[Samba] Authenticating against linux before windows - Samba


  1. [Samba] Authenticating against linux before windows

    We have a samba server running on linux with winbindd. We want the
    linux passwd file to be consulted first, and then if it fails, continue on
    to use winbind. I did not set this up, and I've never administrated a
    samba server before. I have read the O'Reilly Using Samba book,
    and looking at the config files I believe it is set up to get the
    desired behavior.

    /etc/nsswitch.conf has:

    passwd: files winbind
    shadow: files winbind
    group: files winbind

    /etc/pam.d/system-auth has:

    auth required /lib/security/pam_env.so
    auth sufficient /lib/security/pam_unix.so likeauth nullok
    auth sufficient /lib/security/pam_winbind.so use_first_pass
    auth required /lib/security/pam_deny.so

    account required /lib/security/pam_unix.so broken_shadow
    account sufficient /lib/security/pam_localuser.so
    account sufficient /lib/security/pam_succeed_if.so uid < 100 quiet
    account [default=bad success=ok user_unknown=ignore] /lib/security/pam_winbind.so
    account required /lib/security/pam_permit.so

    password requisite /lib/security/pam_cracklib.so retry=3
    password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
    password sufficient /lib/security/pam_winbind.so use_authtok
    password required /lib/security/pam_deny.so

    session optional /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022
    session required /lib/security//pam_limits.so
    session required /lib/security/pam_unix.so

    However, every time a user who exists only on the linux side authenticates I
    see a message like this in winbindd.log:

    [2007/04/02 17:18:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
    user 'XXXX' does not exist

    This makes me think that it's authenticating using winbind first.

    So my questions are:

    1) Am I correct that the log messages I see mean that it's authenticating
    using winbind first?

    2) If so, how do I make it use the linux files before winbind?

    3) If not, why do I get those messages, and what does that mean?

    TIA!
    -larry
    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba

  2. Re: [Samba] Authenticating against linux before windows

    On Mon, 2007-04-02 at 17:24 -0600, Larry Martell wrote:
    > So my questions are:
    >
    > 1) Am I correct that the log messages I see mean that it's authenticating
    > using winbind first?

    No.

    > 2) If so, how do I make it use the linux files before winbind?

    NA

    > 3) If not, why do I get those messages, and what does that mean?

    Enumeration of groups in nsswitch, nothing you have to worry about, but you
    could set the log level to 0 so that you don't get these messages.

    Simo.

    --
    Simo Sorce
    Samba Team GPL Compliance Officer
    email: idra@samba.org
    http://samba.org


  3. Re: [Samba] Authenticating against linux before windows

    On 4/2/07, simo wrote:
    > On Mon, 2007-04-02 at 17:24 -0600, Larry Martell wrote:
    > > So my questions are:
    > >
    > > 1) Am I correct that the log messages I see mean that it's authenticating
    > > using winbind first?
    >
    > No.
    >
    > > 2) If so, how do I make it use the linux files before winbind?
    >
    > NA
    >
    > > 3) If not, why do I get those messages, and what does that mean?
    >
    > Enumeration of groups in nsswitch, nothing you have to worry about, but you
    > could set the log level to 0 so that you don't get these messages.

    Thanks for the reply. What exactly does 'Enumeration of groups' mean in this
    context? Why does nsswitch check for groups on winbind when a user is
    successfully authenticated against the linux passwd file first?

    Thanks!
    -larry
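
The behaviour discussed in this thread, as an added example that is not part of any poster's message or of Samba's code: a simplified model of the PAM control flags (required, requisite, sufficient) run over the `auth` lines quoted in the first post, showing that pam_winbind is never called once pam_unix accepts a local user. It also lists the sources on the `group:` line, on the assumption that the C library's supplementary-group lookup queries each listed source in turn instead of stopping at `files`, which would account for a winbindd_getgroups log entry for a local-only user.

```python
# Configuration lines constructed from the files quoted in the first post.
AUTH_STACK = """\
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_winbind.so use_first_pass
auth required /lib/security/pam_deny.so
"""
NSSWITCH = """\
passwd: files winbind
shadow: files winbind
group: files winbind
"""

def parse_stack(text, facility="auth"):
    """Return [(control, module_basename)] for one PAM facility."""
    stack = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == facility:
            stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack

def run_stack(stack, outcomes):
    """Simplified control-flag model: returns (granted, modules_called)."""
    called, required_failed = [], False
    for control, module in stack:
        called.append(module)
        ok = outcomes.get(module, False)   # modules not listed are treated as failing
        if control == "sufficient" and ok and not required_failed:
            return True, called            # success here ends the stack
        if control == "requisite" and not ok:
            return False, called           # failure here ends the stack
        if control == "required" and not ok:
            required_failed = True         # remembered, stack keeps running
    return not required_failed, called

def nss_sources(text, database):
    """Sources for one nsswitch.conf database, in lookup order.
    Assumption: for 'group', membership lookup walks all of them."""
    for line in text.splitlines():
        name, _, rest = line.partition(":")
        if name.strip() == database:
            return rest.split()
    return []

if __name__ == "__main__":
    stack = parse_stack(AUTH_STACK)
    print("local user :", run_stack(stack, {"pam_env.so": True, "pam_unix.so": True}))
    print("domain user:", run_stack(stack, {"pam_env.so": True, "pam_winbind.so": True}))
    print("group sources consulted:", nss_sources(NSSWITCH, "group"))
```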