PAM on Solaris experiences

Steve Langasek vorlon at
Fri Apr 6 20:46:34 GMT 2001

On Fri, 6 Apr 2001, Maurice Hoeneveld wrote:

> First of all thanks to Bruce Hudson and Steve Langasek for their response.

> At least it gave me some ideas to experiment with.
> I did experiment with the pam.conf file a little further. Fortunatly there
> are nno hints in the README.PAM from ProFTP but the following is what I
> entered in pam.conf

> It goes wrong at the moment I use line
> ftp     account  .....
> I replaced them one by one with the pam_unix module but that gave no solution.
> At the moment I enter the mentioned line again (which is in my opinion the
> one to verify the NT domain for the username/password it goes wrong

> A part of my pam.conf;

> #ident  "@(#)pam.conf 1.19     95/11/30 SMI"
> #
> # PAM configuration
> #
> # Authentication management
> #
> # for ProFTPd
> ftp     auth    required        /usr/lib/security/ nolocal debug

> ftp     account required        /usr/lib/security/ nolocal debug


You cannot do this if pam_smb_auth does not supply this functionality (and the
error message you got shows that it doesn't).  The purpose of the 'account'
rules is to check whether the user is *authorized* to access the service.  You
have already verified with the 'auth' line that they have a valid username and
password, the 'account' line is to check whether this user should be allowed
access to the service.  Mostly, this is used for checking if an account is
expired or not; if pam_smb_auth doesn't do this as a separate check, you can
use pam_unix (if you use account expirations in /etc/shadow) or pam_permit.

> ftp     session required        /usr/lib/security/ nolocal debug

Steve Langasek
postmodern programmer

More information about the samba-ntdom mailing list