Swat Authorization problem w/PAM
Scott Mann
Scott.Mann at lefthandnetworks.com
Tue Oct 23 10:45:07 GMT 2001
"Kroboth, Joe" wrote:
>
> Hello,
>
> Installed the binary RPM
> (http://de.samba.org/samba/ftp/Binary_Packages/redhat/RPMS/7.1/) for samba
> 2.2.2 on my redhat 7.1 server. I got winbind to work and my samba server is
> now using NT usernames and groups. I was very unsure about how to modify the
> pam.d files. The only file I changed was the /etc/pam.d/samba file. I
> pulled this configuration from another mail post.
>
> /etc/pam.d/samba--------------------------------------
>
> auth required /lib/security/pam_securetty.so
> auth required /lib/security/pam_nologin.so
> auth sufficient /lib/security/pam_winbind.so
> auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok
> account required /lib/security/pam_winbind.so
> session required /lib/security/pam_pwdb.so
> password required /lib/security/pam_pwdb.so
>

Hi Joe,

I believe that RH 7.1 uses the centralized /etc/pam.d/system-auth
file. You can set your /etc/pam.d/samba file to mimic /etc/pam.d/login
or the like.

Here's my /etc/pam.d/samba

auth required /lib/security/pam_nologin.so
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth

The pam_stack.so module invokes the specified service (system-auth in
this case which means that you must have a /etc/pam.d/system-auth file).

Here's my /etc/pam.d/system-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_winbind.so debug
auth sufficient /lib/security/pam_unix.so use_first_pass likeauth nullok
auth required /lib/security/pam_deny.so
account required /lib/security/pam_winbind.so
#account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow nis
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so

Note the pam_winbind entries and the auth pam_unix entry with the
"use_first_pass" argument. You could probably replace the pam_unix stuff
with pam_pwdb if you prefer that. Anyway, this configuration works for me
using swat and, in particular, correctly authenticates local/nis users vs.
domain users.

Hope this helps.

Scott

> -----------------------------------------------------------------
>
> This seems to work fine for all but SWAT.
>
> I am able to log into swat using a NT domain name and password (DOMAIN+name
> and password) but I do not have full access to changing the config file.
> When I try to log in as root I receive an authorization failure.
>
> Hoping someone could point me in the right direction.
>
> Thanks
>
> Joe
>
> Joe Kroboth
> IT Director
> Chernay Printing, Inc
> 7483 South Main Street
> PO BOX 199
> Coopersburg, PA 18036
> 610.282.3774 EXT 113
> 610.282.2982 FAX
> joe_kroboth at chernay.com
> www.chernay.com
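
The stack ordering discussed in this thread, as an added example that is not part of the original posts: a simplified Python model of PAM's required/requisite/sufficient control flags, applied to the two auth stacks quoted above. The per-module results are constructed inputs, and the pam_securetty failure for root under SWAT is an assumption, not something the thread confirms.

```python
# Simplified model of PAM auth control flags; module results are constructed inputs.
SYSTEM_AUTH = """\
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_winbind.so debug
auth sufficient /lib/security/pam_unix.so use_first_pass likeauth nullok
auth required /lib/security/pam_deny.so
"""
SAMBA_ORIGINAL = """\
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok
"""

def parse_auth(text):
    """Return [(control, module)] for each auth line of a pam.d file."""
    stack = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack

def evaluate(text, outcomes):
    """Return (granted, modules_run); outcomes maps module -> True/False."""
    required_failed, required_passed, ran = False, False, []
    for control, module in parse_auth(text):
        ok = outcomes[module]
        ran.append(module)
        if control == "requisite" and not ok:
            return False, ran                  # fail immediately
        if control in ("required", "requisite"):
            required_failed |= not ok          # remembered; stack keeps running
            required_passed |= ok
        elif control == "sufficient" and ok and not required_failed:
            return True, ran                   # short-circuit, rest skipped
    return required_passed and not required_failed, ran

if __name__ == "__main__":
    env = {"pam_env.so": True, "pam_deny.so": False}    # pam_deny always fails
    # Assumption: pam_securetty rejects root, since a SWAT session has no tty.
    root = {"pam_securetty.so": False, "pam_nologin.so": True,
            "pam_winbind.so": False, "pam_pwdb.so": True}
    for name, text, res in [
        ("domain user", SYSTEM_AUTH, {**env, "pam_winbind.so": True}),
        ("local/NIS user", SYSTEM_AUTH, {**env, "pam_winbind.so": False, "pam_unix.so": True}),
        ("root, original samba file", SAMBA_ORIGINAL, root),
    ]:
        print(name, evaluate(text, res))
```

In the original samba stack a failed `required` module earlier in the file decides the result even when a later module accepts the password, which is why module order and the choice between `required` and `sufficient` matter when adding pam_winbind.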