On Saturday, 28 July 2007 21:30, Heiko Harders wrote:
> Hi,
>
> I'm trying to configure PAM for my needs all day now, but I can't get it
> right.
> I have an LDAP server which contains the user login information for my
> users. This server also serves the home directories using NFS.
>
> On my clients I use pam_ldap to authenticate and I use pam_mount to
> mount the home directories whenever a user logs on. This works fine. The
> problem is, whenever a local user on the client logs on, pam_mount tries
> to mount a home directory from the server. In my pam configuration I
> would like to specify that pam_mount shouldn't be executed whenever a
> local user logs on. But I can't figure out how.

What about uids? Normally the local user uids occupy a different range, say e.g. 0 - 1000, and the LDAP uids are above that range. I don't know if pam_mount can distinguish this, but pam_cifs can do that. You only have to export your users' homes via Samba (using LDAP as well). Don't forget to mount the CIFS shares with the option serverino, otherwise you will have problems with KDE files in users' home dirs.

> I use the default files
> in my '/etc/pam.d/' directory and I've modified the 'common-*' files in
> the following way:
>
> common-account:
> account sufficient pam_ldap.so
> account required pam_unix.so
>
> common-auth:
> auth required pam_mount.so
> auth sufficient pam_ldap.so use_first_pass
> auth sufficient pam_unix.so nullok_secure use_first_pass
>
> common-password:
> password sufficient pam_ldap.so
> password required pam_unix.so nullok obscure min=4 max=8 md5
>
> common-session:
> session optional pam_foreground.so
> ## I think I should add something over here
> session required pam_mount.so
> session sufficient pam_ldap.so
> session required pam_unix.so
>
> I've tried to add a line in the common-session file, something like this:
> session [user_unknown=2 default=ignore] pam_ldap.so
> Hoping this would skip the next 2 lines if the user wasn't found on the
> ldap server. But this doesn't seem to work. The following line did work,
> but doesn't do what I want:
> session [default=2] pam_ldap.so
> In this case ALL users skip the next two lines.
>
> Has anyone a clue what I'm doing wrong? Is there something wrong in my
> syntax? Or is the complex approach wrong?
>
> Greetings,
> Heiko

--
Wilhelm

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
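The uid-range idea from the reply can be written into the session stack itself with pam_succeed_if, a standard Linux-PAM module, placed in front of pam_mount. The following is an added example, not part of either message: a simplified Python model of PAM's `[value=N]` jumps run over a constructed stack; the 1000 threshold and the module return codes are assumptions.

```python
# Added example: simplified model of Linux-PAM "[value=N]" jumps (not real PAM).
import re

# Constructed session stack: line 1 jumps over pam_mount when uid < 1000.
STACK = """\
session [success=1 default=ignore] pam_succeed_if.so uid < 1000 quiet
session required pam_mount.so
session sufficient pam_ldap.so
session required pam_unix.so
"""

# Keyword controls written out in bracket form, as in pam.conf(5).
KEYWORDS = {
    "required": {"success": "ok", "ignore": "ignore", "default": "bad"},
    "sufficient": {"success": "done", "default": "ignore"},
}

def parse(stack):
    rules = []
    for line in stack.splitlines():
        m = re.match(r"\w+\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)", line)
        control, module, args = m.groups()
        if control.startswith("["):
            actions = dict(p.split("=") for p in control[1:-1].split())
        else:
            actions = KEYWORDS[control]
        rules.append((actions, module, args))
    return rules

def modules_run(stack, uid, results=None):
    """Return the modules that execute for `uid`, in order."""
    results = results or {}          # assumed return code per module
    ran, skip = [], 0
    for actions, module, args in parse(stack):
        if skip:                     # still inside a jump: module is not called
            skip -= 1
            continue
        if module == "pam_succeed_if.so":
            m = re.search(r"uid\s*<\s*(\d+)", args)
            code = "success" if uid < int(m.group(1)) else "auth_err"
        else:
            code = results.get(module, "success")
        ran.append(module)
        action = actions.get(code, actions.get("default", "bad"))
        if action.isdigit():
            skip = int(action)       # jump over the next N modules
        elif action in ("done", "die"):
            break
    return ran
```

The auth stack in common-auth also calls pam_mount, so the same guard line would be needed there as well.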