ALT Linux Community general discussions
From: Kolya Grechukh <ngrechukh@ua.fm>
To: community@altlinux.ru
Subject: [Comm] winbind (maybe again)
Date: Tue, 16 Dec 2003 18:33:03 +0200
Message-ID: <200312161833.03178.ngrechukh@ua.fm>

[-- Attachment #1: Type: text/plain, Size: 3858 bytes --]

I'm trying to set up login with an NT domain account.
Given:
win2000server (no admin rights, and none were needed)
master2.2
pam-config-1.1.3-alt1
samba3-3.0-alt46.1m (shrek's build)
pam-0.75-alt18

Samba itself is already configured. In /etc/nsswitch.conf I add the word winbind.
passwd:     files winbind nisplus nis
shadow:     winbind  tcb files nisplus nis
group:      files winbind nisplus nis

Uncommented template shell.

I join the domain with
[kolya@gns kolya]$ sudo net join -U GNS.
[kolya@gns kolya]$ sudo service winbind start
[kolya@gns kolya]$ sudo wbinfo -p
...yes.
[kolya@gns kolya]$ sudo wbinfo -t
...yes.
[kolya@gns kolya]$ sudo wbinfo --set-auth-user
[kolya@gns kolya]$ sudo wbinfo -u 
everything works.

The trouble came with configuring pam_winbind. /me still hasn't figured out how to
enable pam_winbind the kosher way, in Alt's terms.
I never managed to call winbind directly from system-auth (so that it would be
checked for all services). So the winbind call will have to be specified for
each service separately.

In short, after lengthy experiments I got the following:
in pam.d/login
auth    required        /lib/security/pam_stack.so service=system-auth-winbind
account    required   /lib/security/pam_stack.so service=system-auth-winbind
password    required   /lib/security/pam_stack.so service=system-auth-winbind
session  required    /lib/security/pam_stack.so service=system-auth-winbind
(instead of system-auth).

But after that, the following bug:

I log in as TDO\GNS with the domain password.
Dec 16 18:06:44 gns login: PAM pam_parse: expecting return value; [...include]
Dec 16 18:06:44 gns login: PAM unable to 
dlopen(/lib/security/system-auth-use_first_pass)
Dec 16 18:06:44 gns login: PAM [dlerror: 
/lib/security/system-auth-use_first_pass: cannot open shared object file: No 
such file or directory]
Dec 16 18:06:44 gns login: PAM adding faulty module: 
/lib/security/system-auth-use_first_pass
Dec 16 18:06:44 gns login: PAM pam_parse: expecting return value; [...include]
Dec 16 18:06:44 gns login: PAM unable to dlopen(/lib/security/system-auth)
Dec 16 18:06:44 gns login: PAM [dlerror: /lib/security/system-auth: cannot 
open shared object file: No such file or directory]
Dec 16 18:06:44 gns login: PAM adding faulty module: /lib/security/system-auth
Dec 16 18:06:44 gns login: PAM pam_parse: expecting return value; [...include]
Dec 16 18:06:44 gns login: PAM pam_parse: expecting return value; [...include]
Dec 16 18:06:46 gns pam_winbind[21263]: user 'TDO\GNS' granted acces
Dec 16 18:06:46 gns pam_winbind[21263]: user 'TDO\GNS' granted acces
Dec 16 18:06:46 gns login[21263]: unable to open session: Module is unknown
Dec 16 18:06:46 gns login[21263]: pam_open_session: unable to open session

Visually it looks like the login went through, something flashed by quickly, and
back to the login prompt. It doesn't get into the system. I won't describe the long
search for a solution, I'll just give the result. For everything to work, you
additionally need to comment out the following lines in system-auth-winbind:

auth     include      system-auth-use_first_pass
account        include        system-auth
password include      system-auth-use_first_pass
session  include      system-auth

That is enough (verified on a test machine with a clean Master + the same
Samba). Console login works, and the home directory is created.
It works alright, but is this the right way? And why is system-auth-winbind
buggy: is it a bug or a feature? Are my fixes correct, haven't I broken
anything? Maybe system-auth-winbind should reference system-auth instead of
include, in the form sufficient pam_stack service=system-auth?

btw: to apply winbind authentication to other services, will system-auth-winbind
also have to be written into their pam files??

Attached are the configs BEFORE the changes, and the diff output.

--------
Nick S. Grechukh
kolyag@mail.ru
Refractory Trading House, network administrator.

[-- Attachment #2: login --]
[-- Type: text/plain, Size: 534 bytes --]

#%PAM-1.0
auth	required	/lib/security/pam_securetty.so
auth	required	/lib/security/pam_stack.so service=system-auth
auth	required	/lib/security/pam_nologin.so
auth	optional	/lib/security/pam_mail.so
account	required	/lib/security/pam_stack.so service=system-auth
password	required	/lib/security/pam_stack.so service=system-auth
session	required	/lib/security/pam_stack.so service=system-auth
session	optional	/lib/security/pam_lastlog.so nowtmp
session	optional	/lib/security/pam_motd.so
session	optional	/lib/security/pam_console.so

[-- Attachment #3: system-auth --]
[-- Type: text/plain, Size: 473 bytes --]

#%PAM-1.0
auth	required	/lib/security/pam_tcb.so shadow fork prefix=$2a$ count=8 nullok
account	required	/lib/security/pam_tcb.so shadow fork
password	required	/lib/security/pam_passwdqc.so min=disabled,24,12,8,7 max=40 passphrase=3 match=4 similar=deny random=42 enforce=users retry=3
password	required	/lib/security/pam_tcb.so use_authtok shadow fork prefix=$2a$ count=8 write_to=tcb
session	required	/lib/security/pam_tcb.so
session	required	/lib/security/pam_limits.so

[-- Attachment #4: system-auth-winbind --]
[-- Type: text/plain, Size: 531 bytes --]

#%PAM-1.0
auth	 required	pam_securetty.so
auth	 required	pam_nologin.so
auth	 sufficient	pam_winbind.so
auth     include	system-auth-use_first_pass
account  sufficient	pam_winbind.so
account	 include	system-auth
password sufficient	pam_winbind.so
password include	system-auth-use_first_pass
# We use pam_mkhomedir to create home dirs for incoming domain users
# Note used umask, it will result in rwxr-x--x access rights
session  required       pam_mkhomedir.so skel=/etc/skel.ru_RU.CP1251/ umask=0026
session  include	system-auth

[-- Attachment #5: patch_pam-for-winbind --]
[-- Type: text/x-diff, Size: 1744 bytes --]

--- login	2003-12-16 18:13:30 +0200
+++ ../new/login	2003-12-16 18:17:07 +0200
@@ -1,11 +1,11 @@
 #%PAM-1.0
 auth	required	/lib/security/pam_securetty.so
-auth	required	/lib/security/pam_stack.so service=system-auth
+auth	required	/lib/security/pam_stack.so service=system-auth-winbind
 auth	required	/lib/security/pam_nologin.so
 auth	optional	/lib/security/pam_mail.so
-account	required	/lib/security/pam_stack.so service=system-auth
-password	required	/lib/security/pam_stack.so service=system-auth
-session	required	/lib/security/pam_stack.so service=system-auth
+account	required	/lib/security/pam_stack.so service=system-auth-winbind
+password	required	/lib/security/pam_stack.so service=system-auth-winbind
+session	required	/lib/security/pam_stack.so service=system-auth-winbind
 session	optional	/lib/security/pam_lastlog.so nowtmp
 session	optional	/lib/security/pam_motd.so
 session	optional	/lib/security/pam_console.so
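Review bot: the four pam_stack lines now all name system-auth-winbind, which (per the attached system-auth-winbind and the second file in this patch) itself begins with `auth required pam_securetty.so` and `auth required pam_nologin.so`, so login now runs both modules twice, once from this file and once inside the stacked service. Harmless, but drop one copy so there is a single place to maintain, and note that the same four-line edit has to be repeated in every other service file that should accept domain accounts, which the message itself raises; a one-line comment here saying why login stacks system-auth-winbind instead of system-auth would help the next reader.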
--- system-auth-winbind	2003-12-16 18:13:10 +0200
+++ ../new/system-auth-winbind	2003-12-16 18:21:08 +0200
@@ -2,12 +2,12 @@
 auth	 required	pam_securetty.so
 auth	 required	pam_nologin.so
 auth	 sufficient	pam_winbind.so
-auth     include	system-auth-use_first_pass
+#auth     include	system-auth-use_first_pass
 account  sufficient	pam_winbind.so
-account	 include	system-auth
+#account	 include	system-auth
 password sufficient	pam_winbind.so
-password include	system-auth-use_first_pass
+#password include	system-auth-use_first_pass
 # We use pam_mkhomedir to create home dirs for incoming domain users
 # Note used umask, it will result in rwxr-x--x access rights
 session  required       pam_mkhomedir.so skel=/etc/skel.ru_RU.CP1251/ umask=0026
-session  include	system-auth
+#session  include	system-auth
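Review bot: commenting out the four `include` lines silences the parse errors, but it also removes the only fallback for local accounts. After this hunk the auth stack is `required pam_securetty.so`, `required pam_nologin.so`, `sufficient pam_winbind.so` and nothing else, so when pam_winbind fails (a local user, or winbindd not running) the outcome is decided by the two required modules that already succeeded, and the stack can return success without any module having verified a password; the account, password and session groups likewise fall back to nothing. The log shows why `include` failed in the first place: this PAM reads it as a control word it does not know (`pam_parse: expecting return value; [...include]`), then tries to dlopen `system-auth` as a module, hence `Module is unknown` at session time. The rewrite that matches the rest of the distribution's files (see the login hunk above) is to replace each `include FILE` with `required pam_stack.so service=FILE`, e.g. `session required pam_stack.so service=system-auth`, which keeps the local path working; at the very least end the auth group with `auth required pam_deny.so` so that a winbind failure cannot turn into success.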

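The stacks in the attachments can be checked against a small model of the Linux-PAM dispatcher. The Python below is an added example, not code from the message, from Linux-PAM or from ALT; it models required/requisite/sufficient/optional with the dispatcher's rules, models `include` as the faulty "Module is unknown" entry that the log in the message shows for this PAM version (an assumption taken from that log), runs `pam_stack.so service=NAME` as the named file's stack, and uses constructed module outcomes plus a constructed stand-in for system-auth-use_first_pass, which the message does not show.

```python
# Added example (not from the message, not Linux-PAM code): a model of how
# Linux-PAM evaluates one management group of a pam.d file, applied to the
# stacks quoted in the message.  Assumptions are marked where they appear.

SUCCESS, AUTH_ERR, MODULE_UNKNOWN, PERM_DENIED = (
    "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_MODULE_UNKNOWN", "PAM_PERM_DENIED")

# Simple control flags: (action if the module succeeds, action if it fails).
CONTROLS = {"required": ("ok", "bad"), "requisite": ("ok", "die"),
            "sufficient": ("done", "ignore"), "optional": ("ok", "ignore")}

def parse_pam(text):
    """pam.d lines -> (group, control, module, args); '#' comments skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            group, control, module, *args = line.split()
            rules.append((group, control, module, tuple(args)))
    return rules

def comment_out_includes(text):
    """The workaround from the message: put '#' in front of every include line."""
    return "\n".join("#" + l if l.split()[1:2] == ["include"] else l
                     for l in text.splitlines())

def includes_to_pam_stack(text):
    """Alternative: rewrite 'GROUP include FILE' into the pam_stack form the
    distribution's own login file uses, so the included stack still runs."""
    out = []
    for l in text.splitlines():
        p = l.split()
        out.append(f"{p[0]} required pam_stack.so service={p[2]}"
                   if p[1:2] == ["include"] else l)
    return "\n".join(out)

def run_stack(text, group, outcomes, files):
    """Evaluate one group the way the Linux-PAM dispatcher does.  outcomes maps
    module name -> True (PAM_SUCCESS) / False (failure); unlisted modules fail."""
    impression, status = None, PERM_DENIED
    for g, control, module, args in parse_pam(text):
        if g != group:
            continue
        if control == "include":
            # Assumption modelled on the log in the message: this PAM does not
            # know 'include', adds a faulty module, and that module returns
            # "Module is unknown", which the undefined control treats as bad.
            retval, action = MODULE_UNKNOWN, "bad"
        else:
            if module == "pam_stack.so":  # the named service runs as one module
                svc = next(a[8:] for a in args if a.startswith("service="))
                retval = run_stack(files[svc], group, outcomes, files)
            else:
                retval = SUCCESS if outcomes.get(module, False) else AUTH_ERR
            action = CONTROLS[control][0 if retval == SUCCESS else 1]
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == SUCCESS):
                impression, status = "positive", retval
                if action == "done":
                    break        # sufficient: decided, rest of the stack skipped
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval
            if action == "die":
                break            # requisite: fail immediately
        # "ignore": this module's result does not affect the outcome
    return PERM_DENIED if impression is None else status

# The message's system-auth-winbind (module arguments trimmed; only pam_stack's
# service= argument matters to this model).
SYSTEM_AUTH_WINBIND = """\
auth     required   pam_securetty.so
auth     required   pam_nologin.so
auth     sufficient pam_winbind.so
auth     include    system-auth-use_first_pass
account  sufficient pam_winbind.so
account  include    system-auth
password sufficient pam_winbind.so
password include    system-auth-use_first_pass
session  required   pam_mkhomedir.so umask=0026
session  include    system-auth
"""

# The message's system-auth (trimmed), and a constructed stand-in for
# system-auth-use_first_pass, which the message does not show (assumption).
FILES = {"system-auth": """\
auth     required pam_tcb.so shadow fork
account  required pam_tcb.so shadow fork
session  required pam_tcb.so
session  required pam_limits.so
""", "system-auth-use_first_pass": """\
auth     required pam_tcb.so shadow fork use_first_pass
"""}

# Constructed outcomes: a domain account, and a local account typing a wrong
# password (pam_tcb.so stands for the local password check).
DOMAIN_USER = {"pam_securetty.so": True, "pam_nologin.so": True,
               "pam_winbind.so": True, "pam_mkhomedir.so": True,
               "pam_tcb.so": False, "pam_limits.so": True}
LOCAL_BAD_PASSWORD = dict(DOMAIN_USER, **{"pam_winbind.so": False})

def check(variant, group, who):
    """Result of one group of a system-auth-winbind variant for one scenario."""
    return run_stack(variant, group, who, FILES)
```

Run against the three variants, the model reproduces the log and shows what the workaround costs: as attached, `check(SYSTEM_AUTH_WINBIND, "session", DOMAIN_USER)` returns PAM_MODULE_UNKNOWN (the "Module is unknown" line) while auth already succeeded through the sufficient pam_winbind; with the includes commented out, session succeeds but `check(..., "auth", LOCAL_BAD_PASSWORD)` also returns PAM_SUCCESS, because nothing is left in the group to fail once pam_winbind is ignored; with the includes rewritten to pam_stack, the wrong local password gets PAM_AUTH_ERR and domain logins are unchanged.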