# FreeBSD, GDM, sudo and PAM



## scolyo (Feb 22, 2012)

Hi folks,

I'm trying to fully integrate my FreeBSD box into my Active Directory. I successfully got sshd working against the AD, but not GDM and sudo.

I have all the AD users in the GDM list, but I can't log in. So I tried to use a file called /etc/pam.d/gdm that contains the same things as for the sshd service:


```
auth		sufficient	pam_opie.so		no_warn no_fake_prompts
auth		sufficient	/usr/local/lib/pam_winbind.so
auth		requisite	pam_opieaccess.so	no_warn allow_local
#auth		sufficient	pam_krb5.so		no_warn try_first_pass
#auth		sufficient	pam_ssh.so		no_warn try_first_pass
auth		required	pam_unix.so		no_warn try_first_pass

# account
account		required	pam_nologin.so
#account	required	pam_krb5.so
account		required	pam_login_access.so
account		required	pam_unix.so

# session
#session	optional	pam_ssh.so		want_agent
session		required	/usr/local/lib/pam_mkhomedir.so
session		required	pam_permit.so

# password
#password	sufficient	pam_krb5.so		no_warn try_first_pass
password	required	pam_unix.so		no_warn try_first_pass
```

But what I don't understand is that the file is renamed gdm_disabled by the system.

Anyone who could explain to me what's happening and how to log in with GDM and GNOME on my FreeBSD box against my AD users will be my hero. The same goes for sudo: is there a PAM config file somewhere for using sudo with AD users?

Thanks in advance

PS: My system is FreeBSD 9.0 Release amd64, up to date.


----------



## scolyo (Feb 24, 2012)

I found the solution:

In /usr/local/etc/pam.d/gdm:

```
#
# $FreeBSD: ports/x11/gdm/files/gdm.pam.in,v 1.7 2010/07/25 19:35:05 kwm Exp $
#    $MCom: ports-stable/x11/gdm/files/gdm.pam.in,v 1.3 2010/07/21 13:50:46 kwm Exp $
#
# PAM configuration for the "gdm" service
#

# auth
#auth		sufficient	pam_krb5.so		no_warn try_first_pass
#auth		sufficient	pam_ssh.so		no_warn try_first_pass
auth		sufficient	/usr/local/lib/pam_winbind.so
auth		required	pam_unix.so		no_warn try_first_pass
auth		optional	/usr/local/lib/pam_gnome_keyring.so

# account
account		required	pam_nologin.so
#account 	required	pam_krb5.so
account		required	pam_unix.so

# session
#session 	optional	pam_ssh.so
session		required	/usr/local/lib/pam_mkhomedir.so
session		required	pam_permit.so
session		optional	/usr/local/lib/pam_gnome_keyring.so	auto_start
```

And in /usr/local/etc/pam.d/sudo:

```
#
# $FreeBSD: ports/security/sudo/files/pam.conf,v 1.5 2008/04/09 16:44:28 tmclaugh Exp $
#
# PAM configuration for the "sudo" service
#

# auth

auth		sufficient	/usr/local/lib/pam_winbind.so
auth		include		system

# account
account		include		system

# session
# XXX: pam_lastlog (used in system) causes users to appear as though
# they are no longer logged in in system logs.
session		required	pam_permit.so

# password
password	include		system
```

Any comments are welcome.

Thanks


----------
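
As an added example (not part of the thread, and not OpenPAM's own code), the sketch below parses the auth lines of the gdm file posted above and walks them under a simplified model of the `required`, `requisite`, `sufficient` and `optional` control flags. The per-module outcomes in `SCENARIOS` are constructed assumptions, and the function names are hypothetical.

```python
# Added example: simplified model of PAM control flags, not OpenPAM's code.
# The stack is the auth/account part of the gdm file quoted in the thread.
GDM_PAM = """\
# auth
#auth		sufficient	pam_krb5.so		no_warn try_first_pass
auth		sufficient	/usr/local/lib/pam_winbind.so
auth		required	pam_unix.so		no_warn try_first_pass
auth		optional	/usr/local/lib/pam_gnome_keyring.so
# account
account		required	pam_nologin.so
account		required	pam_unix.so
"""

def parse(text):
    """Return {facility: [(control, module), ...]}, ignoring comments."""
    chains = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3:
            facility, control, path = fields[:3]
            chains.setdefault(facility, []).append((control, path.rsplit("/", 1)[-1]))
    return chains

def run_chain(chain, outcomes):
    """Walk a chain with assumed per-module results (True = module succeeds).
    Returns (chain_result, modules_that_ran)."""
    failed, succeeded, ran = False, False, []
    for control, module in chain:
        ran.append(module)
        if outcomes[module]:
            succeeded = True
            if control == "sufficient" and not failed:
                break            # chain is broken here; later modules never run
        elif control in ("required", "requisite"):
            failed = True        # result is now failure
            if control == "requisite":
                break            # requisite also stops the chain
    # Assumption: a chain in which no module succeeded counts as failure.
    return (succeeded and not failed), ran

# Constructed outcomes: which module accepts the password for each kind of login.
SCENARIOS = {
    "AD user":      {"pam_winbind.so": True,  "pam_unix.so": False, "pam_gnome_keyring.so": True},
    "local user":   {"pam_winbind.so": False, "pam_unix.so": True,  "pam_gnome_keyring.so": True},
    "bad password": {"pam_winbind.so": False, "pam_unix.so": False, "pam_gnome_keyring.so": True},
}

if __name__ == "__main__":
    auth = parse(GDM_PAM)["auth"]
    for name, outcomes in SCENARIOS.items():
        print(name, run_chain(auth, outcomes))
```

In this model the AD login stops at `pam_winbind.so`, so the auth-phase `pam_gnome_keyring.so` line is only reached for logins that fall through to `pam_unix.so`.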

