[arch-general] samba domain member - check for unix auth first

Łukasz Michalski lm at zork.pl
Sat Aug 10 21:38:58 UTC 2019


I am running samba AD DC as virtual machine from host, which is a samba 
domain member.

I enabled PAM auth using wiki article[1].

My problem is that when host is starting I am unable to login (even as 
root) to it until DC vm starts and winbindd reestablishes connection to DC.

I want to change auth priority: check for unix user first, and if not 
found check in AD.

I tried to change /etc/pam.d/system-auth this way:

[DO NOT use - it does not work]

auth [default=ignore] pam_localuser.so
auth [success=1 default=die] pam_unix.so nullok
auth [default=die] pam_winbind.so
auth requisite pam_deny.so
auth optional  pam_permit.so
auth required  pam_env.so

account required  pam_unix.so
account [success=1 default=ignore] pam_localuser.so
account required pam_winbind.so
account optional  pam_permit.so
account required  pam_time.so

password [default=ignore] pam_localuser.so
password [success=1 default=die] pam_unix.so sha512 shadow
password [default=die] pam_winbind.so
password requisite pam_deny.so
password optional  pam_permit.so

session required  pam_limits.so
session required  pam_unix.so
session required  pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional  pam_permit.so

but it does not work. Anyone has a working example?


More information about the arch-general mailing list