Also I am not sure these are needed:

idmap uid = 16777216-33554431
idmap gid = 16777216-33554431

You really only need these if you are using an authorization source that
doesn't provide compatible UIDs and GIDs (winbind).

-Ross

> -----Original Message-----
> From: centos-bounces@xxxxxxxxxx
> [mailto:centos-bounces@xxxxxxxxxx] On Behalf Of Ross S. W. Walker
> Sent: Monday, August 06, 2007 2:19 PM
> To: CentOS mailing list
> Subject: RE: help with samba and ldap on centos 5
>
> I think you might need the 'obey pam restrictions = yes' in
> your smb.conf file too.
>
> obey pam restrictions (G)
>     When Samba 3.0 is configured to enable PAM support (i.e. --with-pam),
>     this parameter will control whether or not Samba should obey PAM's
>     account and session management directives. The default behavior is to
>     use PAM for clear text authentication only and to ignore any account
>     or session management. Note that Samba always ignores PAM for
>     authentication in the case of encrypt passwords = yes. The reason is
>     that PAM modules cannot support the challenge/response authentication
>     mechanism needed in the presence of SMB password encryption.
>
>     Default: obey pam restrictions = no
>
> -Ross
>
> ________________________________
>
> From: centos-bounces@xxxxxxxxxx
> [mailto:centos-bounces@xxxxxxxxxx] On Behalf Of Aaron Bliss
> Sent: Monday, August 06, 2007 2:13 PM
> To: CentOS mailing list
> Subject: Re: help with samba and ldap on centos 5
>
> This may be related to centos 5, or more likely the version of samba that
> it ships with, and the option not to encrypt passwords:
> encrypt passwords = no
>
> This same smb.conf file works great in centos 4....any ideas? Thanks.
>
> Aaron
>
> Aaron Bliss wrote:
> > Ross,
> > I re-ran authconfig, system-auth now has what you mentioned, however
> > server still isn't working.....any other ideas?
> >
> > Thanks again.
> > Aaron
> >
> > testparm
> > Load smb config files from /etc/samba/smb.conf
> > Processing section "[ITS]"
> > Processing section "[sysadmin2]"
> > Processing section "[daf]"
> > Processing section "[first share]"
> > Loaded services file OK.
> > Server role: ROLE_STANDALONE
> > Press enter to see a dump of your service definitions
> >
> > [global]
> >         workgroup = ITSN
> >         server string = filecity2
> >         encrypt passwords = No
> >         username map = /etc/samba/smbusers
> >         log level = 1
> >         log file = /var/log/samba/samba.log
> >         max log size = 50
> >         debug timestamp = No
> >         max xmit = 32768
> >         socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=2048 SO_SNDBUF=204
> >         load printers = No
> >         printcap name = /etc/printcap
> >         show add printer wizard = No
> >         dns proxy = No
> >         wins server = 137.21.7.5
> >         ldap ssl = no
> >         idmap uid = 16777216-33554431
> >         idmap gid = 16777216-33554431
> >         template shell = /bin/bash
> >         nt acl support = No
> >         cups options = raw
> >
> > [first share]
> >         comment = test share here
> >         path = /export
> >         valid users = abliss
> >         read only = No
> >
> > Ross S. W. Walker wrote:
> > > Try running this:
> > >
> > > authconfig --kickstart --enablelocauthorize
> > >
> > > And see if that does the trick, what you want to see under 'account'
> > >
> > > account     required      pam_unix.so broken_shadow
> > > account     sufficient    pam_localuser.so
> > > account     sufficient    pam_succeed_if.so uid < 500 quiet
> > > account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
> > > account     required      pam_permit.so
> > >
> > > The above command should do the trick.
> > >
> > > -Ross
> > >
> > > ________________________________
> > >
> > > From: centos-bounces@xxxxxxxxxx
> > > [mailto:centos-bounces@xxxxxxxxxx] On Behalf Of Aaron Bliss
> > > Sent: Monday, August 06, 2007 11:41 AM
> > > To: CentOS mailing list
> > > Subject: Re: help with samba and ldap on centos 5
> > >
> > > Hi Ross,
> > > I used authconfig to configure the box. Here are the configs:
> > >
> > > cat /etc/nsswitch.conf | grep -v \#
> > > passwd:     files ldap
> > > shadow:     files ldap
> > > group:      files ldap
> > > hosts:      files dns
> > > bootparams: nisplus [NOTFOUND=return] files
> > > ethers:     files
> > > netmasks:   files
> > > networks:   files
> > > protocols:  files ldap
> > > rpc:        files
> > > services:   files ldap
> > > netgroup:   files ldap
> > > publickey:  nisplus
> > > automount:  files ldap
> > > aliases:    files nisplus
> > >
> > > cat /etc/pam.d/system-auth
> > > #%PAM-1.0
> > > # This file is auto-generated.
> > > # User changes will be destroyed the next time authconfig is run.
> > > auth        required      pam_env.so
> > > auth        sufficient    pam_unix.so nullok try_first_pass
> > > auth        requisite     pam_succeed_if.so uid >= 500 quiet
> > > auth        sufficient    pam_ldap.so use_first_pass
> > > auth        required      pam_deny.so
> > >
> > > account     required      pam_unix.so broken_shadow
> > > account     sufficient    pam_succeed_if.so uid < 500 quiet
> > > account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
> > > account     required      pam_permit.so
> > >
> > > password    requisite     pam_cracklib.so try_first_pass retry=3
> > > password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
> > > password    sufficient    pam_ldap.so use_authtok
> > > password    required      pam_deny.so
> > >
> > > session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0022
> > > session     optional      pam_keyinit.so revoke
> > > session     required      pam_limits.so
> > > session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> > > session     required      pam_unix.so
> > > session     optional      pam_ldap.so
> > >
> > > cat /etc/sysconfig/authconfig
> > > USEWINBINDAUTH=no
> > > USEKERBEROS=no
> > > USESYSNETAUTH=no
> > > FORCESMARTCARD=no
> > > USESMBAUTH=no
> > > USESMARTCARD=no
> > > USELDAPAUTH=yes
> > > USEWINBIND=no
> > > USESHADOW=yes
> > > USEDB=no
> > > USEHESIOD=no
> > > USEPASSWDQC=no
> > > USELDAP=yes
> > > USELOCAUTHORIZE=no
> > > USEMD5=yes
> > > USECRACKLIB=yes
> > > USENIS=no
> > >
> > > Thanks again.
> > > Aaron
> > >
> > > Ross S. W. Walker wrote:
> > > > -----Original Message-----
> > > > From: centos-bounces@xxxxxxxxxx
> > > > [mailto:centos-bounces@xxxxxxxxxx] On Behalf Of Aaron Bliss
> > > > Sent: Monday, August 06, 2007 11:16 AM
> > > > To: centos@xxxxxxxxxx
> > > > Subject: help with samba and ldap on centos 5
> > > >
> > > > Hi everyone;
> > > > I'm having some trouble with samba on a centos 5 box; the box has
> > > > been configured to authenticate against an ldap server via
> > > > authconfig....authentication for normal use (console, ssh) works
> > > > great....I'm having some trouble with samba using single ldap users
> > > > or local users....It's rather weird, shares in which access
> > > > restrictions are based upon ldap groups are working fine, getent
> > > > group shows local and ldap groups, however attempting to assign
> > > > access to a share for either a single ldap user or a local user
> > > > doesn't work, and produces the following error when trying to hit
> > > > the share:
> > > >
> > > > smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User myuser1 !
> > > >
> > > > For local users, I've added local os accounts as well as accounts in
> > > > the samba database with smbpasswd
> > > > Any ideas?
> > > > Thanks for your help.
> > > >
> > > > Did you use authconfig to configure ldap auth or did you manually
> > > > edit the PAM database?
> > > >
> > > > Can you post a copy of your /etc/sysconfig/authconfig,
> > > > /etc/pam.d/system-auth, and a copy of your /etc/nsswitch.conf?
> > > >
> > > > -Ross
> > > >
> > > > ______________________________________________________________________
> > > > This e-mail, and any attachments thereto, is intended only for use by
> > > > the addressee(s) named herein and may contain legally privileged
> > > > and/or confidential information. If you are not the intended recipient
> > > > of this e-mail, you are hereby notified that any dissemination,
> > > > distribution or copying of this e-mail, and any attachments thereto,
> > > > is strictly prohibited. If you have received this e-mail in error,
> > > > please immediately notify the sender and permanently delete the
> > > > original and any copy or printout thereof.
> > >
> > > _______________________________________________
> > > CentOS mailing list
> > > CentOS@xxxxxxxxxx
> > > http://lists.centos.org/mailman/listinfo/centos
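As an added example, not code from the thread nor from Samba or authconfig, here is a small shell audit of the three files the thread goes back and forth over: smb.conf, the PAM service file, and /etc/sysconfig/authconfig. It reports the settings that decide which authentication path Samba takes: "encrypt passwords" (cleartext password handed to PAM via the smb_pam_passcheck path in Aaron's error, versus Samba's own passdb with PAM ignored for authentication, as the quoted man page says), "obey pam restrictions" (whether the PAM account/session stacks are honoured at all), the pam_localuser.so line Ross's `--enablelocauthorize` adds, and the idmap ranges Ross says are only needed with winbind. The sample file contents are constructed from the values posted in the thread; the temporary file names and the WARN/INFO labels are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread, Samba or authconfig. All inputs below are
# constructed from the values posted in the thread; the file names and the
# WARN/INFO labels are assumptions made here.

TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
SMB_CONF="$TMPD/smb.conf"; PAM_AUTH="$TMPD/system-auth"; AUTHCONF="$TMPD/authconfig"

# Constructed sample: the relevant [global] lines from Aaron's testparm output.
cat > "$SMB_CONF" <<'EOF'
[global]
    workgroup = ITSN
    encrypt passwords = No
    ldap ssl = no
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
[first share]
    path = /export
    valid users = abliss
    read only = No
EOF

# Constructed sample: Aaron's account stack before --enablelocauthorize.
cat > "$PAM_AUTH" <<'EOF'
#%PAM-1.0
account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
EOF

# Constructed sample: the relevant lines of Aaron's /etc/sysconfig/authconfig.
printf 'USEWINBIND=no\nUSELDAPAUTH=yes\nUSELOCAUTHORIZE=no\n' > "$AUTHCONF"

# smb_global_value FILE KEY: print the [global] value of KEY, lowercased.
# Samba matches parameter names ignoring case and whitespace, so
# "Encrypt Passwords" and "encryptpasswords" name the same parameter.
smb_global_value() {
    awk -v want="$(printf '%s' "$2" | tr -d ' \t' | tr 'A-Z' 'a-z')" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { inglobal = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/); next }
        inglobal && index($0, "=") {
            n = index($0, "="); k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/[ \t]/, "", k); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            if (tolower(k) == want) { print tolower(v); exit }
        }' "$1"
}

# smb_bool FILE KEY DEFAULT: print yes or no for a boolean parameter, taking
# the spellings Samba accepts and DEFAULT when the parameter is not set.
smb_bool() {
    v=$(smb_global_value "$1" "$2")
    case "${v:-$3}" in
        yes|true|1|on)  echo yes ;;
        no|false|0|off) echo no ;;
        *) echo "smb_bool: cannot parse '$2 = $v'" >&2; return 1 ;;
    esac
}

# pam_stack_has FILE TYPE MODULE: succeed when a non-comment line of the
# management group TYPE (auth/account/password/session) names MODULE.
pam_stack_has() {
    awk -v t="$2" -v m="$3" '
        /^[ \t]*#/ { next }
        $1 == t && index($0, m) { found = 1 }
        END { exit !found }' "$1"
}

# sysconfig_value FILE NAME: print the value of NAME=value, quotes stripped.
sysconfig_value() {
    awk -F= -v n="$2" '/^[ \t]*#/ { next }
        $1 == n { v = $2; gsub(/^"|"$/, "", v); print v; exit }' "$1"
}

# samba_auth_audit SMB_CONF PAM_FILE AUTHCONFIG: one finding per line, following
# the thread: "encrypt passwords = no" means a clear-text SMB password that Samba
# hands to PAM (smb_pam_passcheck); "yes" means PAM is never used for
# authentication and the user needs a Samba passdb entry. "obey pam restrictions"
# decides whether PAM account/session stacks are honoured, and idmap ranges only
# matter when winbind supplies the IDs.
samba_auth_audit() {
    enc=$(smb_bool "$1" "encrypt passwords" yes) || return 1
    obey=$(smb_bool "$1" "obey pam restrictions" no) || return 1
    if [ "$enc" = no ]; then
        echo "WARN encrypt passwords = no: clear-text SMB password, PAM does authentication"
    else
        echo "INFO encrypt passwords = yes: PAM not used for authentication, passdb entry needed"
    fi
    [ "$obey" = yes ] ||
        echo "WARN obey pam restrictions = no: PAM account/session stacks are ignored"
    pam_stack_has "$2" account pam_localuser.so ||
        echo "INFO account stack has no pam_localuser.so (authconfig --enablelocauthorize adds it)"
    if [ -n "$(smb_global_value "$1" "idmap uid")" ] &&
       [ "$(sysconfig_value "$3" USEWINBIND)" = no ]; then
        echo "INFO idmap uid/gid set but USEWINBIND=no: the ranges are not needed"
    fi
}

samba_auth_audit "$SMB_CONF" "$PAM_AUTH" "$AUTHCONF"
```

To run it against a real host, point the three variables at /etc/samba/smb.conf, /etc/pam.d/system-auth and /etc/sysconfig/authconfig instead of the constructed samples. The one finding worth acting on rather than just reading is the first: "encrypt passwords = no" is what makes PAM (and therefore pam_ldap) do the authentication, but it also means the password crosses the network in clear text, and Windows clients have refused to send plaintext SMB passwords by default since NT 4 SP3 unless EnablePlainTextPassword is set.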