Hi, seems we are sitting in the same boat....

> Hop,
>
> On Thu, 2003-12-11 at 11:33, Grosswiler Roger wrote:
>> Ho Mauri,
>>
>> That's what i got from Nalin from Redhat:
>>
>> To finish up, you'll need to make sure that the user has a home
>> directory for gdm, kdm, and the like, but logging in at the console
>> should work at this point, even if the user doesn't have a home
>> directory.
>>
>
> Actually this wasn't the reason. I did several things but the most
> important was to restart X and GDM. GDM now lets ntdomain-users to log
> in but gnome chokes completely (or orbit or gconfd or whatever). As the
> KDE works with ntdomain-users I'll let it be.
>
>> and that's how i tried to resolve this problem (but still not so far,
>> as i still cannot authenticate) so i hope this will work:
>> winbind separator = -
>> idmap uid = 20000-30000       -> do they have to match linux-users?
>> winbind gid = 20000-30000     -> do they have to match linux-groups?
>
> No, they don't have to match Linux-users or groups.

thx!

>
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind cache time = 10
>> template homedir = /user/%U   -> the homedir
>> template shell = /bin/bash    -> and a shell
>>
>> Do you know, have the idmap uid and winbind gid numbers to match the
>> linux-group numbers??
>>
>
> No.

thx!

>
>> i feel like the first rookie on this planet, as i still do not
>> understand why winbind has to run on clients too, if i tell fedora to
>> authenticate at MYDOMAIN at SERVER. i have activated this using
>> redhat-config-authentication and just checked Samba-Auth and entered
>> DOMAIN and SERVER.
>>
>
> What are you actually trying to do? Trying to make Linux-clients to
> authenticate from DOMAIN (that is what I'm trying to do)? Or trying to
> use smb shares from Linux clients on server that authenticates from
> DOMAIN or is a domain controller? In the latter case you do not need
> smb_auth or winbind. In the first case you need winbindd to fetch user
> data from the DOMAIN.
>

i am trying to a) authenticate against the DOMAIN, and searching for a
method not to use FSTAB to mount the smb-shares. I don't like having
user- and password-data in this file, not even with
smbclient-credentials...

>
>> btw, if i just enter the winbind.so after the pam-unix.so in system-auth
>> and just add use_first_pass on pam-unix.so i get funny messages in the
>> log:
>> Dec 11 10:24:22 morpheus sshd(pam_unix)[26344]: check pass; user unknown
>> Dec 11 10:24:22 morpheus pam_winbind[26344]: request failed: Unexpected information received, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
>> Dec 11 10:24:22 morpheus pam_winbind[26344]: internal module error (retval = 4, user = `NOUSER'
>
> Somehow what winbindd tried to use as a user became null or garbled so
> no username was sent.
>
>> Dec 11 10:24:26 morpheus sshd(pam_unix)[26344]: check pass; user unknown
>
> Your Linux client doesn't know that user so it fails..
>
>> Dec 11 10:24:26 morpheus pam_winbind[26344]: request failed: Unexpected information received, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
>> Dec 11 10:24:26 morpheus pam_winbind[26344]: internal module error (retval = 4, user = `NOUSER'
>> Dec 11 10:24:28 morpheus sshd(pam_unix)[26344]: 2 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=trinity
>>
>> if there is NOUSER i tried to authenticate with GWCH-roger (via ssh....)
>>
>> and here if i login without indication of the domain...
>>
>> Dec 11 10:25:03 morpheus su(pam_unix)[26393]: authentication failure; logname=roger uid=500 euid=0 tty= ruser=roger rhost= user=root
>> Dec 11 10:25:06 morpheus pam_winbind[26393]: request failed: Unexpected information received, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
>
> What I now have in System-Auth:
> auth        required      /lib/security/$ISA/pam_env.so
> auth        sufficient    /lib/security/$ISA/pam_winbind.so

this is also alright for me!

> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
> auth        required      /lib/security/$ISA/pam_deny.so
> #account    required      /lib/security/$ISA/pam_unix.so
> account     required      /lib/security/$ISA/pam_winbind.so

i haven't entered this! what is it for?? he's looking for an existing
account??

> password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
> password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow use_first_pass
> password    required      /lib/security/$ISA/pam_deny.so
> session     required      /lib/security/$ISA/pam_limits.so
> session     required      /lib/security/$ISA/pam_unix.so
>
> And in smb.conf concerning winbindd:
>
> workgroup = NTDOMAIN1
> security = DOMAIN
> update encrypted = Yes
> obey pam restrictions = Yes
> password server = NALLE
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> template shell = /bin/bash
> winbind separator = +
>
> Other relevant options are as defaults.
>
> I'm rather sure that this is not the right way to do it especially
> concerning the pam configuration but this seems to work somehow except
> the gnome.
> --
> Mauri "mos" Sahlberg    Pretax Systems Oy    +358 207 44 2228
> Technology Evangelist   Pääskylänrinne 8     +358 207 44 2201
> Bsc Computer Science    FIN-00500 Helsinki   www.pretax.net
> Development Manager     Finland
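
Added example, not part of the original thread: a small Python evaluator that applies PAM's `required`/`requisite`/`sufficient` control-flag rules to the `auth` and `account` lines of the system-auth file quoted above. The module results fed to it are constructed inputs and `parse_stack`/`evaluate` are names chosen here; it shows that a successful `pam_winbind.so` ends the auth stack before `pam_unix.so` is consulted, and that with `pam_unix.so` commented out the account stack rests on `pam_winbind.so` alone.

```python
# Added example: evaluate the quoted system-auth stack under PAM control-flag rules.
# Module outcomes passed to evaluate() are constructed inputs, not real module calls.

SYSTEM_AUTH = """\
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_winbind.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
#account    required      /lib/security/$ISA/pam_unix.so
account     required      /lib/security/$ISA/pam_winbind.so
"""

def parse_stack(text, mgmt_type):
    """Return [(control, module, args)] for one management group, skipping comments."""
    stack = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == mgmt_type:
            stack.append((fields[1], fields[2].rsplit("/", 1)[-1], fields[3:]))
    return stack

def evaluate(stack, outcomes):
    """Apply required/requisite/sufficient rules.

    outcomes maps module name -> True (success) or False (failure).
    Returns (granted, deciding_module, modules_consulted).
    """
    first_required_failure = None
    consulted = []
    for control, module, _args in stack:
        ok = outcomes[module]
        consulted.append(module)
        if ok:
            if control == "sufficient" and first_required_failure is None:
                return True, module, consulted       # short-circuit: rest is skipped
        elif control == "requisite":
            return False, first_required_failure or module, consulted
        elif control == "required" and first_required_failure is None:
            first_required_failure = module           # remembered, stack continues
        # a failing "sufficient" or "optional" module is simply ignored
    return first_required_failure is None, first_required_failure, consulted

AUTH = parse_stack(SYSTEM_AUTH, "auth")
ACCOUNT = parse_stack(SYSTEM_AUTH, "account")

if __name__ == "__main__":
    base = {"pam_env.so": True, "pam_deny.so": False}
    for label, wb, ux in [("domain user", True, False), ("local user", False, True),
                          ("unknown user", False, False)]:
        print(label, evaluate(AUTH, {**base, "pam_winbind.so": wb, "pam_unix.so": ux}))
    print("account stack:", [m for _c, m, _a in ACCOUNT])
```
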