# PAM sshd login fails (auth with winbind from AD) SOLVED

## tuukka

I'm trying to login users from Windows AD. Authentication works fine from the Active Directory but I get this error when trying to login with ssh:

```
Feb  3 16:24:35 [pam_winbind] user 'DOMAIN\USER' granted access
                - Last output repeated 2 times -
Feb  3 16:24:35 [sshd] Accepted keyboard-interactive/pam for DOMAIN\\USER from 172.20.254.14 port 1827 ssh2
Feb  3 16:24:35 [sshd(pam_unix)] session opened for user DOMAIN\USER by (uid=0)
Feb  3 16:24:35 [sshd] fatal: PAM: pam_open_session(): Permission denied
```

In sshd_config I have enabled UsePAM yes and ChallengeResponseAuthentication yes, as you might guess from the syslog entries.

/etc/pam.d/sshd :

```
auth       required     pam_stack.so service=system-auth
auth       sufficient   pam_winbind.so try_first_pass
auth       required     pam_unix.so try_first_pass
auth       required     pam_shells.so
auth       required     pam_nologin.so
account    sufficient   pam_winbind.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
```

/etc/pam.d/system-auth :

```
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_winbind.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok use_first_pass
auth        required      /lib/security/pam_deny.so
account     sufficient    /lib/security/pam_winbind.so
account     required      /lib/security/pam_unix.so
password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/pam_winbind.so
password    required      /lib/security/pam_deny.so
session     required      /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022 silent
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
```

Any help would be appreciated,

-tuukka

Last edited by tuukka on Thu Feb 24, 2005 11:27 am; edited 1 time in total

----------

## tuukka

Finally figured it out.

Here's a working config for sshd (there might be something to correct later for security but for now it does what I need):

```
auth       required     pam_securetty.so
auth       sufficient   pam_winbind.so try_first_pass
auth       sufficient   pam_unix.so try_first_pass
auth       required     pam_nologin.so
account    sufficient   pam_winbind.so
account    sufficient   pam_stack.so service=system-auth
password   sufficient   pam_winbind.so
password   required     pam_stack.so service=system-auth
password   required     pam_permit.so
session    required     pam_mkhomedir.so skel=/etc/skel umask=0027 silent
session    optional     pam_console.so
session    required     pam_permit.so
```

And in the system-auth the account and password sections (for now sshd doesn't use any other parts of system-auth):

```
account     sufficient    pam_winbind.so
account     required      pam_unix.so
password    sufficient    pam_winbind.so
password    required      pam_cracklib.so retry=3
password    sufficient    pam_unix.so nullok use_authtok md5 shadow
password    required      pam_deny.so
```

I really urge anyone having problems with pam authentication to read the rfc and the module descriptions well. They're very good documentation.

Hope this helps someone.

-tuukka
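
Added example, not part of the original post: a simplified Python model of the `required` / `requisite` / `sufficient` / `optional` control flags, run over the auth stack from the working sshd config above. The module outcomes are constructed and the helper names (`parse_stack`, `evaluate`, `nologin_first`) are hypothetical; it shows that `pam_nologin.so` is never consulted once `pam_winbind.so` succeeds ahead of it, and how moving it to the top changes the result.

```python
# Added example: simplified model of Linux-PAM's basic control flags.
# Module outcomes below are constructed, not taken from a real login.

WORKING_AUTH = """\
auth       required     pam_securetty.so
auth       sufficient   pam_winbind.so try_first_pass
auth       sufficient   pam_unix.so try_first_pass
auth       required     pam_nologin.so
"""

def parse_stack(text, group):
    """Return [(control, module)] for one management group, in file order."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == group:
            stack.append((fields[1], fields[2]))
    return stack

def evaluate(stack, outcome):
    """outcome maps module -> True/False. Returns (granted, consulted)."""
    failed = succeeded = False
    consulted = []
    for control, module in stack:
        consulted.append(module)
        ok = outcome[module]
        if control == "requisite" and not ok:
            return False, consulted          # fail immediately
        if control in ("required", "requisite"):
            succeeded = succeeded or ok
            failed = failed or not ok        # required failure: keep going, deny at end
        elif control == "sufficient" and ok and not failed:
            return True, consulted           # stop here; later modules are skipped
        # a failed "sufficient" and any "optional" result are ignored in this model
    return succeeded and not failed, consulted

def nologin_first(stack):
    """Hypothetical reordering: move pam_nologin.so to the top of the stack."""
    return sorted(stack, key=lambda entry: entry[1] != "pam_nologin.so")

# Constructed scenario: the AD password is correct and /etc/nologin exists.
OUTCOME = {"pam_securetty.so": True, "pam_winbind.so": True,
           "pam_unix.so": False, "pam_nologin.so": False}

if __name__ == "__main__":
    stack = parse_stack(WORKING_AUTH, "auth")
    print(evaluate(stack, OUTCOME))                 # stack as posted
    print(evaluate(nologin_first(stack), OUTCOME))  # pam_nologin.so checked first
```
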

----------

