What I need to get working: A switch so that any domain user logging on will automatically have home mapped to their share on the win2k server (we have 3 fileservers for the user accounts). In an earlier message, Jerry pointed me to pam_mount.so, which I see in /lib/security, but I don't have any documentation on how to use it, and so far Google hasn't brought any joy either. Can someone help?

*************************************************************************

This is all quite possible, but we need to do a bit of work to integrate the components. Currently pam_winbind can't tell pam_mount what server to mount, for example. Also, we have the problem of special files over CIFS - your Win2k server probably will not like attempts to create symbolic links.

At the very least what we need to do is modify pam_winbind to store a token containing the homedir location, for pam_mount to pinch.

Andrew Bartlett

*************************************************************************

Ok. Before I start digging into the source I wanted to ask if this is an appropriate question to put to samba-technical. Also, to clarify, when you use the word "we" here, are you referring to you and I, or you and the rest of the intrepid Samba team? While I will happily do what I can, I'm not sure that I'd be much help when it comes to editing much more than a shell script =]

*************************************************************************

'we' probably refers to whoever decides to take on doing some code in this project ;-)

It isn't actually that hard. What you need to do is cause nsswitch/winbind_pam.c to return the extra information as in a structured string format. pam_winbind then reads the extra strings off the end of the logon reply, and stashes the information away. We already return the NDR encoded form of this data, but that isn't much use for external tools such as pam_mount.

File a bug against this, so it can be tracked. Pick ntlm_auth as the component (that is where the implementation should start, then put it into pam_winbind).

Andrew Bartlett

It seems to me that one big component of this is that when a user logs in, Samba >should< pick up a Kerberos ticket for that user, but this is not what is happening in my case at least. klist shows that the primary ticket is set to the domain user who is logged in, but kinit is not occurring - I have to actually run kinit (and enter the password) to pick up the ticket. It is only then that I can use the ticket for smbclient, etc. to get into my home directory. Is this a secondary bug, or do I just need to fix a config issue?
later. no one has touched it in a year.