RE: Windows Domain Authentication
> > Is anybody using the Windows Domain Authentication for his Debian
> > Machine?
> >
> > I had it once working, but since I reinstalled the system, I can't get
> > it to work.
> > wbinfo -u
> > and
> > kinit <username>
> > works without errors, so I think krb5.conf and smb.conf are correct.
> >
> > However, I cannot login with the windows domain accounts, so I guess
> > pam.d must be misconfigured.
> > But I chose the same configuration as the last time:
> >
> > /etc/pam.d/common-account:
> > ----
> > account required /lib/security/pam_winbind.so
> > ----
> >
> > /etc/pam.d/common-auth
> > ----
> > auth sufficient pam_winbind.so
> > auth required pam_unix.so nullok_secure use_first_pass
> > ----
> >
> > /etc/pam.d/common-password
> > ----
> > password required pam_unix.so nullok obscure min=4 max=50 md5
> > ----
> >
> > /etc/pam.d/common-session
> > ----
> > session required pam_unix.so
> > session optional pam_mkhomedir.so umask=0077 skel=/etc/skel/
> > ----
> >
> > /etc/pam.d/login
> > ----
> > auth requisite pam_securetty.so
> >
> > auth requisite pam_nologin.so
> >
> > auth required pam_env.so
> >
> > @include common-auth
> > @include common-account
> > @include common-session
> >
> > session required pam_limits.so
> > session optional pam_lastlog.so
> > session optional pam_motd.so
> >
> > session optional pam_mail.so standard noenv
> > @include common-password
> > ----
> >
>
> What server OS? NT4? 2000? 2003?
>
> I have a debian X terminal server authenticating from an NT domain.
>
> Do you have the default domain for winbind set in smb.conf
> (iuse default domain) or are you remembering to enter your
> username as domain\username...?
The server OS is 2003.
I should be able to make an ssh session and local console login with
just the Windows Domain user name.
At least, that was possible with my old setup.
I did not even have to change /etc/pam.d/ssh, since it includes
common-auth, common-account and common-session.
I don't have an X-Server installed.
My smb.conf looks like this:
---
[global]
netbios name = bilinux2
#workgroup = WICRESOFT
realm = WICRESOFT.COM
security = ads
password server = ws-dc-01 ws-dc-02
encrypt passwords = yes
windind use default domain = yes
winbind separator = \\
idmap uid = 1000-2000
idmap gid = 1000-2000
winbind enum users = yes
winbind enum groups = yes
template homedir = home/winnt/%U
template shell = /bin/bash
[public]
path = /var/winnt
writeable = yes
locking = no
---
testparm complains, since it does not recognize the '\\' escaping, but
the last time I figured out that shared folders only work with this
separator.
I guess the configuration should be ok, since 'wbinfo -u' works.
/etc/nsswitch.conf looks like this:
---
passwd: compat winbind
group: compat winbind
shadow: compat winbind
hosts: files dns wins
networks: files dns
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
---
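
A small lint for the [global] section of an smb.conf, added here as an example (it is not part of the original message and not Samba code): it flags parameter names that are not in a known list and a `template homedir` that is not an absolute path. `NAMES`, `compact` and `lint_global` are hypothetical names, the known list covers only the parameters used in the config above, and the sample input is constructed from that config.

```python
import difflib

# Parameter names this check knows: only those the posted config uses, not
# Samba's full list (an assumption of this example).
NAMES = ["netbios name", "workgroup", "realm", "security", "password server",
         "encrypt passwords", "winbind use default domain", "winbind separator",
         "idmap uid", "idmap gid", "winbind enum users", "winbind enum groups",
         "template homedir", "template shell"]

def compact(name):
    # Samba ignores case and whitespace in parameter names.
    return "".join(name.lower().split())

KNOWN = {compact(n): n for n in NAMES}

# Constructed sample, modelled on the smb.conf in the message above.
SAMPLE = """\
[global]
realm = WICRESOFT.COM
security = ads
windind use default domain = yes
template homedir = home/winnt/%U
[public]
path = /var/winnt
"""

def lint_global(text):
    """Return (line_no, message) findings for the [global] section."""
    findings, section = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, value = (p.strip() for p in line.split("=", 1))
        key = compact(name)
        if key not in KNOWN:
            near = difflib.get_close_matches(key, list(KNOWN), n=1, cutoff=0.8)
            hint = f", closest known name: '{KNOWN[near[0]]}'" if near else ""
            findings.append((no, f"unknown parameter '{name}'{hint}"))
        elif key == "templatehomedir" and not value.startswith("/"):
            findings.append((no, f"template homedir '{value}' is not absolute"))
    return findings

print(lint_global(SAMPLE))
```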