Pam-list Digest, Vol 23, Issue 6

Andreas Schindler schindler at az1.de
Mon Jan 9 18:42:12 UTC 2006


pam-list-request at redhat.com wrote:

>> I'm feeling a bit stuck on this, so any suggestions gratefully 
>> received. I'm trying to set up a Linux-based IMAP server that will 
>> authenticate against users on a Windows 2003 SBS domain controller.
>> ...
>> I have set the /etc/pam.d/imap very simply, similar to that discussed 
>> at <http://www.flatmtn.com/computer/Linux-Samba.html#Samba-2>:
>>
>> #%PAM-1.0
>> auth       required     /lib/security/pam_winbind.so
>> account    required     /lib/security/pam_winbind.so
>> session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022 debug
>>
>> And I'm a bit unclear as to why similar configurations seem to be 
>> working for everyone else & not me...

Try this, it works for me with uw-imapd, so it should work for cyrus 
too. This is my /etc/pam.d/imap:

xxxx at wega:~# cat /etc/pam.d/imap
#%PAM-1.0
auth    sufficient      pam_winbind.so  unknown_ok
auth    required        pam_unix.so     use_first_pass
#
account sufficient      pam_winbind.so  unknown_ok
account required        pam_unix.so
#
session  required       pam_permit.so

Some notes: The option 'unknown_ok' is necessary to prevent pam_winbind
from returning failure if the user name cannot be verified via 
getpwnam(), although the authentication did succeed.

Please make sure your /etc/nsswitch.conf is set up correctly too:

xxxx at wega:~# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files winbind
group:          files winbind
shadow:         files winbind

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Last but not least, you may wish to temporarily add a debug option to 
pam_winbind that will show you what's going on during authentication:

auth    sufficient      pam_winbind.so  unknown_ok debug

Now have a look at /var/log/auth.log.

By the way, did you check the basic operation of winbind anyway?

xxxx at wega:~ wbinfo -t
checking the trust secret via RPC calls succeeded

xxxx at wega:~ wbinfo -u

administrator
guest
dc1fm$
krbtgt
schindler
dopc00$
dopc02$
sirius$
...

Regards, Andreas
-- 
Dr.-Ing. Andreas Schindler

Alpha Zero One Computersysteme GmbH
Frankfurter Str. 141
63303 Dreieich

Telefon 06103-57187-21
Telefax 06103-373245

schindler at az1.de
www.az1.de
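
The checks suggested in the reply above, as an added example that is not part of the original post: a small linter for copies of the PAM service file and nsswitch.conf. The function names are this example's own, and it assumes simple "type control module args" PAM lines like the ones in this thread.

```sh
#!/bin/sh
# Added example, not from the original post: lint copies of the two files the
# reply depends on. Handles simple "type control module args" PAM lines only
# (no bracketed [value=action] controls), which is all this thread uses.

# nss_has_winbind FILE DB: succeeds if the DB line (e.g. passwd) lists winbind.
nss_has_winbind() {
    awk -v db="$2:" '
        /^[ \t]*#/ { next }
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# pam_line_has FILE TYPE MODULE [OPT]: succeeds if an uncommented TYPE line loads
# MODULE (bare name or full path) and, when OPT is given, carries that option.
pam_line_has() {
    awk -v t="$2" -v m="$3" -v o="${4:-}" '
        /^[ \t]*#/ { next }
        $1 == t {
            n = split($3, p, "/")
            if (p[n] != m) next
            if (o == "") found = 1
            for (i = 4; i <= NF; i++) if ($i == o) found = 1
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# check_winbind_setup PAMFILE NSSFILE: prints findings; exit status = FAIL count.
check_winbind_setup() {
    pam=$1; nss=$2; bad=0
    for db in passwd group; do
        nss_has_winbind "$nss" "$db" ||
            { echo "FAIL: $db line in $nss lacks winbind"; bad=$((bad + 1)); }
    done
    for t in auth account; do
        if ! pam_line_has "$pam" "$t" pam_winbind.so; then
            echo "FAIL: no $t line for pam_winbind.so in $pam"; bad=$((bad + 1))
        elif ! pam_line_has "$pam" "$t" pam_winbind.so unknown_ok; then
            echo "WARN: $t pam_winbind.so lacks unknown_ok"
        fi
    done
    if pam_line_has "$pam" auth pam_winbind.so debug; then
        echo "WARN: debug is still set on auth pam_winbind.so"
    fi
    return "$bad"
}

# Usage: sh check.sh /etc/pam.d/imap /etc/nsswitch.conf
if [ "$#" -eq 2 ]; then check_winbind_setup "$1" "$2"; fi
```

The debug warning is there because the reply adds that option only temporarily; the live check of the domain trust remains wbinfo -t.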




