Adding pam_winbind.so to your server's PAM configuration will result in a tighter integration of your server with the rest of the domain. Your network users will authenticate with the same domain account and get the same home directory on the server, regardless of how they access the server (examples: local console login, ssh, ftp, etc.).
It is assumed that the system administrator is already familiar with editing PAM configuration files and understands which other types of user information and authentication sources the server's authentication configuration needs for the environment it operates in. The example provided is based on a system which uses only local accounts and Winbind-enumerated domain accounts for both user information and user authentication.
This procedure involves manual editing of the /etc/pam.d/system-auth file, the server's main PAM authentication configuration file. You should make a backup copy of your existing /etc/pam.d/system-auth file before making any changes and keep an extra root login session open to the server in case you have to revert to the previous system-auth file because of a typographical error or invalid configuration. Also, keep in mind that manual edits to system-auth will probably be lost if authentication configuration utilities such as authconfig are run later, so you should also make a backup copy of the edited system-auth file after editing it and testing for proper function.
Generally speaking, if a server uses the winbind service to enumerate domain users and groups and uses pam_winbind.so to allow the system to authenticate domain users, the server should not have other user information or authentication sources (Kerberos, LDAP) enabled in authconfig which refer to the same domain users. In other words, for example, do not configure your server to use Winbind and LDAP to both point to the same users in the same Active Directory.
It is also assumed that the winbind service is already properly configured and working on the server. Other Red Hat Knowledgebase articles contain details on how to configure winbind.
It is also assumed that the domain user's home directory has already been created on the system in the correct location, because winbind cannot create home directories. The correct location for any given user's home directory is governed by the macro-expanded value for the template homedir statement in /etc/samba/smb.conf.
The following is a working example of an /etc/pam.d/system-auth file which will allow domain users to log in on the server using any service which uses PAM's system-auth configuration file:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account     required      /lib/security/$ISA/pam_permit.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_winbind.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
Note that some releases of Red Hat Enterprise Linux have slightly different contents in /etc/pam.d/system-auth. The point of the example above is to show known-working syntax for adding pam_winbind.so to the system-auth file.
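The following script is an added example and is not part of the Red Hat article or of Samba; it collects the pre-flight checks an administrator would want around the procedure above: backing up system-auth before editing, confirming that the pam_winbind.so auth and account lines are present afterwards, and expanding the template homedir value from smb.conf (only the %D and %U macros are handled) to verify that the domain user's home directory already exists. The sample system-auth contents, the template homedir value and the DOMAIN+testuser account used in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the Red Hat article: pre-flight checks for the
# pam_winbind.so setup described above.  File paths and sample contents used
# in the demo at the bottom are constructed for illustration.

# Expand the "template homedir" macros that decide where winbind expects a
# domain user's home directory: %D -> short domain name, %U -> user name.
# (Only these two macros are handled; smb.conf supports others.)
winbind_homedir() {
    # $1 = template homedir value from smb.conf, $2 = DOMAIN, $3 = username
    printf '%s\n' "$1" | sed -e "s|%D|$2|g" -e "s|%U|$3|g"
}

# Return 0 if a system-auth style file already carries the two pam_winbind.so
# lines the article's example depends on: the "auth sufficient ... use_first_pass"
# line and an "account" line.  Everything else is left for the admin to review.
pam_has_winbind() {
    # $1 = path to a PAM configuration file
    grep -Eq '^auth[[:space:]]+sufficient[[:space:]]+[^[:space:]]*pam_winbind\.so.*use_first_pass' "$1" &&
    grep -Eq '^account[[:space:]].*pam_winbind\.so' "$1"
}

# Return 0 if the expanded home directory exists, 1 otherwise (the situation
# that produces the "No directory ... Logging in with home = /" login shown
# in the article).
homedir_ready() {
    # $1 = template homedir, $2 = DOMAIN, $3 = username
    [ -d "$(winbind_homedir "$1" "$2" "$3")" ]
}

# Make a timestamped backup of a PAM file before editing it and print the
# backup path.  The original file is left untouched.
backup_pam_file() {
    # $1 = path to the file (normally /etc/pam.d/system-auth)
    bak="$1.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$1" "$bak" && printf '%s\n' "$bak"
}

# --- demo with constructed files (drop this to use the functions on a real host) ---
demo_pam_winbind() {
    tmp=$(mktemp -d) || return 1
    # Constructed sample: the auth and account stanzas of the article's
    # working system-auth, without the comment header.
    cat >"$tmp/system-auth" <<'EOF'
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account     required      /lib/security/$ISA/pam_permit.so
EOF
    echo "backup written to: $(backup_pam_file "$tmp/system-auth")"
    if pam_has_winbind "$tmp/system-auth"; then
        echo "system-auth: pam_winbind.so auth and account lines present"
    else
        echo "system-auth: pam_winbind.so lines missing"
    fi
    # Constructed smb.conf value and user; the home directory is deliberately absent.
    home=$(winbind_homedir '/homes/%D/%U' DOMAIN testuser)
    if homedir_ready '/homes/%D/%U' DOMAIN testuser; then
        echo "home directory $home exists"
    else
        echo "home directory $home missing: create it before the user logs in"
    fi
    rm -rf "$tmp"
}

demo_pam_winbind
```

On a real server the functions would be called with /etc/pam.d/system-auth and the template homedir value taken from /etc/samba/smb.conf; the demo only exercises them against files created in a temporary directory so that it runs without winbind or a domain.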
With this configuration in place, the proper format of the username is DOMAIN+username: the short domain name (i.e., not the full Active Directory realm name, if the DC is Windows 2000 or 2003), followed by the winbind separator character, followed by the username. Users must supply their username in this format for all PAM-based logins to the server.
When the changes are completed and saved, you should be able to log in to the server using the domain user account (in the format described above):
Red Hat Enterprise Linux AS release 3 (Taroon Update 4)
Kernel 2.4.21-27.0.2.ELsmp on an i686

samba1 login: DOMAIN+testuser
Password:
Last login: Thu Apr 7 12:47:43 on tty1
[DOMAIN+testuser@samba1 testuser]$
Note: You will see something like this instead if the user's home directory has not been created, or was created in the wrong location:
Red Hat Enterprise Linux AS release 3 (Taroon Update 4)
Kernel 2.4.21-27.0.2.ELsmp on an i686

samba1 login: DOMAIN+testuser
Password:
Last login: Thu Apr 7 12:47:43 on tty1
No directory /homes/DOMAIN/testuser!
Logging in with home = "/".
-bash-2.05b$
To provide another example, the domain account can now also be used for FTP access to the server:
$ ftp samba1
Connected to samba1.smbtest.bogus.
220 (vsFTPd 1.2.1)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (samba1:testuser): DOMAIN+testuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
For more information regarding Winbind configuration, we would recommend the following sources of information: