commented out:

auth include system-auth-use_first_pass
account include system-auth
password include system-auth-use_first_pass
session include system-auth

That is enough (verified on a test machine with a clean master + the same samba). Console login works, and the home directory gets created. It works all right, but is this the right way? And why is system-auth-winbind glitchy, is it a bug or a feature? Are my fixes correct, haven't I broken anything?
Maybe system-auth-winbind should refer to system-auth through pam_stack instead of include, as in sufficient pam_stack service=system-auth? btw: to apply winbind authentication to other services, will system-auth-winbind also have to be written into their pam configs?? Attached are the configs BEFORE the changes, and the diff output.

--------
Nick S. Grechukh kolyag@mail.ru
Refractory Trading House, network administrator.

[-- Attachment #2: login --]

#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
auth optional /lib/security/pam_mail.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_lastlog.so nowtmp
session optional /lib/security/pam_motd.so
session optional /lib/security/pam_console.so

[-- Attachment #3: system-auth --]

#%PAM-1.0
auth required /lib/security/pam_tcb.so shadow fork prefix=$2a$ count=8 nullok
account required /lib/security/pam_tcb.so shadow fork
password required /lib/security/pam_passwdqc.so min=disabled,24,12,8,7 max=40 passphrase=3 match=4 similar=deny random=42 enforce=users retry=3
password required /lib/security/pam_tcb.so use_authtok shadow fork prefix=$2a$ count=8 write_to=tcb
session required /lib/security/pam_tcb.so
session required /lib/security/pam_limits.so

[-- Attachment #4: system-auth-winbind --]

#%PAM-1.0
auth required pam_securetty.so
auth required pam_nologin.so
auth sufficient pam_winbind.so
auth include system-auth-use_first_pass
account sufficient pam_winbind.so
account include system-auth
password sufficient pam_winbind.so
password include system-auth-use_first_pass
# We use pam_mkhomedir to create home dirs for incoming domain users
# Note used umask, it will result in rwxr-x--x access rights
session required pam_mkhomedir.so skel=/etc/skel.ru_RU.CP1251/ umask=0026
session include system-auth

[-- Attachment #5: patch_pam-for-winbind --]

--- login 2003-12-16 18:13:30 +0200 +++ ../new/login 2003-12-16 18:17:07 +0200 @@ -1,11 +1,11 @@ #%PAM-1.0 auth required /lib/security/pam_securetty.so -auth required /lib/security/pam_stack.so service=system-auth +auth required /lib/security/pam_stack.so service=system-auth-winbind auth required /lib/security/pam_nologin.so auth optional /lib/security/pam_mail.so -account required /lib/security/pam_stack.so service=system-auth -password required /lib/security/pam_stack.so service=system-auth -session required /lib/security/pam_stack.so service=system-auth +account required /lib/security/pam_stack.so service=system-auth-winbind +password required /lib/security/pam_stack.so service=system-auth-winbind +session required /lib/security/pam_stack.so service=system-auth-winbind session optional /lib/security/pam_lastlog.so nowtmp session optional /lib/security/pam_motd.so session optional /lib/security/pam_console.so --- system-auth-winbind 2003-12-16 18:13:10 +0200 +++ ../new/system-auth-winbind 2003-12-16 18:21:08 +0200 @@ -2,12 +2,12 @@ auth required pam_securetty.so auth required pam_nologin.so auth sufficient pam_winbind.so -auth include system-auth-use_first_pass +#auth include system-auth-use_first_pass account sufficient pam_winbind.so -account include system-auth +#account include system-auth password sufficient pam_winbind.so -password include system-auth-use_first_pass +#password include system-auth-use_first_pass # We use pam_mkhomedir to create home dirs for incoming domain users # Note used umask, it will result in rwxr-x--x access rights session required pam_mkhomedir.so skel=/etc/skel.ru_RU.CP1251/ umask=0026 -session include system-auth +#session include system-auth
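Review bot: in the login hunk, pam_securetty and pam_nologin stay in login itself while system-auth-winbind (attachment #4, its first two auth lines) lists them again, so after this change both run twice on every login; keep them in one place only. The more important consequence of pointing all four stacks at system-auth-winbind is that login no longer has any path of its own to system-auth: whether a local tcb account (root included) can still log in at the console now depends entirely on system-auth-winbind keeping its reference to system-auth.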
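Review bot: in the system-auth-winbind hunk, commenting out the four include lines leaves auth, account and password with pam_winbind as the only module that decides anything and drops the session call into system-auth, so local accounts from tcb (root included) can no longer authenticate through login, local passwords can no longer be changed through it, and pam_limits from system-auth no longer applies to anyone logging in this way. The log already names the real problem: 'pam_parse: expecting return value; [...include]' followed by dlopen(/lib/security/system-auth) means this PAM build reads 'include' as a module path. Rather than deleting the lines, express them the way login already does, e.g. 'auth required pam_stack.so service=system-auth-use_first_pass' and 'session required pam_stack.so service=system-auth' (assuming system-auth-use_first_pass exists next to system-auth; only system-auth is attached). That keeps the sufficient pam_winbind short-circuit for domain users and the pam_tcb fallback for local ones, which is the pam_stack variant the mail itself proposes.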
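The log above shows what happens when a PAM service file uses a control word this PAM build does not know: the parser complains "expecting return value" and then tries to dlopen() the next word as a module. A small lint run before the first reboot catches that. The POSIX sh below is an added example, not code from the mail or from ALT's pam-config; it assumes (an assumption, not something the mail states) that this PAM accepts only required, requisite, sufficient and optional as control words, and it builds its two sample inputs inline from the attached system-auth-winbind: the file as shipped, and the same file with each "include X" rewritten to "required pam_stack.so service=X", which keeps the fallback into system-auth instead of deleting it.

```shell
#!/bin/sh
# Added example: lint a PAM service file for control words that PAM 0.75
# does not understand. Assumption (not from the mail): this PAM accepts only
# required / requisite / sufficient / optional; anything else in the second
# column, "include" in particular, is treated as a module path and fails to
# dlopen(), which is what the log in the mail shows.
#
# check_pam_file FILE -> prints one line per offending entry, returns 1 if
# any were found, 0 if the file is clean.
check_pam_file() {
    file="$1"
    rc=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            ''|\#*) continue ;;                # blank line or comment
        esac
        set -f                                 # no globbing while splitting
        set -- $line                           # type control module [args...]
        set +f
        type="$1"; control="$2"; module="$3"
        case "$type" in
            auth|account|password|session) ;;
            *) echo "$file:$lineno: unknown module type '$type'"; rc=1; continue ;;
        esac
        case "$control" in
            required|requisite|sufficient|optional) ;;
            include)
                echo "$file:$lineno: 'include $module' is not supported by this PAM;" \
                     "use 'required pam_stack.so service=$module'"
                rc=1 ;;
            *) echo "$file:$lineno: unknown control word '$control'"; rc=1 ;;
        esac
        [ -n "$module" ] || { echo "$file:$lineno: missing module"; rc=1; }
    done < "$file"
    return $rc
}

# Constructed sample input: the attached system-auth-winbind as shipped, and
# the same file with each "include X" rewritten to pam_stack service=X, which
# keeps the fallback to system-auth (and thus pam_tcb for local users) that
# simply commenting the lines out throws away.
write_samples() {
    dir="$1"
    cat > "$dir/system-auth-winbind.orig" <<'EOF'
#%PAM-1.0
auth required pam_securetty.so
auth required pam_nologin.so
auth sufficient pam_winbind.so
auth include system-auth-use_first_pass
account sufficient pam_winbind.so
account include system-auth
password sufficient pam_winbind.so
password include system-auth-use_first_pass
# We use pam_mkhomedir to create home dirs for incoming domain users
session required pam_mkhomedir.so skel=/etc/skel.ru_RU.CP1251/ umask=0026
session include system-auth
EOF
    sed 's/^\([a-z]*\) include \(.*\)$/\1 required pam_stack.so service=\2/' \
        "$dir/system-auth-winbind.orig" > "$dir/system-auth-winbind.fixed"
}

# Usage from a shell:  . ./pam_check.sh; check_pam_file /etc/pam.d/system-auth-winbind
```

Run against the shipped file the function reports the four include lines and returns 1; run against the rewritten one it returns 0. The rewrite is what the reviewer notes above suggest: the pam_winbind entries stay sufficient so domain users short-circuit, and the pam_stack lines keep system-auth (pam_tcb, pam_limits) reachable for local accounts.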
Thread overview: 2 messages
2003-12-16 16:33 Kolya Grechukh [this message]
2003-12-16 17:10 ` Kolya Grechukh