Re: help with samba and ldap on centos 5

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



Darn, still no dice...this is so weird....

Aaron

Ross S. W. Walker wrote:
 
I think you might need the 'obey pam restrictions = yes' in your smb.conf file too.
 
       obey pam restrictions (G)
              When Samba  3.0  is  configured  to  enable  PAM  support  (i.e.
              --with-pam),  this  parameter  will control whether or not Samba
              should obey PAM's account and session management directives. The
              default  behavior  is  to  use PAM for clear text authentication
              only and to ignore any account or session management. Note  that
              Samba  always  ignores  PAM  for  authentication  in the case of
              encrypt passwords = yes. The reason is that PAM  modules  cannot
              support  the  challenge/response authentication mechanism needed
              in the presence of SMB password encryption.
 
              Default: obey pam restrictions = no
-Ross
 


From: centos-bounces@xxxxxxxxxx [mailto:centos-bounces@xxxxxxxxxx] On Behalf Of Aaron Bliss
Sent: Monday, August 06, 2007 2:13 PM
To: CentOS mailing list
Subject: Re: help with samba and ldap on centos 5

This may be related to centos 5, or more likely the version of samba that it ships with, and the option not to encrypt passwords:
encrypt passwords = no

This same smb.conf file works great in centos 4....any ideas?  Thanks.

Aaron

Aaron Bliss wrote:
Ross,
I re-ran authconfig, system-auth now has what you mentioned, however server still isn't working.....any other ideas?

Thanks again.
Aaron

testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[ITS]"
Processing section "[sysadmin2]"
Processing section "[daf]"
Processing section "[first share]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
        workgroup = ITSN
        server string = filecity2
        encrypt passwords = No
        username map = /etc/samba/smbusers
        log level = 1
        log file = /var/log/samba/samba.log
        max log size = 50
        debug timestamp = No
        max xmit = 32768
        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=2048 SO_SNDBUF=204
        load printers = No
        printcap name = /etc/printcap
        show add printer wizard = No
        dns proxy = No
        wins server = 137.21.7.5
        ldap ssl = no
        idmap uid = 16777216-33554431
        idmap gid = 16777216-33554431
        template shell = /bin/bash
        nt acl support = No
        cups options = raw

[first share]
        comment = test share here
        path = /export
        valid users = abliss
        read >

Ross S. W. Walker wrote:
 
Try running this:
 
authconfig --kickstart --enablelocauthorize
 
And see if that does the trick, what you want to see under 'account'
 
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
 
The above command should do the trick.
 
-Ross
 


From: centos-bounces@xxxxxxxxxx [mailto:centos-bounces@xxxxxxxxxx] On Behalf Of Aaron Bliss
Sent: Monday, August 06, 2007 11:41 AM
To: CentOS mailing list
Subject: Re: help with samba and ldap on centos 5

Hi Ross,
I used authconfig to configure the box.  Here are the configs:

cat /etc/nsswitch.conf | grep -v \#
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files ldap
rpc:        files
services:   files ldap
netgroup:   files ldap
publickey:  nisplus
automount:  files ldap
aliases:    files nisplus

cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session    required    pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

cat /etc/sysconfig/authconfig
USEWINBINDAUTH=no
USEKERBEROS=no
USESYSNETAUTH=no
FORCESMARTCARD=no
USESMBAUTH=no
USESMARTCARD=no
USELDAPAUTH=yes
USEWINBIND=no
USESHADOW=yes
USEDB=no
USEHESIOD=no
USEPASSWDQC=no
USELDAP=yes
USELOCAUTHORIZE=no
USEMD5=yes
USECRACKLIB=yes
USENIS=no

Thanks again.
Aaron

Ross S. W. Walker wrote:
-----Original Message-----
From: centos-bounces@xxxxxxxxxx 
[mailto:centos-bounces@xxxxxxxxxx] On Behalf Of Aaron Bliss
Sent: Monday, August 06, 2007 11:16 AM
To: centos@xxxxxxxxxx
Subject:  help with samba and ldap on centos 5

Hi everyone; I'm having some trouble with samba on a centos 5 
box; the 
box has been configured to authenticate against an ldap server via 
authconfig....authentication for normal use (console, ssh) works 
great....I'm having some trouble with samba using single ldap 
users or 
local users....It's rather weird, shares in which access restrictions 
are based upon ldap groups are working fine, getent group shows local 
and ldap groups, however attempting to assign access to a share for 
either a single ldap user or a local user doesn't work, and 
produces the 
following error when trying to hit the share:
smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User myuser1 !

For local users, I've added local os accounts as well as 
accounts in the 
samba database with smbpasswd
Any ideas? Thanks for your help.
    

Did you use authconfig to configure ldap auth or did you manually edit
the PAM database?

Can you post a copy of your /etc/sysconfig/authconfig,
/etc/pam.d/system-auth, and a copy of your /etc/nsswitch.conf?

-Ross

______________________________________________________________________
This e-mail, and any attachments thereto, is intended only for use by
the addressee(s) named herein and may contain legally privileged
and/or confidential information. If you are not the intended recipient
of this e-mail, you are hereby notified that any dissemination,
distribution or copying of this e-mail, and any attachments thereto,
is strictly prohibited. If you have received this e-mail in error,
please immediately notify the sender and permanently delete the
original and any copy or printout thereof.

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
  

This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution or copying of this e-mail, and any attachments thereto, is strictly prohibited. If you have received this e-mail in error, please immediately notify the sender and permanently delete the original and any copy or printout thereof.

_______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos

This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution or copying of this e-mail, and any attachments thereto, is strictly prohibited. If you have received this e-mail in error, please immediately notify the sender and permanently delete the original and any copy or printout thereof.

_______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos

[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux