[Samba] root login using /etc/shadow bypassing winbind / ADS
security
Bruce Speidel
Bruce.Speidel at qwest.com
Fri Sep 23 02:36:51 GMT 2005
I'm wondering if anyone has tried use local Solaris NSS files for
root-only login VIA the console or ssh - effectively bypassing
domain security to the PDC using ADS - Windows 2003 AD?
I am not having a problem logging as the non-admin user.
I wish to login to the root account that would not be part
of the ADS domain security eventually over an ssh connection
or directly to /dev/console via a serial link. SSH - next step
after this issue is solved!
My /opt/samba/smb.conf on Solaris 9 file looks like:
[global]
workgroup = ADTEST
realm = ADTEST.AD.LAB
server string = %h server (Samba %v)
security = ADS
update encrypted = Yes
username map = /etc/samba/smbusers
log level = 10
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
preferred master = No
local master = No
domain master = No
dns proxy = No
ldap ssl = no
idmap uid = 500-100000000
idmap gid = 500-100000000
template shell = /bin/bash
winbind cache time = 10
winbind use default domain = Yes
winbind trusted domains only = Yes
winbind nested groups = Yes
[homes]
valid users = %S
read only = No
browseable = No
/etc/nsswitch.conf:
passwd: files winbind
group: files winbind
hosts: files dns winbind
ipnodes: files
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
# At present there isn't a 'files' backend for netgroup; the system
will
# figure it out pretty quickly, and won't use netgroups at all.
netgroup: files
automount: files
aliases: files
services: files
sendmailvars: files
printers: user files
auth_attr: files
prof_attr: files
project: files
/etc/pam.conf:
#
#ident "@(#)pam.conf 1.20 02/01/23 SMI"
#
# Copyright 1996-2002 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth required /usr/lib/security/pam_winbind.so
try_first_pass
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_auth.so.1 try_first_pass
login auth required pam_dial_auth.so.1 try_first_pass
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient /usr/lib/security/pam_winbind.so
try_first_pass
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
other auth sufficient /usr/lib/security/pam_winbind.so
try_first_pass
rsh auth required pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authenctication
#
other auth sufficient /usr/lib/security/pam_winbind.so
try_first_pass
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_auth.so.1 try_first_pass
#
# passwd command (explicit because of a different authentication module)
#
passwd auth required pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_projects.so.1
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account
management
#
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account required pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session
management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password
management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin auth optional pam_krb5.so.1 try_first_pass
#login auth optional pam_krb5.so.1 try_first_pass
#other auth optional pam_krb5.so.1 try_first_pass
#cron account optional pam_krb5.so.1
#other account optional pam_krb5.so.1
#other session optional pam_krb5.so.1
#other password optional pam_krb5.so.1 try_first_pass
Thanks in advance!
Bruce
More information about the samba
mailing list