[arch-general] samba domain member - check for unix auth first
Łukasz Michalski
lm at zork.pl
Sat Aug 10 21:38:58 UTC 2019
Hi,
I am running a samba AD DC as a virtual machine from the host, which is a samba
domain member.
I enabled PAM auth using wiki article[1].
My problem is that when the host is starting I am unable to log in (even as
root) to it until the DC VM starts and winbindd reestablishes the connection to the DC.
I want to change auth priority: check for unix user first, and if not
found check in AD.
I tried to change /etc/pam.d/system-auth this way:
[DO NOT use - it does not work]
auth [default=ignore] pam_localuser.so
auth [success=1 default=die] pam_unix.so nullok
auth [default=die] pam_winbind.so
auth requisite pam_deny.so
auth optional pam_permit.so
auth required pam_env.so
account required pam_unix.so
account [success=1 default=ignore] pam_localuser.so
account required pam_winbind.so
account optional pam_permit.so
account required pam_time.so
password [default=ignore] pam_localuser.so
password [success=1 default=die] pam_unix.so sha512 shadow
password [default=die] pam_winbind.so
password requisite pam_deny.so
password optional pam_permit.so
session required pam_limits.so
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional pam_permit.so
but it does not work. Does anyone have a working example?
Thanks,
Łukasz
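
Why the posted auth stack rejects every login can be traced with a small model of PAM's control handling. This is an added example, not part of the original message: the evaluator is a simplification of Linux-PAM that covers only the actions this stack uses, the keyword expansions are abridged, and the module return values are constructed.

```python
import re
# Simplified model of Linux-PAM's walk over one stack: ok, ignore, bad, die, jumps.
KEYWORDS = {  # keyword controls as abridged bracket equivalents
    "required": "success=ok default=bad",
    "requisite": "success=ok default=die",
    "optional": "success=ok default=ignore",
}
# The auth lines as posted in the message above.
POSTED_AUTH = """
auth [default=ignore] pam_localuser.so
auth [success=1 default=die] pam_unix.so nullok
auth [default=die] pam_winbind.so
auth requisite pam_deny.so
auth optional pam_permit.so
auth required pam_env.so
"""
# Constructed module return values for two logins (not captured from a real host).
LOCAL_USER = {"pam_localuser.so": "success", "pam_unix.so": "success",
              "pam_winbind.so": "user_unknown", "pam_deny.so": "auth_err",
              "pam_permit.so": "success", "pam_env.so": "success"}
AD_USER = {**LOCAL_USER, "pam_localuser.so": "perm_denied",
           "pam_unix.so": "user_unknown", "pam_winbind.so": "success"}

def parse(text):
    """Return [(actions, module), ...] for each 'auth <control> <module>' line."""
    rules = []
    for control, module in re.findall(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", text):
        spec = control[1:-1] if control.startswith("[") else KEYWORDS[control]
        rules.append((dict(pair.split("=") for pair in spec.split()), module))
    return rules

def evaluate(rules, results):
    """Walk the stack with the given module results; return (granted, modules_run)."""
    impression, ran, i = None, [], 0
    while i < len(rules):
        actions, module = rules[i]
        ran.append(module)
        action = actions.get(results[module], actions["default"])
        if action in ("bad", "die"):
            impression = False
        elif action == "ok" and impression is None:
            impression = True
        if action == "die":
            break  # die ends the stack immediately
        i += 1 + (int(action) if action.isdigit() else 0)  # N = skip next N modules
    return impression is True, ran

if __name__ == "__main__":
    for name, results in (("local user", LOCAL_USER), ("AD user", AD_USER)):
        print(name, evaluate(parse(POSTED_AUTH), results))
```

In both constructed logins pam_winbind.so is never reached: a pam_unix.so success jumps over it and lands on pam_deny.so, and any pam_unix.so failure hits default=die.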