# [SOLVED] winbind + ssh

## JC Denton

Has anyone got winbind with ssh to work successfully? When I try to login as a user with DOMAIN+user@host, I see these messages in /var/log:

```
Aug 18 02:58:52 myhost pam_winbind[21285]: user 'MYDOMAIN+captkirk' granted access
Aug 18 02:58:52 myhost sshd[21278]: error: PAM: Authentication service cannot retrieve authentication info. for MYDOMAIN+captkirk from localhost
```

Here's the section from my PAM file (/etc/pam.d/system-auth):

```
#%PAM-1.0

auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       sufficient   pam_winbind.so
auth       required     pam_deny.so

account    required     pam_unix.so
account    sufficient   pam_winbind.so

password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
#password   sufficient   pam_winbind.so
password   required     pam_deny.so

session    required     pam_limits.so
session    required     pam_unix.so
```

Any help is greatly appreciated!

Last edited by JC Denton on Sat Sep 09, 2006 1:22 am; edited 1 time in total

----------

## JC Denton

Bump.

----------

## JC Denton

Sorry to bump again, but is anyone successfully doing this?

----------

## phlogistonjohn

Did you add winbind to /etc/nsswitch.conf?

PAM is used to authenticate a user, but the entries in nsswitch tell the system what account databases are available.

My nsswitch.conf on a server that uses winbind for Active Directory auth looks like this:

```
passwd:         files winbind
group:          files winbind
shadow:         files winbind

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
```

Test to see if it works by typing 'getent passwd'; your captkirk account should show up in that list.

----------

## JC Denton

 *phlogistonjohn wrote:*   

> Did you add winbind to /etc/nsswitch.conf?
> 
> PAM is used to authenticate a user, but the entries in nsswitch tell the system what account databases are available.

 

Yep, I've got winbind in for passwd, group, and shadow.

What's weird is that I see winbind grant permission in the system's authlog, but SSHd complains it never receives the authentication info.

 *phlogistonjohn wrote:*   

> Test to see if it works by typing 'getent passwd'; your captkirk account should show up in that list.

 

Yes, it does.

Here's my /etc/nsswitch.conf file:

```
# /etc/nsswitch.conf:
# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/files/nsswitch.conf,v 1.1 2005/05/17 00:52:41 vapier Exp $

passwd:      files winbind
shadow:      files winbind
group:       files winbind

# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis

hosts:       files wins dns
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files

automount:   files
aliases:     files
```

----------

## phlogistonjohn

You have:

```
account    required     pam_unix.so
account    sufficient   pam_winbind.so
```

Try and see if reversing the order of the lines does anything... make it:

```
account    sufficient   pam_winbind.so
account    required     pam_unix.so
```

IIRC rule traversal order matters. There is a section in the pam manpage that says: "if a prior required module has failed the success of [a sufficient rule] is ignored"

----------

## JC Denton

 *phlogistonjohn wrote:*   

> You have:
>
> ```
> account    required     pam_unix.so
> ...
> ```

 

That was it! Thank you very, very much!

----------
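The ordering fix from this thread, as an added example that is not part of any poster's message: a simplified model of how Linux-PAM walks the `account` stack, run against the original and the reordered lines. The per-module return codes are assumptions chosen to match the log lines in the first post (pam_winbind grants access, pam_unix cannot retrieve the account info for a domain user).

```python
# Added illustration: simplified model of how Linux-PAM walks one stack,
# covering only the required / requisite / sufficient / optional flags.
PAM_SUCCESS = "PAM_SUCCESS"
PAM_PERM_DENIED = "PAM_PERM_DENIED"
PAM_AUTHINFO_UNAVAIL = "PAM_AUTHINFO_UNAVAIL"  # code behind the sshd error text
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"

BEFORE = """
account    required     pam_unix.so
account    sufficient   pam_winbind.so
"""
AFTER = """
account    sufficient   pam_winbind.so
account    required     pam_unix.so
"""
# Constructed per-module results (assumptions, not captured from a real host).
DOMAIN_USER = {"pam_unix.so": PAM_AUTHINFO_UNAVAIL, "pam_winbind.so": PAM_SUCCESS}
LOCAL_USER = {"pam_unix.so": PAM_SUCCESS, "pam_winbind.so": PAM_USER_UNKNOWN}

def parse_stack(text, mgmt_type):
    """Return [(control, module)] for one management type of a pam.d file."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == mgmt_type:
            rules.append((fields[1], fields[2]))
    return rules

def evaluate(rules, results):
    """Walk the stack; results maps module name -> its return code."""
    first_failure, any_ok = None, False
    for control, module in rules:
        ok = results[module] == PAM_SUCCESS
        any_ok = any_ok or ok
        if control == "sufficient":
            if ok and first_failure is None:
                return PAM_SUCCESS        # stack ends here, later rules are skipped
            continue                      # failure of a sufficient rule is ignored
        if control == "optional" or ok:
            continue
        first_failure = first_failure or results[module]
        if control == "requisite":
            break                         # requisite failure ends the stack at once
    if first_failure:
        return first_failure
    return PAM_SUCCESS if any_ok else PAM_PERM_DENIED

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        stack = parse_stack(text, "account")
        print(name, evaluate(stack, DOMAIN_USER), evaluate(stack, LOCAL_USER))
```

In the reordered stack a successful `pam_winbind.so` ends the account phase, so `pam_unix.so` account checks are only reached for users winbind does not accept.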

