[Samba] Samba PDC trying rid null logins

Reed, Tameika TReed at wa.aacisd.com
Tue Nov 18 01:56:08 GMT 2003




> We are trying to have Linux authenticate to a Linux server running Samba
> 3.0.  We have the XP Pro, 6.2 Red Hat, and 7.3 Red Hat machines.  They all
> authenticate to the Linux server but we are having problems with blank
> passwords or the user can type any password.  We are using PAM modules for
> the authentication on the client machines.
> I have included the config files for the server and the client (smb.conf).
> I have also included the pam_modules setup on the clients.  We want all
> the usernames and passwords stored on the server.  There will not be any
> users on the clients; their information will be pulled from the server.
> This includes telnet, ftp, and logins.  We have got most of this working
> except for the blank passwords.  We have configured this several different
> ways.  This is our latest idea so this is what is in the lab right now.
> 
> We have gotten that to work but we are having problems with null logins.
> In other words, if I type a username and leave the password field blank I
> still can log in.  If I put in a password of any kind I still can get in.
> Also we have changed it so that the null logins are not accepted (at least
> we think) but if you attempt to log in repeatedly you can still get in by
> not typing a password or by typing any password.  I am not sure if the
> Samba PDC does cached logins; if so, I am not aware of how to turn this off
> if this is the case.  I am sending you my config file to see if you can tell
> me if I am going in the right direction and if not how I can correct the
> matter.  This is a mixed environment so there are 6.2, 7.3 and Windows XP
> Pro machines in the setup.  The information that I am sending you deals
> with the Linux clients as Red Hat 6.2 with Samba 2.2.8 and authenticating
> to Red Hat 7.3 with Samba 3.0.0 on the server.
> 
> I am not sure if the PAM modules need to be upgraded for Red Hat 6.2 or if
> this is just totally impossible?
> I did not include the nsswitch.conf file but it is configured as follows
> 
> 
> passwd 	files winbind
> groups		files winbind
> hosts		files winbind
> 
> The iptables and ipchains are turned off on the server and client.
> 
> <<ftp.txt>>  <<sshd.txt>>  <<login.txt>>  <<passwd.txt>>  <<samba.txt>>
> <<smb.conf>>  <<su.txt>>  <<smb_server.conf>>
> 
> Thanks 
> 
> Tameika Reed
> 
-------------- next part --------------
#%PAM-1.0

auth       required	/lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed

#this line was changed should be pam_pwdb
auth       sufficient	/lib/security/pam_winbind.so shadow 

auth       required	/lib/security/pam_shells.so

#this line was changed should be pam_pwdb
account    required	/lib/security/pam_winbind.so

session    required	/lib/security/pam_pwdb.so
-------------- next part --------------
#%PAM-1.0
auth       required     /lib/security/pam_winbind.so shadow nodelay
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_winbind.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_winbind.so shadow use_authtok
session    required     /lib/security/pam_pwdb.so
session    required     /lib/security/pam_limits.so
-------------- next part --------------
#%PAM-1.0
#Requires logins to be from tty
#auth	    required    /lib/security/pam_securetty.so

#Passes environment variables
#auth       required	/lib/security/pam_env.so

#A domain account is sufficient to bypass the rest of the
#auth lines
auth	   sufficient   /lib/security/pam_winbind.so

#if the user doesn't have a domain account then check
#for local unix accounts (root, or unix-smb synced accounts)
auth       sufficient	/lib/security/pam_unix.so use_first_pass likeauth nullok

#If everything above fails, deny
#auth       required	/lib/security/pam_deny.so

#If the above auth lines fail, deny all logins
auth       required	/lib/security/pam_nologin.so

#Check domain account?
account    sufficient   /lib/security/pam_winbind.so
#account    required	/lib/security/pam_unix.so
#account    required	/lib/security/pam_deny.so

#password   required	/lib/security/pam_cracklib.so retry=3
#password   sufficient	/lib/security/pam_unix.so use_authtok md5 shadow
#password   required	/lib/security/pam_deny.so

#Set user limits to resources, ie. cpu, memory, processes, # of 
#concurrent logins, etc.
#session    required    /lib/security/pam_limits.so

#session    required	/lib/security/pam_unix.so

#If the user doesn't have a home directory, then one will be made
#in /home/username
session    required	/lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session	   optional	/lib/security/pam_console.so
-------------- next part --------------
#%PAM-1.0
auth       required	/lib/security/pam_winbind.so shadow 
account    required	/lib/security/pam_winbind.so
password   required	/lib/security/pam_cracklib.so lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 retry=3
password   required	/lib/security/pam_unix.so use_authtok md5 shadow
-------------- next part --------------
auth		required	pam_winbind.so
account		required	pam_winbind.so
session		required	pam_mkhomedir.so skel=/etc/samba/skel umask=0022
password	required	pam_unix.so
-------------- next part --------------
#%PAM-1.0
auth       required     /lib/security/pam_listfile.so onerr=fail item=user sense=allow file=/etc/security/suok
auth       required     /lib/security/pam_wheel.so use_uid
auth       required	/lib/security/pam_pwdb.so shadow 
account    required	/lib/security/pam_pwdb.so
password   required	/lib/security/pam_cracklib.so
password   required	/lib/security/pam_pwdb.so shadow use_authtok 
session    required	/lib/security/pam_pwdb.so
session    optional	/lib/security/pam_xauth.so
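
An added example, not part of the original post: a simplified model of how Linux-PAM combines required, requisite, sufficient and optional results, run on the active auth lines of the attachments above. It assumes pam_listfile, pam_shells and pam_nologin succeed for the user, and the names parse_stack, evaluate and accepts_wrong_password are illustrative.

```python
# Added example: simplified model of Linux-PAM's classic control flags.
# The module classification below is an assumption made for this sketch.
CREDENTIAL = {"pam_winbind.so", "pam_unix.so", "pam_pwdb.so"}  # check a password
ALWAYS_FAIL = {"pam_deny.so"}

def parse_stack(text, mtype="auth"):
    """Return [(control, module)] for the active lines of one module type."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == mtype:
            stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack

def evaluate(stack, failing):
    """Combine results; modules named in `failing` fail, the rest succeed."""
    impression = None                      # None = undecided, True/False = ok/bad
    for control, module in stack:
        if module not in failing:
            if impression is None:
                impression = True
            if control == "sufficient" and impression:
                return True                # success here ends the stack
        elif control in ("required", "requisite"):
            impression = False
            if control == "requisite":
                return False
        # a failed "sufficient" or "optional" module is ignored
    return impression is True

def accepts_wrong_password(text):
    """True if the auth stack succeeds although every password check fails."""
    return evaluate(parse_stack(text), CREDENTIAL | ALWAYS_FAIL)

# Active auth lines copied from the attachments above.
LOGIN = """auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so use_first_pass likeauth nullok
#auth required /lib/security/pam_deny.so
auth required /lib/security/pam_nologin.so"""
FTP = """auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth sufficient /lib/security/pam_winbind.so shadow
auth required /lib/security/pam_shells.so"""
SSHD = """auth required /lib/security/pam_winbind.so shadow nodelay
auth required /lib/security/pam_nologin.so"""
# Constructed variant: the login file with its commented-out pam_deny line enabled.
LOGIN_DENY = LOGIN.replace("#auth required", "auth required")

if __name__ == "__main__":
    for name, conf in [("login", LOGIN), ("ftp", FTP), ("sshd", SSHD), ("login+deny", LOGIN_DENY)]:
        print(f"{name:11} accepts wrong password: {accepts_wrong_password(conf)}")
```

When every password-checking module in a stack is only sufficient, its failure is ignored and the remaining required modules decide the result, so the stack needs a final required pam_deny.so or a required credential module.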

