[Fwd: PAM question]

Buchan Milne bgmilne at cae.co.za
Thu Jan 25 13:58:25 GMT 2001


Sorry about this, it's a bit off-topic, but the list I have posted this
to seems to be down at the moment, and I think I might find someone who
can help me here ...

-------- Original Message --------
Subject: PAM question
Date: Wed, 24 Jan 2001 22:42:26 +0200
From: Buchan Milne <bgmilne at cae.co.za>
Organization: Stellenbosch Automotive Engineering
To: Expert Linux List <expert at linux-mandrake.com>

I am currently trying to get authentication of wu-imap from a samba PDC
using the pam_smb module.

I have managed to be able to login on the console with my windows
password, and have even managed to log in via ssh using my windows
password. However, following the same principles, I haven't managed to
connect to the imap server. I have compiled wu-imap from source, with
"make lnp" which is supposed to compile with pam support. Entries in the
file /var/log/security indicate that the imap server is indeed using PAM.

Here are the 2 working pam config files:
/etc/pam.d/login:
#%PAM-1.0
auth       required /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_smb_auth.so debug
auth       sufficient   /lib/security/pam_pwdb.so shadow nullok use_first_pass
auth       required /lib/security/pam_nologin.so
account    required /lib/security/pam_pwdb.so
password   required /lib/security/pam_cracklib.so
password   required /lib/security/pam_pwdb.so nullok use_authtok shadow md5
session    required /lib/security/pam_pwdb.so
session    optional /lib/security/pam_console.so

/etc/pam.d/sshd:
#%PAM-1.0
auth        sufficient     /lib/security/pam_pwdb.so shadow nodelay
auth        sufficient  /lib/security/pam_smb_auth.so debug use_first_pass
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
session    required     /lib/security/pam_pwdb.so
session    required     /lib/security/pam_limits.so

Here is my current file for imap:
/etc/pam.d/imap:
#%PAM-1.0
auth        sufficient  /lib/security/pam_pwdb.so shadow nullok
auth        sufficient  /lib/security/pam_smb_auth.so debug use_first_pass
account     required    /lib/security/pam_pwdb.so

As you will see, in each case I simply changed the auth required line
for pam_pwdb to auth sufficient and added an auth sufficient line for
pam_smb, adding use_first_pass with the 2nd of the 2.

Here is a tail of /var/log/security following a successful ssh login and
failed imap connection:

Jan 24 23:00:07 www imapd[12758]: pam_smb: Local UNIX username/password check incorrect.
Jan 24 23:00:07 www imapd[12758]: pam_smb: Configuration Data, Primary CAEPDC, Backup CAEPDC, Domain CAE.
Jan 24 23:01:53 www imapd[12768]: connect from 146.232.146.2
Jan 24 23:01:59 www sshd[12769]: pam_smb: Local UNIX username/password check incorrect.
Jan 24 23:01:59 www sshd[12769]: pam_smb: Configuration Data, Primary CAEPDC, Backup CAEPDC, Domain CAE.
Jan 24 23:02:07 www imapd[12806]: connect from 146.232.146.2
Jan 24 23:02:07 www imapd[12806]: pam_smb: Local UNIX username/password check incorrect.
Jan 24 23:02:07 www imapd[12806]: pam_smb: Configuration Data, Primary CAEPDC, Backup CAEPDC, Domain CAE.
Jan 24 23:02:08 www imapd[12768]: pam_smb: Local UNIX username/password check incorrect.
Jan 24 23:02:08 www imapd[12768]: pam_smb: Configuration Data, Primary CAEPDC, Backup CAEPDC, Domain CAE.

Does anyone have any advice for me ... the idea here is to let all the
windows lusers read email on the imap/pop server without them having to
keep 2 passwords sync'ed, not for me to be able to log into the machines
with passwords that might have been sniffed ;-)

Buchan

(P.S. This machine is Linux-Mandrake 7.1 with samba 2.0.7, pdc is more
or less the same)

-- 
|----------------Registered Linux User #182071-----------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work               +27 82 472 2231 * +27 21 808 2497
Stellenbosch Automotive Engineering         http://www.cae.co.za
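
Added example (not part of the original message, and not code from Linux-PAM, pam_smb or wu-imap): a simplified Python model of how the required/requisite/sufficient/optional control flags combine, run over the /etc/pam.d/imap stack quoted in the message. The names parse_stack, evaluate and IMAP_PAM are hypothetical, the stack is embedded with use_first_pass on its module's line, and bracketed [value=action] controls and include lines are not modelled.

```python
import os

# Constructed copy of the /etc/pam.d/imap stack quoted in the message.
IMAP_PAM = """\
#%PAM-1.0
auth        sufficient  /lib/security/pam_pwdb.so shadow nullok
auth        sufficient  /lib/security/pam_smb_auth.so debug use_first_pass
account     required    /lib/security/pam_pwdb.so
"""

CONTROLS = {"required", "requisite", "sufficient", "optional"}

def parse_stack(text, mgmt_type):
    """Return [(control, module, args)] for one type (auth, account, ...)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # "#%PAM-1.0" is a comment too
        if not line:
            continue
        fields = line.split()
        # A stray argument on its own line is not a valid entry.
        if len(fields) < 3 or fields[1] not in CONTROLS:
            raise ValueError(f"malformed PAM line: {raw!r}")
        if fields[0] == mgmt_type:
            entries.append((fields[1], os.path.basename(fields[2]), fields[3:]))
    return entries

def evaluate(entries, results):
    """Simplified control-flag logic; results maps module -> True/False."""
    required_failed = False
    any_success = False
    for control, module, _args in entries:
        ok = results[module]
        if ok:
            any_success = True
            if control == "sufficient" and not required_failed:
                return True          # success ends the stack early
        elif control == "requisite":
            return False             # failure ends the stack early
        elif control == "required":
            required_failed = True   # remembered, stack keeps running
        # a failed sufficient/optional module is ignored
    return any_success and not required_failed

if __name__ == "__main__":
    auth = parse_stack(IMAP_PAM, "auth")
    for pwdb, smb in [(True, False), (False, True), (False, False)]:
        outcome = evaluate(auth, {"pam_pwdb.so": pwdb, "pam_smb_auth.so": smb})
        print(f"pam_pwdb={pwdb} pam_smb_auth={smb} -> auth {'ok' if outcome else 'denied'}")
```

In this model an auth stack made only of sufficient modules succeeds if either module accepts the password and is denied when both fail; the account stack is a separate pass with its own result.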




