pam/winbind user not found problem

Les Mikesell les at futuresource.com
Thu Jul 16 21:24:52 UTC 2009 

RB wrote:
>
>> This isn't strictly a PAM issue, but rather with the default RHEL5.x
>> configuration (and Centos, and probably fedora).  Does anyone know what they
>> were thinking?
> 
> Ostensibly, they were trying to authenticate system users without
> passing said users' credentials on to winbind.  Whether intentional or
> not, it seems they assumed users would have a UID that could be
> resolved by pam_unix.  That's often the case, but with proper
> enterprise-level user management (no local accounts) the assumption
> breaks.
> 
>> Should most pam auth modules know anything about uid's?
> 
> By all means - auth is probably the most important place for UIDs/GIDs
> to be known.

What's supposed to happen with pam_smb_auth?

>> I thought that was account info.  If the idea is to keep the 'system' accounts
>> (below 500 by convention)in the passwd file, is there a better way to do it?
> 
> Probably should have used something to this effect instead of 'requisite':
> 
> [success=ok new_authtok_reqd=ok ignore=ignore default=die user_unknown=ignore]
> 
> Which is, of course, according to pam.conf(5) the same as 'requisite'
> with the added control of ignoring unknown users.  Allows the stack to
> shortcut if it's a system user with bad credentials but still passes
> completely unresolved credentials on.

I have several Linux systems where I use pam_smb and local auth so 
people in the windows domain don't need to manage a separate password. 
Some of these have web services that don't require a local account and 
the login and password should work for either local linux users or 
windows domain users.   Some have local accounts for people who actually 
log in.  Is there a better way to handle this?  I'd like:
  (A) to not require the Linux boxes to join the windows domain.
  (B) to be able to add users that don't exist in the windows domain.
which I have now, but I'd also like:
  (C) common uid/gid's across linux machines for both domain and 
non-domain users and
  (D) central password management for my non-domain users
  (E) the ability for apps like subversion and apache to access the same 
authentication, seeing both domain and non-domain logins.

-- 
   Les Mikesell
    lesmikesell at gmail.com

More information about the Pam-list mailing list