Hi,<br><br>Thanks for this suggestion. I still don't understand why passwd and<br>useradd work OK on RHEL 5 while winbind is set up for passwd<br>in nsswitch.conf . Odd. Anyway, keeping it to just "files" works fine
<br>for AD based authentication, so that's great.<br><br>I might consider your method down the road when we have a larger<br>implementation of users to handle.<br><br>Regards,<br><br>--Donald<br><br><div class="gmail_quote">
On Jan 8, 2008 10:58 AM, <<a href="mailto:Jonathan.Detert@msoe.edu">Jonathan.Detert@msoe.edu</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
* D G Teed <<a href="mailto:donald.teed@gmail.com">donald.teed@gmail.com</a>> [080108 07:43]:<br><div class="Ih2E3d">> On RHEL 4, I have configured authentication for ssh access<br>> via Active Directory authentication, using the
<br>> system-config-authentication<br>> GUI. Users can login OK with either local authentication or AD<br>> authentication.<br>><br>> However, two system commands are misbehaving. useradd refuses to
<br>> add someone to the system if they are found in AD. The error<br>> is simply in the form of "useradd: user john exists". I've heard<br><br></div>I use MsA.D. for user auth and account info on Debian systems via pam.
<br><br>My guess is that you have more than one source listed in<br>/etc/nsswitch.conf for the 'passwd:' name type, and that one of them<br>indicates MsA.D. (probably 'ldap' or 'winbind').<br><br>If you want to use MsAD solely for auth -
i.e. not for anything else in<br>the traditional passwd(5) entry (e.g. uid, gid, login shell, home dir),<br>then remove the source in /etc/nsswitch.conf for the passwd: name type<br>that uses MsAD.<br><br>That would allow you to useradd and passwd to your heart's content, and
<br>only operate on the values in your local /etc/passwd file. The only way<br>you'd then use msad would be this:<br><br> if the username in /etc/passwd also existed in msad, you'd do<br> your auth against msad instead of /etc/shadow. The value in
<br> /etc/shadow would be immaterial (but shouldn't be null).<br><br>You may have to modify /etc/pam.d/common-account to not use msad as well<br>- I'm not sure.<br><br>What I do, which you might be interested in, is to use msad for both
<br>auth and passwd(5) info (uid, gid, login-shell, home dir). Note that<br>this does require you to 'extend' your msad schema to include those<br>posix login attributes (but ms provides this kind of extension as a free
<br>option). The beauty of this is that combined w. pam_mkhomedir,<br>pam_winbind, and pam_winbind's 'require_membership' attribute, you can<br>use msad group membership to govern access to your linux server. All
<br>you have to do is put the msad user in the appropriate msad group, and<br>automatically, they have access to your linux server. No useradd. No<br>setting the passwd. Nothing. Just put them in the msad group.<br><br>
Likewise, to revoke a user's access to your server, just remove the<br>luser's msad account from the msad group.<br><div class="Ih2E3d"><br>> the passwd command may also be trying to update the password<br>> on AD rather than local.
<br>><br>> We can work around the problem by running the GUI system-config-users<br>> - this works fine to create new users or set the local password.<br>> So I wonder if pam settings for the system-config-users
<br>> GUI are somehow giving us local target for the user creation commands.<br>> Running strings on the useradd command I don't find any pam reference.<br>> There is no pam.d entry for the useradd command as a file named useradd.
<br>><br>> Our intentions are to use AD to authenticate only, not to allow users to<br>> manage<br>> their password or anything about their AD account from the Linux host.<br>><br>> Can anyone give a hint about what we should adjust to point useradd
<br>> and passwd commands to local mechanisms?<br></div>--<br>Jon Detert<br>IT Systems Administrator, Milwaukee School of Engineering<br>1025 N. Broadway, Milwaukee, Wisconsin 53202, U.S.A.<br><font color="#888888">
--<br>"Most of the trouble in the world is caused by people wanting to be important."<br>~ T.S. Eliot<br><br>_______________________________________________<br>Pam-list mailing list<br><a href="mailto:Pam-list@redhat.com">
Pam-list@redhat.com</a><br><a href="https://www.redhat.com/mailman/listinfo/pam-list" target="_blank">https://www.redhat.com/mailman/listinfo/pam-list</a><br></font></blockquote></div><br>
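The thread's diagnosis hinges on which sources /etc/nsswitch.conf lists for the passwd: (and group:) database: as long as a directory-backed module such as winbind or ldap is in the chain, useradd and passwd resolve AD accounts as already existing. The Python below is an added example, not code posted by either participant; it parses nsswitch.conf syntax (comments, bracketed action specifiers like [NOTFOUND=return]), reports which databases consult a directory source, and renders the "files only" variant Jon recommends for the auth-only setup. The sample configuration is constructed to mirror the situation described, not taken from a real host, and sss is included in the directory-source set only as the modern equivalent of the modules named in the thread.

```python
"""Audit which nsswitch.conf databases consult a directory source.

Added example, not from the Pam-list thread. Shows why useradd/passwd see
AD accounts when 'winbind' or 'ldap' follows 'files' for passwd:, and
produces the local-only configuration the thread recommends for
auth-only use of AD.
"""
import re

# NSS modules that expose directory accounts to passwd(5)-style lookups.
# winbind and ldap are the ones named in the thread; sss is the modern
# equivalent and is included here as an assumption about newer hosts.
DIRECTORY_SOURCES = {"winbind", "ldap", "sss"}

# Constructed sample modelled on the setup in the thread (passwd consults
# winbind after files). Not a real host's file.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:     files winbind
shadow:     files
group:      files winbind [NOTFOUND=return]
hosts:      files dns
"""

# Bracketed action specifiers, e.g. [NOTFOUND=return] or [ SUCCESS=continue ].
_ACTION_RE = re.compile(r"\[[^\]]*\]")


def parse_nsswitch(text):
    """Return {database: [source, ...]}, ignoring comments, blank lines and
    action specifiers, which do not name a lookup source."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, _, rest = line.partition(":")
        databases[name.strip()] = _ACTION_RE.sub(" ", rest).split()
    return databases


def directory_backed(databases):
    """Databases whose lookup chain includes a directory source, mapped to
    the offending sources. A non-empty result for 'passwd' explains
    'useradd: user john exists'."""
    return {
        db: [s for s in srcs if s in DIRECTORY_SOURCES]
        for db, srcs in databases.items()
        if any(s in DIRECTORY_SOURCES for s in srcs)
    }


def local_only(databases, keep=("passwd", "shadow", "group")):
    """Copy of the configuration with directory sources removed from the
    account databases in `keep`, falling back to 'files' if nothing is
    left. Other databases (hosts, etc.) are left untouched."""
    fixed = dict(databases)
    for db in keep:
        if db in fixed:
            remaining = [s for s in fixed[db] if s not in DIRECTORY_SOURCES]
            fixed[db] = remaining or ["files"]
    return fixed


def render(databases):
    """Serialise back to nsswitch.conf syntax (action specifiers dropped)."""
    return "".join(f"{db}: {' '.join(srcs)}\n" for db, srcs in databases.items())


if __name__ == "__main__":
    parsed = parse_nsswitch(SAMPLE_NSSWITCH)
    for db, srcs in directory_backed(parsed).items():
        print(f"{db}: consults {', '.join(srcs)} -> useradd/passwd will "
              f"treat directory accounts as existing")
    print("local-only configuration for auth-only use of AD:")
    print(render(local_only(parsed)), end="")
```

With the sample input the audit flags passwd and group as winbind-backed and prints passwd:/group: reduced to files, which is the change that let useradd and passwd operate purely on /etc/passwd and /etc/shadow in the thread. Note that the pam_winbind option the thread refers to as 'require_membership' is spelled require_membership_of in pam_winbind's own configuration; that PAM-side gating is independent of the NSS change shown here.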