7069817 ADS authentication via winbind fails for ssh after patch Samba 3.5.8 update patch is installed build-174
authorJiri Sasek <Jiri.Sasek@Sun.COM>
Wed, 31 Aug 2011 06:50:24 -0700
changeset 504 1e7038bb308c
parent 503 ce18ad078a65
child 505 310ffa9f1045
7069817 ADS authentication via winbind fails for ssh after patch Samba 3.5.8 update patch is installed 7028089 Local user account password management fails with winbind active in PAM and nsswitch.conf
components/samba/samba/Solaris/pam.conf-winbind
--- a/components/samba/samba/Solaris/pam.conf-winbind	Tue Aug 30 11:01:10 2011 -0700
+++ b/components/samba/samba/Solaris/pam.conf-winbind	Wed Aug 31 06:50:24 2011 -0700
@@ -1,24 +1,8 @@
 #
-# CDDL HEADER START
-#
-# The contents of this file are subject to the terms of the
-# Common Development and Distribution License (the "License").
-# You may not use this file except in compliance with the License.
+# 
 #
-# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
-# or http://www.opensolaris.org/os/licensing.
-# See the License for the specific language governing permissions
-# and limitations under the License.
 #
-# When distributing Covered Code, include this CDDL HEADER in each
-# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
-# If applicable, add the following below this CDDL HEADER, with the
-# fields enclosed by brackets "[]" replaced with your own identifying
-# information: Portions Copyright [yyyy] [name of copyright owner]
-#
-# CDDL HEADER END
-#
-# Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved.
 #
 # PAM configuration
 #
@@ -36,7 +20,8 @@
 login	auth requisite		pam_authtok_get.so.1
 login	auth required		pam_dhkeys.so.1
 login	auth required		pam_unix_cred.so.1
-login	auth required		pam_unix_auth.so.1
+login	auth sufficient		pam_winbind.so.1	try_first_pass
+login	auth binding		pam_unix_auth.so.1	server_policy
 login	auth required		pam_dial_auth.so.1
 #
 # rlogin service (explicit because of pam_rhost_auth)
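Review bot: In the `login` auth stack the two new control flags leave `pam_dial_auth.so.1` unreachable on every successful path, because both `sufficient` (pam_winbind) and `binding` (pam_unix_auth) return success immediately without calling later modules. The stanza exists explicitly because of pam_dial_auth, so the dial-up check should run before either of them: move `login auth required pam_dial_auth.so.1` above the `pam_winbind.so.1` line. Note also that only `login` gets `binding ... server_policy` on pam_unix_auth, while `rlogin` and `other` keep `required`; if that difference is intended, a one-line comment should say why. The start of the login stanza lies outside this hunk.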
@@ -45,13 +30,13 @@
 rlogin	auth requisite		pam_authtok_get.so.1
 rlogin	auth required		pam_dhkeys.so.1
 rlogin	auth required		pam_unix_cred.so.1
+rlogin	auth sufficient		pam_winbind.so.1	try_first_pass
 rlogin	auth required		pam_unix_auth.so.1
 #
 # Kerberized rlogin service
 #
 krlogin	auth required		pam_unix_cred.so.1
-krlogin	auth binding		pam_krb5.so.1
-krlogin	auth required		pam_unix_auth.so.1
+krlogin	auth required		pam_krb5.so.1
 #
 # rsh service (explicit because of pam_rhost_auth,
 # and pam_unix_auth for meaningful pam_setcred)
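Review bot: The `krlogin` stack loses its local-password path here: `binding pam_krb5` followed by `required pam_unix_auth` becomes a single `krlogin auth required pam_krb5.so.1`, and the next hunk does the same for `krsh` and `ktelnet`. The commit description covers only the winbind/ssh and local password problems, so it is not clear that removing the fallback for Kerberized services is intended. If it is, record it next to the entries, for example `# pam_krb5 only: no pam_unix_auth fallback for Kerberized services`, so that an administrator merging this template does not lose access for accounts that have no Kerberos principal.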
@@ -62,14 +47,12 @@
 # Kerberized rsh service
 #
 krsh	auth required		pam_unix_cred.so.1
-krsh	auth binding		pam_krb5.so.1
-krsh	auth required		pam_unix_auth.so.1
+krsh	auth required		pam_krb5.so.1
 #
 # Kerberized telnet service
 #
 ktelnet	auth required		pam_unix_cred.so.1
-ktelnet	auth binding		pam_krb5.so.1
-ktelnet	auth required		pam_unix_auth.so.1
+ktelnet	auth required		pam_krb5.so.1
 #
 # PPP service (explicit because of pam_dial_auth)
 #
@@ -79,105 +62,12 @@
 ppp	auth required		pam_unix_auth.so.1
 ppp	auth required		pam_dial_auth.so.1
 #
-# Default definitions for Authentication management
-# Used when service name is not explicitly mentioned for authentication
-#
-other	auth requisite		pam_authtok_get.so.1
-other	auth required		pam_dhkeys.so.1
-other	auth required		pam_unix_cred.so.1
-other	auth required		pam_unix_auth.so.1
-#
-# passwd command (explicit because of a different authentication module)
-#
-passwd	auth required		pam_passwd_auth.so.1
-#
-# cron service (explicit because of non-usage of pam_roles.so.1)
-#
-cron	account required	pam_unix_account.so.1
-#
-# Default definition for Account management
-# Used when service name is not explicitly mentioned for account management
-#
-other	account requisite	pam_roles.so.1
-other	account sufficient	pam_unix_account.so.1
-other	account required	pam_winbind.so
-#
-# Default definition for Session management
-# Used when service name is not explicitly mentioned for session management
-#
-other	session required	pam_unix_session.so.1
-#
-# Default definition for  Password management
-# Used when service name is not explicitly mentioned for password management
-#
-other	password required	pam_dhkeys.so.1
-other	password requisite	pam_authtok_get.so.1
-other	password requisite	pam_authtok_check.so.1
-other	password required	pam_winbind.so
-other	password required	pam_authtok_store.so.1
-#
-# Support for Kerberos V5 authentication and example configurations can
-# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
-#
-#
-# PAM configuration
-#
-# Unless explicitly defined, all services use the modules
-# defined in the "other" section.
-#
-# Modules are defined with relative pathnames, i.e., they are
-# relative to /usr/lib/security/$ISA. Absolute path names, as
-# present in this file in previous releases are still acceptable.
+# GDM Autologin (explicit because of pam_allow).  These need to be
+# here as there is no mechanism for packages to amend pam.conf as
+# they are installed.
 #
-# Authentication management
-#
-# login service (explicit because of pam_dial_auth)
-#
-login	auth requisite		pam_authtok_get.so.1
-login	auth required		pam_dhkeys.so.1
-login	auth required		pam_unix_cred.so.1
-login	auth required		pam_unix_auth.so.1
-login	auth required		pam_dial_auth.so.1
-#
-# rlogin service (explicit because of pam_rhost_auth)
-#
-rlogin	auth sufficient		pam_rhosts_auth.so.1
-rlogin	auth requisite		pam_authtok_get.so.1
-rlogin	auth required		pam_dhkeys.so.1
-rlogin	auth required		pam_unix_cred.so.1
-rlogin	auth required		pam_unix_auth.so.1
-#
-# Kerberized rlogin service
-#
-krlogin	auth required		pam_unix_cred.so.1
-krlogin	auth binding		pam_krb5.so.1
-krlogin	auth required		pam_unix_auth.so.1
-#
-# rsh service (explicit because of pam_rhost_auth,
-# and pam_unix_auth for meaningful pam_setcred)
-#
-rsh	auth sufficient		pam_rhosts_auth.so.1
-rsh	auth required		pam_unix_cred.so.1
-#
-# Kerberized rsh service
-#
-krsh	auth required		pam_unix_cred.so.1
-krsh	auth binding		pam_krb5.so.1
-krsh	auth required		pam_unix_auth.so.1
-#
-# Kerberized telnet service
-#
-ktelnet	auth required		pam_unix_cred.so.1
-ktelnet	auth binding		pam_krb5.so.1
-ktelnet	auth required		pam_unix_auth.so.1
-#
-# PPP service (explicit because of pam_dial_auth)
-#
-ppp	auth requisite		pam_authtok_get.so.1
-ppp	auth required		pam_dhkeys.so.1
-ppp	auth required		pam_unix_cred.so.1
-ppp	auth required		pam_unix_auth.so.1
-ppp	auth required		pam_dial_auth.so.1
+gdm-autologin auth  required    pam_unix_cred.so.1
+gdm-autologin auth  sufficient  pam_allow.so.1
 #
 # Default definitions for Authentication management
 # Used when service name is not explicitly mentioned for authentication
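Review bot: `gdm-autologin auth sufficient pam_allow.so.1` makes authentication for that service name succeed without any credential, and the matching `gdm-autologin account sufficient pam_allow.so.1` in the last hunk means the `other` account stack (pam_roles, pam_unix_account) is never consulted for it. This file is a winbind template that may be installed on hosts that do not run GDM, so the added comment should state the consequence and not only the packaging reason, for example `# pam_allow performs no authentication or account check; remove these entries unless GDM autologin is in use`. Shipping both entries commented out would be the safer default if the template is not GDM-specific.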
@@ -185,35 +75,51 @@
 other	auth requisite		pam_authtok_get.so.1
 other	auth required		pam_dhkeys.so.1
 other	auth required		pam_unix_cred.so.1
+other	auth sufficient		pam_winbind.so.1	try_first_pass
 other	auth required		pam_unix_auth.so.1
 #
 # passwd command (explicit because of a different authentication module)
 #
-passwd	auth required		pam_passwd_auth.so.1
+passwd	auth binding		pam_passwd_auth.so.1	server_policy
+passwd	auth required		pam_winbind.so.1
 #
 # cron service (explicit because of non-usage of pam_roles.so.1)
 #
 cron	account required	pam_unix_account.so.1
 #
+# cups service (explicit because of non-usage of pam_roles.so.1)
+#
+cups	account	required	pam_unix_account.so.1
+#
+# GDM Autologin (explicit because of pam_allow) This needs to be here
+# as there is no mechanism for packages to amend pam.conf as they are
+# installed.
+#
+gdm-autologin account  sufficient  pam_allow.so.1
+#
 # Default definition for Account management
 # Used when service name is not explicitly mentioned for account management
 #
 other	account requisite	pam_roles.so.1
-other	account sufficient	pam_unix_account.so.1
-other	account required	pam_winbind.so
+other	account sufficient	pam_winbind.so.1
+other	account binding		pam_unix_account.so.1	server_policy
 #
 # Default definition for Session management
 # Used when service name is not explicitly mentioned for session management
 #
 other	session required	pam_unix_session.so.1
+other	session required	pam_winbind.so.1	try_first_pass
 #
-# Default definition for  Password management
+# Default definition for Password management
 # Used when service name is not explicitly mentioned for password management
 #
 other	password required	pam_dhkeys.so.1
 other	password requisite	pam_authtok_get.so.1
-other	password requisite	pam_authtok_check.so.1
-other	password required	pam_winbind.so
+# Password construction requirements apply to all users.
+# Remove force_check to have the traditional authorized administrator
+# bypass of construction requirements.
+other	password requisite	pam_authtok_check.so.1	force_check
+other	password sufficient	pam_winbind.so.1	try_first_pass
 other	password required	pam_authtok_store.so.1
 #
 # Support for Kerberos V5 authentication and example configurations can
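Review bot: `try_first_pass` is applied inconsistently to the new pam_winbind lines: it is set on `other session required pam_winbind.so.1`, where no password is collected, and missing from `passwd auth required pam_winbind.so.1`, the only winbind auth entry without it. The omission on `passwd` may be deliberate, since that stack has no pam_authtok_get ahead of it, but a comment should say so, and the option should be dropped from the session line. Separately, `required` on the session line makes session setup for every service that uses `other` depend on pam_winbind; if local logins must still work when winbindd is unavailable, confirm that the module returns success in that case or use a weaker control flag.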