Someone on the pam mailing list suggested I try my
question here.

In our pam.d/imap we have:

account required pam_permit.so
auth sufficient pam_winbind.so try_first_pass

Authentication for imap works fine with this.

If we switch to:

account sufficient pam_winbind.so

for the first line, then logins using their AD password fail.

We also have a non-AD ldap authentication server,
and have found that these lines work fine for ldap
(no pam_permit):

account sufficient pam_ldap.so
auth sufficient pam_ldap.so try_first_pass

We would like to implement a pam_groupdn within ldap,
and so that would require using account on both:

account sufficient pam_winbind.so
account sufficient pam_ldap.so

However, we can't use the above with pam_winbind failing.

ssh uses /etc/pam.d/system-auth in Redhat, and Redhat has this
account related clump:

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so

ssh logins using winbind authentication are working well with the
above account clump in place.

Perhaps I don't understand the meaning of the account section. Wouldn't
the above always succeed due to the pam_permit line?

We are at samba-client-3.0.25b, pam-0.99.6.2-3.26 and
pam_smb-1.1.7-7.2.1

--Donald
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
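A toy evaluator of the PAM control flags used in the stacks above (an added example for this thread, not code from the post or from Linux-PAM). It walks the quoted Red Hat account clump with constructed module results: when pam_winbind reports anything other than success or user_unknown, the [default=bad ...] action records that failure first and the trailing "account required pam_permit.so" cannot override it, so the clump does not always succeed; and a lone "account sufficient" line whose module does not return success leaves the stack undecided, which PAM reports as permission denied. The return codes in AD_USER and AD_USER_EXPIRED are made up for the demonstration.

```python
# Toy model of how Linux-PAM walks an account stack: an added example for this thread, not
# code from the post or from Linux-PAM. Module results are constructed so it runs offline;
# the ok/done/bad/die/ignore rules follow the pam.conf(5) description.
KEYWORDS = {  # the two keyword controls used in the post, as their bracket equivalents
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
}

def parse_control(control):
    """'required' or '[default=bad success=ok user_unknown=ignore]' -> {retval: action}."""
    if control.startswith("["):
        return dict(kv.split("=") for kv in control.strip("[]").split())
    return KEYWORDS[control]

def run_stack(stack, results):
    """stack: [(control, module)]; results: module -> simulated return code (default success)."""
    impression, status = None, None  # None models _PAM_UNDEF: nothing decided yet
    for control, module in stack:
        retval = results.get(module, "success")
        actions = parse_control(control)
        action = actions.get(retval, actions.get("default", "bad"))
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", retval  # a success never overrides a failure
            if impression == "positive" and action == "done":
                break  # 'sufficient' returns early only if nothing has failed yet
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval  # the first failure sticks
            if action == "die":
                break
        # "ignore": this module contributes nothing to the verdict
    if impression is None or status == "ignore":
        return "perm_denied"  # no module decided: PAM_MUST_FAIL_CODE
    return status

REDHAT_ACCOUNT = [  # the Red Hat system-auth account clump quoted in the post
    ("required", "pam_unix.so"),
    ("sufficient", "pam_localuser.so"),
    ("sufficient", "pam_succeed_if.so"),
    ("[default=bad success=ok user_unknown=ignore]", "pam_ldap.so"),
    ("[default=bad success=ok user_unknown=ignore]", "pam_krb5.so"),
    ("[default=bad success=ok user_unknown=ignore]", "pam_winbind.so"),
    ("required", "pam_permit.so"),
]
# Constructed outcomes for an AD user: not local, unknown to ldap/krb5, known only to winbind
AD_USER = {"pam_localuser.so": "perm_denied", "pam_succeed_if.so": "auth_err",
           "pam_ldap.so": "user_unknown", "pam_krb5.so": "user_unknown"}
AD_USER_EXPIRED = dict(AD_USER, **{"pam_winbind.so": "acct_expired"})
```

run_stack(REDHAT_ACCOUNT, AD_USER) yields success, run_stack(REDHAT_ACCOUNT, AD_USER_EXPIRED) yields acct_expired despite pam_permit, and a stack of just ("sufficient", "pam_winbind.so") yields perm_denied for the expired case.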