[Fwd: PAM question]
Buchan Milne
bgmilne at cae.co.za
Thu Jan 25 13:58:25 GMT 2001
Sorry about this, it's a bit off-topic, but the list I have posted this
to seems to be down at the moment, and I think I might find someone who
can help me here ...
-------- Original Message --------
Subject: PAM question
Date: Wed, 24 Jan 2001 22:42:26 +0200
From: Buchan Milne <bgmilne at cae.co.za>
Organization: Stellenbosch Automotive Engineering
To: Expert Linux List <expert at linux-mandrake.com>
I am currently trying to get authentication of wu-imap from a samba PDC
using the pam_smb module.
I have managed to be able to login on the console with my windows
password, and have even managed to log in via ssh using my windows
password. However, following the same principles, I haven't managed to
connect to the imap server. I have compiled wu-imap from source, with
"make lnp" which is supposed to compile with pam support. Entries in the
file /var/log/security indicate that the imap server is indeed using PAM.
Here are the 2 working pam config files:
/etc/pam.d/login:
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth sufficient /lib/security/pam_smb_auth.so debug
auth sufficient /lib/security/pam_pwdb.so shadow nullok use_first_pass
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so nullok use_authtok shadow md5
session required /lib/security/pam_pwdb.so
session optional /lib/security/pam_console.so
/etc/pam.d/sshd:
#%PAM-1.0
auth sufficient /lib/security/pam_pwdb.so shadow nodelay
auth sufficient /lib/security/pam_smb_auth.so debug use_first_pass
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so shadow nullok use_authtok
session required /lib/security/pam_pwdb.so
session required /lib/security/pam_limits.so
Here is my current file for imap:
/etc/pam.d/imap:
#%PAM-1.0
auth sufficient /lib/security/pam_pwdb.so shadow nullok
auth sufficient /lib/security/pam_smb_auth.so debug use_first_pass
account required /lib/security/pam_pwdb.so
As you will see, in each case I simply changed the auth required line
for pam_pwdb to auth sufficient and added an auth sufficient line for
pam_smb, adding use_first_pass with the 2nd of the 2.
Here is a tail of /var/log/security following a successful ssh login and
failed imap connection:
Jan 24 23:00:07 www imapd[12758]: pam_smb: Local UNIX username/password check incorrect.
Jan 24 23:00:07 www imapd[12758]: pam_smb: Configuration Data, Primary CAEPDC, Backup CAEPDC, Domain CAE.
Jan 24 23:01:53 www imapd[12768]: connect from 146.232.146.2
Jan 24 23:01:59 www sshd[12769]: pam_smb: Local UNIX username/password check incorrect.
Jan 24 23:01:59 www sshd[12769]: pam_smb: Configuration Data, Primary CAEPDC, Backup CAEPDC, Domain CAE.
Jan 24 23:02:07 www imapd[12806]: connect from 146.232.146.2
Jan 24 23:02:07 www imapd[12806]: pam_smb: Local UNIX username/password check incorrect.
Jan 24 23:02:07 www imapd[12806]: pam_smb: Configuration Data, Primary CAEPDC, Backup CAEPDC, Domain CAE.
Jan 24 23:02:08 www imapd[12768]: pam_smb: Local UNIX username/password check incorrect.
Jan 24 23:02:08 www imapd[12768]: pam_smb: Configuration Data, Primary CAEPDC, Backup CAEPDC, Domain CAE.
Does anyone have any advice for me ... the idea here is to let all the
windows lusers read email on the imap/pop server without them having to
keep 2 passwords sync'ed, not for me to be able to log into the machines
with passwords that might have been sniffed ;-)
Buchan
(P.S. This machine is Linux-Mandrake 7.1 with samba 2.0.7, pdc is more
or less the same)
--
|----------------Registered Linux User #182071-----------------|
Buchan Milne Mechanical Engineer, Network Manager
Cellphone * Work +27 82 472 2231 * +27 21 808 2497
Stellenbosch Automotive Engineering http://www.cae.co.za
More information about the samba-ntdom
mailing list
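
Added example, not part of the original post: a simplified Python model of how Linux-PAM combines the required/requisite/sufficient/optional control flags, run over the auth lines of the login and imap stacks quoted in the message. The function names and the per-module outcomes are assumptions constructed for illustration; no real PAM module is called.

```python
import os

# Auth stacks copied from the post (mail-wrapped lines rejoined).
LOGIN = """\
auth required /lib/security/pam_securetty.so
auth sufficient /lib/security/pam_smb_auth.so debug
auth sufficient /lib/security/pam_pwdb.so shadow nullok use_first_pass
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
"""
IMAP = """\
auth sufficient /lib/security/pam_pwdb.so shadow nullok
auth sufficient /lib/security/pam_smb_auth.so debug use_first_pass
account required /lib/security/pam_pwdb.so
"""

def parse_stack(text, facility="auth"):
    """Return [(control, module_name, args)] for one facility, skipping comments."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == facility:
            name = os.path.basename(fields[2])
            stack.append((fields[1], name, fields[3:]))
    return stack

def evaluate(stack, outcomes):
    """Walk the stack with constructed outcomes {module: True if it succeeded}.

    Simplified rules: a failed 'required' dooms the stack but the walk continues;
    a failed 'requisite' ends it at once; a successful 'sufficient' ends it with
    success if no 'required' failed earlier; failed 'sufficient'/'optional'
    modules are ignored. A stack in which nothing succeeded is denied.
    """
    required_failed, any_success, trace = False, False, []
    for control, name, _args in stack:
        ok = outcomes.get(name, False)
        trace.append((name, control, "ok" if ok else "fail"))
        if ok:
            any_success = True
            if control == "sufficient" and not required_failed:
                return True, trace
        elif control == "requisite":
            return False, trace
        elif control == "required":
            required_failed = True
    return (any_success and not required_failed), trace

if __name__ == "__main__":
    # Constructed scenario: only the SMB check and the tty/nologin checks pass.
    seen = {"pam_smb_auth.so": True, "pam_securetty.so": True, "pam_nologin.so": True}
    for label, conf in (("login", LOGIN), ("imap", IMAP)):
        print(label, evaluate(parse_stack(conf), seen))
```

In this model a stack whose password-checking modules are all marked sufficient is decided by whichever required modules remain, which is why such stacks are commonly closed with a required pam_deny.so line.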