Comment 8 for bug 570944

gmoore777 (guy-moore) wrote :

Is this what you need?

$ cd /etc/pam.d
$ cat common-auth common-session-noninteractive common-session common-password common-account | grep -v "^#"

# NOTE(review): annotations added for readers. The five groups below appear to
# follow the order of the files in the cat command (common-auth first,
# common-account last) - confirm against the files themselves.

# auth group: when pam_unix succeeds, success=2 skips the next two lines and
# lands on pam_permit. nullok_secure lets an account with an empty password
# authenticate; on Debian/Ubuntu that is limited to terminals listed in
# /etc/securetty.
auth [success=2 default=ignore] pam_unix.so nullok_secure
# Tried when pam_unix did not succeed; try_first_pass reuses the password
# already typed. krb5_ccache_type=FILE keeps the Kerberos credential cache in
# a file. cached_login accepts cached credentials while the domain controller
# cannot be reached, so a password change or account disable made in the
# domain is not seen until the host is back online.
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
# Reached only when neither module above jumped over it; requisite fails the
# stack immediately.
auth requisite pam_deny.so
auth required pam_permit.so

# session group (presumably common-session-noninteractive): default=1 on
# pam_permit always skips the pam_deny line that follows.
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
session optional pam_winbind.so

# session group (presumably common-session).
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
# Creates a missing home directory from /etc/skel/ at first login; umask=0027
# gives no access to "other" and no write access to the group.
session required pam_mkhomedir.so skel=/etc/skel/ umask=0027
session required pam_unix.so
session optional pam_winbind.so
session optional pam_ck_connector.so nox11

# password group: pam_unix hashes new local passwords with SHA-512 crypt;
# obscure enables its basic password-strength checks.
password [success=2 default=ignore] pam_unix.so obscure sha512
# Reached only when pam_unix did not succeed. use_authtok makes pam_winbind use
# the new password collected earlier in the stack instead of prompting again.
password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass
password requisite pam_deny.so
password required pam_permit.so
password optional pam_gnome_keyring.so

# account group: either pam_unix or pam_winbind accepting the account is
# enough to skip pam_deny.
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
account requisite pam_deny.so
account required pam_permit.so

Here is the smb.conf with comments removed, and with
<shortDOMAINname>, <MACHINEX>, <DOMAIN> substituted in where appropriate.

# NOTE(review): annotations added for readers; every setting line is as posted.
[global]
workgroup = <shortDOMAINname>
# Host is configured as a member of an Active Directory domain (realm below).
security = ADS
password server = <MACHINE1>.<DOMAIN>.com, <MACHINE2>.<DOMAIN>.com
realm = <DOMAIN>.COM
server string = %h server (Samba, Ubuntu)
dns proxy = no
# One log file per connecting machine name (%m).
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
# An SMB password change is also pushed to the local Unix password.
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
# A login with a user name that does not exist becomes a guest session instead
# of being rejected. Together with "usershare allow guests" at the end of this
# section it permits guest access; confirm that is intended on a domain member.
map to guest = bad user
# NOTE(review): the id range starts at 50, which usually overlaps ids held by
# local system accounts, and its upper bound is larger than a 32-bit id
# (4294967295) - confirm both are intended.
idmap backend = idmap_rid:<DOMAIN>=50-9999999999
idmap uid = 50-9999999999
idmap gid = 50-9999999999
# Only the host's own domain is accepted, not domains it trusts.
allow trusted domains = no
# Winbind caches credentials locally so logon works while the domain
# controller is unreachable; this is what cached_login in the pam_winbind auth
# line relies on.
winbind offline logon = true
template shell = /bin/bash
template homedir = /home/%D/%U
winbind normalize names = yes
# Domain users are presented without the domain prefix, so a domain user name
# can coincide with a local account name - verify which one takes precedence.
winbind use default domain = yes
# User-defined shares may be created with guest access enabled.
usershare allow guests = yes