# HG changeset patch
# User Jiri Sasek
# Date 1314798624 25200
# Node ID 1e7038bb308ce1660928bea5ba39a6f172b2275c
# Parent ce18ad078a65d66129f7bd64184c98b446bebbe9
7069817 ADS authentication via winbind fails for ssh after patch Samba 3.5.8 update patch is installed
7028089 Local user account password management fails with winbind active in PAM and nsswitch.conf
diff -r ce18ad078a65 -r 1e7038bb308c components/samba/samba/Solaris/pam.conf-winbind
--- a/components/samba/samba/Solaris/pam.conf-winbind Tue Aug 30 11:01:10 2011 -0700
+++ b/components/samba/samba/Solaris/pam.conf-winbind Wed Aug 31 06:50:24 2011 -0700
@@ -1,24 +1,8 @@
 #
-# CDDL HEADER START
-#
-# The contents of this file are subject to the terms of the
-# Common Development and Distribution License (the "License").
-# You may not use this file except in compliance with the License.
+#
 #
-# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
-# or http://www.opensolaris.org/os/licensing.
-# See the License for the specific language governing permissions
-# and limitations under the License.
 #
-# When distributing Covered Code, include this CDDL HEADER in each
-# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
-# If applicable, add the following below this CDDL HEADER, with the
-# fields enclosed by brackets "[]" replaced with your own identifying
-# information: Portions Copyright [yyyy] [name of copyright owner]
-#
-# CDDL HEADER END
-#
-# Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved.
 #
 # PAM configuration
 #
@@ -36,7 +20,8 @@
 login auth requisite pam_authtok_get.so.1
 login auth required pam_dhkeys.so.1
 login auth required pam_unix_cred.so.1
-login auth required pam_unix_auth.so.1
+login auth sufficient pam_winbind.so.1 try_first_pass
+login auth binding pam_unix_auth.so.1 server_policy
 login auth required pam_dial_auth.so.1
 #
 # rlogin service (explicit because of pam_rhost_auth)
@@ -45,13 +30,13 @@
 rlogin auth requisite pam_authtok_get.so.1
 rlogin auth required pam_dhkeys.so.1
 rlogin auth required pam_unix_cred.so.1
+rlogin auth sufficient pam_winbind.so.1 try_first_pass
 rlogin auth required pam_unix_auth.so.1
 #
 # Kerberized rlogin service
 #
 krlogin auth required pam_unix_cred.so.1
-krlogin auth binding pam_krb5.so.1
-krlogin auth required pam_unix_auth.so.1
+krlogin auth required pam_krb5.so.1
 #
 # rsh service (explicit because of pam_rhost_auth,
 # and pam_unix_auth for meaningful pam_setcred)
@@ -62,14 +47,12 @@
 # Kerberized rsh service
 #
 krsh auth required pam_unix_cred.so.1
-krsh auth binding pam_krb5.so.1
-krsh auth required pam_unix_auth.so.1
+krsh auth required pam_krb5.so.1
 #
 # Kerberized telnet service
 #
 ktelnet auth required pam_unix_cred.so.1
-ktelnet auth binding pam_krb5.so.1
-ktelnet auth required pam_unix_auth.so.1
+ktelnet auth required pam_krb5.so.1
 #
 # PPP service (explicit because of pam_dial_auth)
 #
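Review bot: The `login` stack now has two modules that can end authentication before `login auth required pam_dial_auth.so.1` runs: the new `sufficient pam_winbind.so.1` line and `pam_unix_auth.so.1`, whose control flag changes from `required` to `binding`. If the dial-up password check is still meant to apply to every login, it has to sit above both, e.g. `login auth required pam_dial_auth.so.1` directly after the `pam_unix_cred.so.1` line; if skipping it is intended, a comment above the winbind line should say so. The `rlogin` and `other` stacks in the later hunks keep `pam_unix_auth.so.1` as `required`, so the `binding ... server_policy` form here also wants a one-line explanation of why `login` differs.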
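Review bot: The `krlogin` entries in the `@@ -45,13 +30,13 @@` hunk, and the `krsh` and `ktelnet` entries in the hunk after it, lose their `pam_unix_auth.so.1` line and switch `pam_krb5.so.1` from `binding` to `required`, yet neither bug title in the description covers the Kerberized services. An unexplained change to an auth stack is hard to audit later, so the file should carry the reason, for example `# Kerberized services rely on pam_krb5 alone; pam_unix_auth is intentionally not stacked here` above the first `krlogin` line.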
@@ -79,105 +62,12 @@
 ppp auth required pam_unix_auth.so.1
 ppp auth required pam_dial_auth.so.1
 #
-# Default definitions for Authentication management
-# Used when service name is not explicitly mentioned for authentication
-#
-other auth requisite pam_authtok_get.so.1
-other auth required pam_dhkeys.so.1
-other auth required pam_unix_cred.so.1
-other auth required pam_unix_auth.so.1
-#
-# passwd command (explicit because of a different authentication module)
-#
-passwd auth required pam_passwd_auth.so.1
-#
-# cron service (explicit because of non-usage of pam_roles.so.1)
-#
-cron account required pam_unix_account.so.1
-#
-# Default definition for Account management
-# Used when service name is not explicitly mentioned for account management
-#
-other account requisite pam_roles.so.1
-other account sufficient pam_unix_account.so.1
-other account required pam_winbind.so
-#
-# Default definition for Session management
-# Used when service name is not explicitly mentioned for session management
-#
-other session required pam_unix_session.so.1
-#
-# Default definition for Password management
-# Used when service name is not explicitly mentioned for password management
-#
-other password required pam_dhkeys.so.1
-other password requisite pam_authtok_get.so.1
-other password requisite pam_authtok_check.so.1
-other password required pam_winbind.so
-other password required pam_authtok_store.so.1
-#
-# Support for Kerberos V5 authentication and example configurations can
-# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
-#
-#
-# PAM configuration
-#
-# Unless explicitly defined, all services use the modules
-# defined in the "other" section.
-#
-# Modules are defined with relative pathnames, i.e., they are
-# relative to /usr/lib/security/$ISA. Absolute path names, as
-# present in this file in previous releases are still acceptable.
+# GDM Autologin (explicit because of pam_allow). These need to be
+# here as there is no mechanism for packages to amend pam.conf as
+# they are installed.
 #
-# Authentication management
-#
-# login service (explicit because of pam_dial_auth)
-#
-login auth requisite pam_authtok_get.so.1
-login auth required pam_dhkeys.so.1
-login auth required pam_unix_cred.so.1
-login auth required pam_unix_auth.so.1
-login auth required pam_dial_auth.so.1
-#
-# rlogin service (explicit because of pam_rhost_auth)
-#
-rlogin auth sufficient pam_rhosts_auth.so.1
-rlogin auth requisite pam_authtok_get.so.1
-rlogin auth required pam_dhkeys.so.1
-rlogin auth required pam_unix_cred.so.1
-rlogin auth required pam_unix_auth.so.1
-#
-# Kerberized rlogin service
-#
-krlogin auth required pam_unix_cred.so.1
-krlogin auth binding pam_krb5.so.1
-krlogin auth required pam_unix_auth.so.1
-#
-# rsh service (explicit because of pam_rhost_auth,
-# and pam_unix_auth for meaningful pam_setcred)
-#
-rsh auth sufficient pam_rhosts_auth.so.1
-rsh auth required pam_unix_cred.so.1
-#
-# Kerberized rsh service
-#
-krsh auth required pam_unix_cred.so.1
-krsh auth binding pam_krb5.so.1
-krsh auth required pam_unix_auth.so.1
-#
-# Kerberized telnet service
-#
-ktelnet auth required pam_unix_cred.so.1
-ktelnet auth binding pam_krb5.so.1
-ktelnet auth required pam_unix_auth.so.1
-#
-# PPP service (explicit because of pam_dial_auth)
-#
-ppp auth requisite pam_authtok_get.so.1
-ppp auth required pam_dhkeys.so.1
-ppp auth required pam_unix_cred.so.1
-ppp auth required pam_unix_auth.so.1
-ppp auth required pam_dial_auth.so.1
+gdm-autologin auth required pam_unix_cred.so.1
+gdm-autologin auth sufficient pam_allow.so.1
 #
 # Default definitions for Authentication management
 # Used when service name is not explicitly mentioned for authentication
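Review bot: The comment above the new `gdm-autologin auth sufficient pam_allow.so.1` entry explains why the lines live in this file but not what they grant: with pam_allow, authentication for that service name succeeds without any credential. The same applies to the `gdm-autologin account sufficient pam_allow.so.1` entry in the next hunk. Since this file appears to be a winbind sample that an administrator merges into a live pam.conf, the comment should state the consequence, e.g. `# pam_allow always succeeds: remove the gdm-autologin entries on hosts where GDM autologin is not used`.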
@@ -185,35 +75,51 @@
 other auth requisite pam_authtok_get.so.1
 other auth required pam_dhkeys.so.1
 other auth required pam_unix_cred.so.1
+other auth sufficient pam_winbind.so.1 try_first_pass
 other auth required pam_unix_auth.so.1
 #
 # passwd command (explicit because of a different authentication module)
 #
-passwd auth required pam_passwd_auth.so.1
+passwd auth binding pam_passwd_auth.so.1 server_policy
+passwd auth required pam_winbind.so.1
 #
 # cron service (explicit because of non-usage of pam_roles.so.1)
 #
 cron account required pam_unix_account.so.1
 #
+# cups service (explicit because of non-usage of pam_roles.so.1)
+#
+cups account required pam_unix_account.so.1
+#
+# GDM Autologin (explicit because of pam_allow) This needs to be here
+# as there is no mechanism for packages to amend pam.conf as they are
+# installed.
+#
+gdm-autologin account sufficient pam_allow.so.1
+#
 # Default definition for Account management
 # Used when service name is not explicitly mentioned for account management
 #
 other account requisite pam_roles.so.1
-other account sufficient pam_unix_account.so.1
-other account required pam_winbind.so
+other account sufficient pam_winbind.so.1
+other account binding pam_unix_account.so.1 server_policy
 #
 # Default definition for Session management
 # Used when service name is not explicitly mentioned for session management
 #
 other session required pam_unix_session.so.1
+other session required pam_winbind.so.1 try_first_pass
 #
-# Default definition for Password management
+# Default definition for Password management
 # Used when service name is not explicitly mentioned for password management
 #
 other password required pam_dhkeys.so.1
 other password requisite pam_authtok_get.so.1
-other password requisite pam_authtok_check.so.1
-other password required pam_winbind.so
+# Password construction requirements apply to all users.
+# Remove force_check to have the traditional authorized administrator
+# bypass of construction requirements.
+other password requisite pam_authtok_check.so.1 force_check
+other password sufficient pam_winbind.so.1 try_first_pass
 other password required pam_authtok_store.so.1
 #
 # Support for Kerberos V5 authentication and example configurations can
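Review bot: In the `other account` stack, `sufficient pam_winbind.so.1` now runs before `pam_unix_account.so.1`, so whenever pam_winbind reports success the local account checks are never evaluated. For a name that exists both in the local files and in the domain, that presumably skips local expiry and lock state. The `passwd auth` stack added in this same hunk uses the opposite order, and the account stack could follow it: `other account binding pam_unix_account.so.1 server_policy` first, then `other account required pam_winbind.so.1`, provided pam_unix_account ignores domain-only users under `server_policy` (to be confirmed on a test host). Separately, `try_first_pass` on the new `other session` line is an authentication option and probably has no effect there.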