PAM on Solaris experiences

Steve Langasek vorlon at netexpress.net
Fri Apr 6 20:46:34 GMT 2001


On Fri, 6 Apr 2001, Maurice Hoeneveld wrote:

> First of all thanks to Bruce Hudson and Steve Langasek for their response.

> At least it gave me some ideas to experiment with.
> I did experiment with the pam.conf file a little further. Fortunately there
> are no hints in the README.PAM from ProFTP but the following is what I
> entered in pam.conf

> It goes wrong at the moment I use line
> ftp     account  .....
> I replaced them one by one with the pam_unix module but that gave no solution.
> At the moment I enter the mentioned line again (which is in my opinion the
> one to verify the NT domain for the username/password) it goes wrong

> A part of my pam.conf;

> #ident  "@(#)pam.conf 1.19     95/11/30 SMI"
> #
> # PAM configuration
> #
> # Authentication management
> #
> # for ProFTPd
> ftp     auth    required        /usr/lib/security/pam_smb_auth.so.1 nolocal debug

> ftp     account required        /usr/lib/security/pam_smb_auth.so.1 nolocal debug

  ^^^^

You cannot do this if pam_smb_auth does not supply this functionality (and the
error message you got shows that it doesn't).  The purpose of the 'account'
rules is to check whether the user is *authorized* to access the service.  You
have already verified with the 'auth' line that they have a valid username and
password; the 'account' line is to check whether this user should be allowed
access to the service.  Mostly, this is used for checking if an account is
expired or not; if pam_smb_auth doesn't do this as a separate check, you can
use pam_unix (if you use account expirations in /etc/shadow) or pam_permit.

> ftp     session required        /usr/lib/security/pam_smb_auth.so.1 nolocal debug


Steve Langasek
postmodern programmer
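
The auth/account distinction from the reply above, as an added example that is not part of the original post or of any project's code: a small Python check that parses pam.conf rules and flags a module placed in a management group it does not implement. The `CAPABILITIES` table and the function names are assumptions for illustration; pam_smb_auth is listed as auth-only because the reply says it does not supply 'account'.

```python
import os

VALID_TYPES = {"auth", "account", "session", "password"}

# Assumed capability table (illustrative, not read from the modules themselves).
CAPABILITIES = {
    "pam_smb_auth": {"auth"},
    "pam_unix": {"auth", "account", "session", "password"},
}

def parse_pam_conf(text):
    """Yield (lineno, service, type, control, module_path, args) per rule."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        fields = line.split()
        if len(fields) < 4 or fields[1] not in VALID_TYPES:
            continue                          # not a rule this check understands
        yield lineno, fields[0], fields[1], fields[2], fields[3], fields[4:]

def module_name(path):
    # /usr/lib/security/pam_smb_auth.so.1 -> pam_smb_auth
    return os.path.basename(path).split(".so", 1)[0]

def unsupported_rules(text, capabilities=CAPABILITIES):
    """Return (lineno, service, type, module) for rules the module cannot serve."""
    findings = []
    for lineno, service, mtype, _control, path, _args in parse_pam_conf(text):
        name = module_name(path)
        supported = capabilities.get(name)
        if supported is not None and mtype not in supported:
            findings.append((lineno, service, mtype, name))
    return findings

# Constructed sample based on the fragment quoted in the message.
SAMPLE = """\
# for ProFTPd
ftp     auth    required        /usr/lib/security/pam_smb_auth.so.1 nolocal debug
ftp     account required        /usr/lib/security/pam_smb_auth.so.1 nolocal debug
"""

# Same fragment with the account check handed to pam_unix, as the reply suggests.
FIXED = """\
# for ProFTPd
ftp     auth    required        /usr/lib/security/pam_smb_auth.so.1 nolocal debug
ftp     account required        /usr/lib/security/pam_unix.so.1
"""

if __name__ == "__main__":
    for finding in unsupported_rules(SAMPLE):
        print("line %d: %s %s rule uses %s, which does not implement it" % finding)
```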





More information about the samba-ntdom mailing list