  1. #1
     Just Joined! | Join Date: Jun 2005 | Posts: 47

    PAM annoyances


    Ok...I have built a small file server that authenticates with an Active Directory server. The server supports about 10 engineers and is primarily used for storing CAD files. I have also set up VNC to allow users to log into an X session and use X3270 and a few other programs to access our purchasing system. Everything is working fine except for the fact that GDM asks for a password twice when locally created users log in. I know it has something to do with my /etc/pam.d/gdm file, but I'm not quite sure what the problem is.

    Here is my /etc/pam.d/system-auth file
    Code:
    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        required      /lib/security/$ISA/pam_env.so
    auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
    auth        required      /lib/security/$ISA/pam_deny.so
    
    account     required      /lib/security/$ISA/pam_unix.so
    account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
    account     required      /lib/security/$ISA/pam_permit.so
    
    password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
    password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
    password    required      /lib/security/$ISA/pam_deny.so
    
    session     required      /lib/security/$ISA/pam_limits.so
    session     required      /lib/security/$ISA/pam_unix.so
    session     required      /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=0022
    And here is my /etc/rc.d/gdm file:
    Code:
    #%PAM-1.0
    auth       required     pam_env.so
    auth       sufficient   pam_winbind.so
    auth       required     pam_stack.so service=system-auth
    auth       required     pam_nologin.so
    account    sufficient   pam_winbind.so
    account    required     pam_stack.so service=system-auth
    password   sufficient   pam_winbind.so use_authtok
    password   required     pam_stack.so service=system-auth
    session    required     pam_stack.so service=system-auth
    session    optional     pam_console.so
    I have everything setup based off of this: http://www.timkennedy.net/docs/Linux...Directory.html

    Keep in mind that I am an engineer and not a programmer or sysadmin. I know enough about Linux to setup a basic file server to dump files to so I could really use some help figuring out this double login stuff.

  2. #2
     Linux Guru | Join Date: Oct 2001 | Location: Täby, Sweden | Posts: 7,578
    I haven't read the link you posted, but if this were me, I'd add the pam_winbind lines to system-auth instead of gdm, since that means any program can authenticate the AD users, and not just gdm.

    To prevent the "double password problem" you need to set up the PAM modules to reuse the first password entered using the `use_first_pass' directive.

    To combine these two issues, I'd say your files should look as follows. However, I can't test this or anything, so keep in mind that there may well be one or two things that I haven't thought about.

    /etc/pam.d/gdm:
    Code:
    #%PAM-1.0
    auth       required   pam_env.so
    auth       required   pam_stack.so service=system-auth
    auth       required   pam_nologin.so
    account    required   pam_stack.so service=system-auth
    password   required   pam_stack.so service=system-auth
    session    required   pam_stack.so service=system-auth
    session    optional   pam_console.so
    /etc/pam.d/system-auth:
    Code:
    #%PAM-1.0
    auth        required      /lib/security/$ISA/pam_env.so
    auth        sufficient    pam_winbind.so
    auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
    auth        required      /lib/security/$ISA/pam_deny.so
    
    account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
    account     sufficient    pam_winbind.so
    account     sufficient    /lib/security/$ISA/pam_unix.so
    account     required      /lib/security/$ISA/pam_deny.so
    
    password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
    password    sufficient    pam_winbind.so use_authtok
    password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
    password    required      /lib/security/$ISA/pam_deny.so
    
    session     required      /lib/security/$ISA/pam_limits.so
    session     required      /lib/security/$ISA/pam_unix.so
    session     required      /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=0022
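
    The following is an added example written for this page; it is not code from either poster and not Linux-PAM itself. It is a small Python model of the auth stacks in post #1 and post #2 that applies the pam.d(5) control-flag rules (required, requisite, sufficient, optional) and the use_first_pass/try_first_pass token rules, and counts how many password prompts a gdm login produces. The module functions are stand-ins that check a constructed in-memory table (alice as a local-only user, bob as an AD-only user, with made-up passwords); pam_nologin is assumed to succeed, and pam_stack is modelled as a nested stack that shares the same PAM_AUTHTOK. The third stack, NO_PROMPTER, is a constructed pitfall that does not appear in the thread: use_first_pass with no earlier module to supply a token.

```python
"""Toy model of Linux-PAM 'auth' stacking, showing why the gdm stack in post #1
prompts local users twice and why the use_first_pass in post #2 fixes it.
Illustration only: the control-flag logic follows pam.d(5), but the modules
are stand-ins that check a constructed in-memory user table."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample accounts (assumption, not from the thread):
# alice exists only in /etc/shadow, bob exists only in Active Directory.
LOCAL_USERS = {"alice": "local-secret"}   # what pam_unix would consult
AD_USERS = {"bob": "ad-secret"}           # what pam_winbind would consult

Stack = List[Tuple[str, ...]]             # (control, module, option, option, ...)


@dataclass
class Session:
    user: str
    password: str                  # what the person types at every prompt
    prompts: int = 0               # how many password prompts they saw
    authtok: Optional[str] = None  # PAM_AUTHTOK, shared by every module in the stack

    def ask(self) -> str:
        """A module running its own conversation: one more prompt for the user."""
        self.prompts += 1
        self.authtok = self.password
        return self.password


def password_for(sess: Session, opts: Tuple[str, ...]) -> Optional[str]:
    """Token handling as pam_unix/pam_winbind do it: use_first_pass reuses the
    stored token and fails (None) if there is none; try_first_pass reuses it
    but prompts as a fallback; with neither option the module always prompts."""
    if sess.authtok is not None and ("use_first_pass" in opts or "try_first_pass" in opts):
        return sess.authtok
    if "use_first_pass" in opts:
        return None
    return sess.ask()


def pam_env(sess: Session, opts: Tuple[str, ...]) -> bool:
    return True                    # sets environment variables, never fails


def pam_nologin(sess: Session, opts: Tuple[str, ...]) -> bool:
    return True                    # assumption: /etc/nologin is absent


def pam_deny(sess: Session, opts: Tuple[str, ...]) -> bool:
    return False                   # unconditional failure


def pam_winbind(sess: Session, opts: Tuple[str, ...]) -> bool:
    pw = password_for(sess, opts)
    return pw is not None and AD_USERS.get(sess.user) == pw


def pam_unix(sess: Session, opts: Tuple[str, ...]) -> bool:
    # likeauth/nullok/shadow are accepted but have no effect in this toy
    pw = password_for(sess, opts)
    return pw is not None and LOCAL_USERS.get(sess.user) == pw


MODULES = {"pam_env.so": pam_env, "pam_nologin.so": pam_nologin, "pam_deny.so": pam_deny,
           "pam_winbind.so": pam_winbind, "pam_unix.so": pam_unix}


def run_stack(stack: Stack, sess: Session, services: Dict[str, Stack]) -> bool:
    """Evaluate one auth stack with pam.d(5) control-flag semantics."""
    required_failed = False
    decided = False
    for control, module, *opts in stack:
        if module == "pam_stack.so":   # old Red Hat include mechanism: nested stack, same authtok
            svc = next(o.split("=", 1)[1] for o in opts if o.startswith("service="))
            ok = run_stack(services[svc], sess, services)
        else:
            ok = MODULES[module](sess, tuple(opts))
        if control == "requisite" and not ok:
            return False                       # fail immediately
        if control in ("required", "requisite"):
            decided = True
            required_failed = required_failed or not ok   # keep going, result already fixed
        elif control == "sufficient" and ok and not required_failed:
            return True                        # short-circuit success
        # optional results and failed sufficient modules are ignored
    return decided and not required_failed


def login(services: Dict[str, Stack], user: str, password: str) -> Tuple[bool, int]:
    """Simulate a gdm login: (authenticated?, number of password prompts shown)."""
    sess = Session(user, password)
    return run_stack(services["gdm"], sess, services), sess.prompts


# The auth lines of post #1's /etc/pam.d/gdm and /etc/pam.d/system-auth.
ORIGINAL: Dict[str, Stack] = {
    "gdm": [("required", "pam_env.so"),
            ("sufficient", "pam_winbind.so"),
            ("required", "pam_stack.so", "service=system-auth"),
            ("required", "pam_nologin.so")],
    "system-auth": [("required", "pam_env.so"),
                    ("sufficient", "pam_unix.so", "likeauth", "nullok"),
                    ("required", "pam_deny.so")],
}
# The auth lines of post #2's proposal: winbind moved into system-auth, pam_unix reuses the token.
PROPOSED: Dict[str, Stack] = {
    "gdm": [("required", "pam_env.so"),
            ("required", "pam_stack.so", "service=system-auth"),
            ("required", "pam_nologin.so")],
    "system-auth": [("required", "pam_env.so"),
                    ("sufficient", "pam_winbind.so"),
                    ("sufficient", "pam_unix.so", "likeauth", "nullok", "use_first_pass"),
                    ("required", "pam_deny.so")],
}
# Constructed pitfall: use_first_pass kept on pam_unix after the prompting module was removed.
NO_PROMPTER: Dict[str, Stack] = {
    "gdm": [("required", "pam_stack.so", "service=system-auth")],
    "system-auth": [("sufficient", "pam_unix.so", "use_first_pass"),
                    ("required", "pam_deny.so")],
}

if __name__ == "__main__":
    for name, services in (("original", ORIGINAL), ("proposed", PROPOSED), ("no-prompter", NO_PROMPTER)):
        for user, pw in (("alice", "local-secret"), ("bob", "ad-secret"), ("alice", "wrong")):
            print(f"{name:11} {user}/{pw}: {login(services, user, pw)}")
```

    Running it prints, for each stack, whether the login succeeds and how many prompts were shown. Post #1's gdm stack authenticates alice but asks twice: pam_winbind prompts and stores the password as PAM_AUTHTOK, then pam_unix inside pam_stack prompts again because without use_first_pass or try_first_pass it never looks at the stored token. Post #2's version asks once. The model also makes two things visible that are worth knowing before adopting the fix: with pam_winbind ahead of pam_unix, every local user's password is submitted to the domain controller as an AD logon attempt before pam_unix sees it, so a local account whose name also exists in AD will accumulate failed logons there; and use_first_pass with nothing to reuse fails outright with zero prompts, which is why try_first_pass on pam_unix is the more forgiving choice if the module ahead of it might ever be removed.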

  3. #3
     Linux Guru | Join Date: Oct 2001 | Location: Täby, Sweden | Posts: 7,578
    To continue on that track, however:

    Considering how AD uses LDAP and Kerberos, you would probably get a better result if you use nss_ldap and pam_krb5 instead of Samba and winbind. You could potentially get true Kerberos authentication with Single Sign-On and lots of niceties.

    However, I'm not familiar enough with Windows (and thus AD) to recommend any way to set such a thing up. I could set up the Linux side of things, if it wasn't for the fact that I have no idea how the Windows AD server works.

    It's not necessary, of course, but if you have a few spare hours with nothing to do, I could recommend that you check it out.
