Winbind package does not provide PAM configuration

Bug #282751 reported by Jelmer Jaarsma
This bug affects 3 people
Affects: samba (Debian); Status: Fix Released; Importance: Unknown
Affects: samba (Ubuntu); Status: Fix Released; Importance: Wishlist; Assigned to: Unassigned
Declined for Karmic by Mathias Gug

Bug Description

Binary package hint: winbind

The package winbind does not provide a configuration file for pam-auth-update. I would love to see it added for Intrepid.
Personally I adapted the config file provided by likewise-open for Samba and it seems to work perfectly.

Tags: patch

Chuck Short (zulcss) wrote :

Thanks, we will take a look at this for Jaunty.

Regards
chuck

Changed in samba:
importance: Undecided → Wishlist
status: New → Triaged
Edgar Holleis (nospam-indoktrination) wrote :

Adapted from krb5

Alex Mauer (hawke)
tags: added: patch
dx9s (dx9s) wrote :

I tried that file (winbind) that Edgar provided in the /usr/share/pam-configs and it re-wrote the /etc/pam.d/ files -- I have yet to test login to the console from the Windows AD.

dx9s (dx9s) wrote :

Was able to log in to machine (console and ssh) using AD creds...

Now if I can figure out the strange things in the log file ... (doesn't show on other server with slightly older samba but very similar configuration)

Jerome Haltom (wasabi) wrote :

Edgar,

My opinion is that pam_unix should be tried before pam_winbind. Sending your root password to Active Directory is Not a good idea.

The same applies to pam-krb5 if it does that.

Vadim (vadikgo) wrote :

This is successfully tested /usr/share/pam-configs/winbind from http://ubuntuforums.org/showthread.php?t=1184605:

Name: Winbind authentication
Default: yes
Priority: 255
Auth-Type: Primary
Auth:
 [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE try_first_pass
Auth-Initial:
 [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE
Account-Type: Primary
Account:
 [success=end new_authtok_reqd=done default=ignore] pam_winbind.so
Account-Initial:
 [success=end new_authtok_reqd=done default=ignore] pam_winbind.so
Session-Type: Additional
Session:
 required pam_mkhomedir.so umask=0022 skel=/etc/skel
Session-Initial:
 required pam_mkhomedir.so umask=0022 skel=/etc/skel

Drew Scott Daniels (drewdaniels) wrote :

Debian bug:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566890

Since it's not the Samba project, I don't know how to link to this bug.

An alternate, but similar pam-config is discussed at:
http://mattonrails.wordpress.com/2008/10/27/vpc-ubuntu-810-beta-and-active-directory/

Name: Active Directory via Winbind
Default: yes
Priority: 500
Auth-Type: Primary
Auth:
        [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE try_first_pass
Auth-Initial:
        [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE
Account-Type: Primary
Account:
        [success=end default=ignore] pam_winbind.so
Session-Type: Additional
Session:
        required pam_mkhomedir.so umask=0022 skel=/etc/skel

     Drew Daniels
Resume: http://www.boxheap.net/~ddaniels/resume.html
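
The ordering concern raised earlier in this report (pam_unix should be tried before pam_winbind) can be checked against the two posted profiles. This is an added example, not code from any commenter or from the samba packaging; it assumes pam-auth-update lays out Primary blocks in descending Priority order and that the stock unix profile uses Priority 256, and the names `parse_profile`, `auth_stack` and `modules_before_unix` are hypothetical.

```python
# Added illustration: lay out the auth stack the way pam-auth-update would.
# Assumption: Primary blocks are ordered by Priority, highest first.
UNIX = """\
Name: Unix authentication
Priority: 256
Auth-Type: Primary
Auth:
 [success=end default=ignore] pam_unix.so nullok_secure try_first_pass
Auth-Initial:
 [success=end default=ignore] pam_unix.so nullok_secure
"""  # constructed stand-in for the stock unix profile (Priority 256 assumed)
WINBIND_255 = """\
Name: Winbind authentication
Priority: 255
Auth-Type: Primary
Auth:
 [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE try_first_pass
Auth-Initial:
 [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE
"""  # auth fields of the Priority 255 profile posted in this report
# The Priority 500 profile posted in this report has identical Auth lines.
WINBIND_500 = WINBIND_255.replace("Priority: 255", "Priority: 500")

def parse_profile(text):
    """Parse 'Key: value' fields; indented lines continue the previous key."""
    fields, key = {}, None
    for line in filter(str.strip, text.splitlines()):
        if line[0] in " \t" and key is not None:
            fields[key].append(line.strip())
        else:
            key, _, value = (part.strip() for part in line.partition(":"))
            fields[key] = [value] if value else []
    return fields

def auth_stack(*profiles):
    """Auth lines in stack order: first block uses Auth-Initial, the rest Auth."""
    primary = [p for p in map(parse_profile, profiles) if p.get("Auth-Type") == ["Primary"]]
    primary.sort(key=lambda p: int(p["Priority"][0]), reverse=True)
    stack = []
    for i, p in enumerate(primary):
        stack.extend(p.get("Auth-Initial" if i == 0 else "Auth", []))
    return stack

def modules_before_unix(*profiles):
    """Modules that are handed the typed password before pam_unix is tried."""
    mods = [next(t for t in line.split() if t.endswith(".so")) for line in auth_stack(*profiles)]
    return mods[:mods.index("pam_unix.so")] if "pam_unix.so" in mods else mods

if __name__ == "__main__":
    print(modules_before_unix(UNIX, WINBIND_255), modules_before_unix(UNIX, WINBIND_500))
```

Under these assumptions the Priority 255 profile leaves pam_unix first in the stack, while the Priority 500 profile puts pam_winbind ahead of it, so a local account's password is offered to winbind before the local check.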

Timo Aaltonen (tjaalton) wrote :

Fixed in Debian, please merge 3.4.7 from testing/unstable.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:3.4.7~dfsg-1ubuntu1

---------------
samba (2:3.4.7~dfsg-1ubuntu1) lucid; urgency=low

  * Merge from debian testing. Remaining changes:
    + debian/patches/VERSION.patch:
      - set SAMBA_VERSION_SUFFIX to Ubuntu.
    + debian/smb.conf:
      - Add "(Samba, Ubuntu)" to server string.
      - Comment out the default [homes] share, and add a comment about "valid users = %s"
        to show users how to restrict access to \\server\username to only username.
      - Set 'usershare allow guests', so that usershare admins are allowed to create
        public shares in addition to authenticated ones.
      - add map to guest = Bad user, maps bad username to guest access.
    + debian/samba-common.conf:
      - Do not change priority to high if dhclient3 is installed.
      - Use priority medium instead of high for the workgroup question.
    + debian/mksambapasswd.awk:
      - Do not add user with UID less than 1000 to smbpasswd.
    + debian/control:
      - Make libswbclient0 replace/conflict with hardy's likewise-open.
      - Don't build against ctdb, since it's not in main yet.
    + debian/rules:
      - Enable "native" PIE hardening.
      - Add BIND_NOW to maximize benefit of RELRO hardening.
    + Add ufw integration:
      - Created debian/samba.ufw.profile.
      - debian/rules, debian/samba.dirs, debian/samba.files: install
    + Add apport hook:
      - Created debian/source_samba.py.
      - debian/rules, debian/samba.dirs, debian/samba-common-bin.files: install
    + debian/control: Recommend keyutils for smbfs (LP: #493565)
    + debian/patches/ubuntu-gecos-fix.patch: Fix gecos parsing backported from Samba 3.5.x (LP: #182572)
    + debian/samba.postinst: Avoid scary pdbedit warnings on first import. (LP: #24741)
    + debian/samba.logrotate: Make it upstart compatible (LP: #529290)
    + debian/samba-common.dhcp: Fix typo to get a proper parsing in /etc/samba/dhcp. (LP: #507374)
    + Dropped:
      debian/patches/debian/patches/security-CVE-2010-0728.patch: Included upstream.

samba (2:3.4.7~dfsg-1) unstable; urgency=low

  [ Steve Langasek ]
  * Add a PAM profile for pam_winbind. Closes: #566890, LP: #282751.
  * Add the correct versioned build dependency on libtalloc-dev as
    we need 2.0.1 to build samba. Closes: #572603
  * Add avr32 to arches with a build dependency on ctdb. Closes: #572126

  [ Christian Perrier ]
  * New upstream release. Security fix: all smbd processes inherited
    CAP_DAC_OVERRIDE capabilities, allowing all file system access to be
    allowed even when permissions should have denied access.
 -- Chuck Short <email address hidden> Fri, 19 Mar 2010 21:17:40 +0000

Changed in samba (Ubuntu):
status: Triaged → Fix Released
Changed in samba (Debian):
status: Unknown → Fix Released