-
PAM annoyances
Ok...I have built a small file server that authenticates with an Active Directory server. The server supports about 10 engineers and is primarily used for storing CAD files. I have also set up VNC to allow users to log into an X session and use X3270 and a few other programs to access our purchasing system. Everything is working fine except for the fact that GDM asks for a password twice when locally created users log in. I know it has something to do with my /etc/pam.d/gdm file, but I'm not quite sure what the problem is.
Here is my /etc/pam.d/system-auth file
Code:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session required /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=0022
And here is my /etc/rc.d/gdm file:
Code:
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_winbind.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account sufficient pam_winbind.so
account required pam_stack.so service=system-auth
password sufficient pam_winbind.so use_authtok
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so
I have everything setup based off of this: http://www.timkennedy.net/docs/Linux...Directory.html
Keep in mind that I am an engineer and not a programmer or sysadmin. I know enough about Linux to set up a basic file server to dump files to, so I could really use some help figuring out this double login stuff.
-
I haven't read the link you posted, but if this were me, I'd add the pam_winbind lines to system-auth instead of gdm, since that means any program can authenticate the AD users, and not just gdm.
To prevent the "double password problem" you need to set up the PAM modules to reuse the first password entered using the `use_first_pass` directive.
To combine these two issues, I'd say your files should look as follows. However, I can't test this or anything, so keep in mind that there may well be one or two things that I haven't thought about.
/etc/pam.d/gdm:
Code:
#%PAM-1.0
auth required pam_env.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so
/etc/pam.d/system-auth:
Code:
#%PAM-1.0
auth required /lib/security/$ISA/pam_env.so
auth sufficient pam_winbind.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account sufficient pam_winbind.so
account sufficient /lib/security/$ISA/pam_unix.so
account required /lib/security/$ISA/pam_deny.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient pam_winbind.so use_authtok
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session required /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=0022
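As an added illustration (not code from the thread), here is a small Python model of the Linux-PAM "auth" control-flag semantics (required / requisite / sufficient, with pam_stack treated as a nested stack) that counts how many password dialogs a user sees. The users alice (AD) and bob (local) are constructed; it reproduces the two prompts under the original layout and the single prompt once pam_winbind runs first in system-auth and pam_unix gets use_first_pass.

```python
# Added example (not from the thread): toy model of Linux-PAM "auth" control flags,
# used to count password prompts under the original gdm stack and the fixed one.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Mod:
    name: str
    control: str                      # required | requisite | sufficient | optional
    accepts: frozenset = frozenset()  # users it can authenticate; {"*"} = anyone
    prompts: bool = False             # does it pop its own "Password:" dialog?
    use_first_pass: bool = False      # reuse the token already in the PAM handle
    sub: Optional[list] = None        # pam_stack: the service it delegates to

def _run(stack, user, st):
    """Walk one stack; st holds the shared auth token and the prompt count."""
    failed = False
    for m in stack:
        if m.sub is not None:                       # pam_stack service=...
            ok = _run(m.sub, user, st) == "success"
        else:
            if m.prompts and not (m.use_first_pass and st["token"]):
                st["prompts"] += 1                  # a fresh password dialog
                st["token"] = "<entered>"           # now stored as PAM_AUTHTOK
            ok = "*" in m.accepts or user in m.accepts
        if m.control == "requisite" and not ok:
            return "failure"                        # abort at once
        if m.control == "required" and not ok:
            failed = True                           # remember, but keep walking
        if m.control == "sufficient" and ok and not failed:
            return "success"                        # short-circuit
    return "failure" if failed else "success"

def auth(stack, user):
    """Return (result, number of password prompts the user sees)."""
    st = {"prompts": 0, "token": None}
    return _run(stack, user, st), st["prompts"]

ANY, AD, LOCAL = frozenset({"*"}), frozenset({"alice"}), frozenset({"bob"})  # constructed
env, nologin = Mod("pam_env", "required", ANY), Mod("pam_nologin", "required", ANY)
winbind, deny = Mod("pam_winbind", "sufficient", AD, prompts=True), Mod("pam_deny", "required")

# Poster's layout: winbind in gdm, pam_unix in system-auth without use_first_pass
ORIG_SYSAUTH = [env, Mod("pam_unix", "sufficient", LOCAL, prompts=True), deny]
ORIGINAL_GDM = [env, winbind, Mod("pam_stack", "required", sub=ORIG_SYSAUTH), nologin]

# Suggested layout: winbind moved into system-auth and pam_unix given use_first_pass
FIXED_SYSAUTH = [env, winbind,
                 Mod("pam_unix", "sufficient", LOCAL, prompts=True, use_first_pass=True), deny]
FIXED_GDM = [env, Mod("pam_stack", "required", sub=FIXED_SYSAUTH), nologin]
```

Calling auth(ORIGINAL_GDM, "bob") gives two prompts and auth(FIXED_GDM, "bob") gives one, while the AD user alice sees one prompt either way; an unknown user still ends at pam_deny.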
-
To continue on that track, however:
Considering how AD uses LDAP and Kerberos, you would probably get a better result if you use nss_ldap and pam_krb5 instead of Samba and winbind. You could potentially get true Kerberos authentication with Single Sign-On and lots of niceties.
However, I'm not familiar enough with Windows (and thus AD) to recommend any way to set such a thing up. I could set up the Linux side of things, if it wasn't for the fact that I have no idea how the Windows AD server works.
It's not necessary, of course, but if you have a few spare hours with nothing to do, I could recommend that you check it out.