Swat Authorization problem w/PAM

Kroboth, Joe joe_kroboth at chernay.com
Tue Oct 23 10:59:03 GMT 2001


Hi Scott,

That did the trick.  Thanks for your help!

Joe

-----Original Message-----
From: Scott Mann [mailto:Scott.Mann at lefthandnetworks.com]
Sent: Tuesday, October 23, 2001 1:48 PM
To: Kroboth, Joe
Cc: 'samba-ntdom at lists.samba.org'
Subject: Re: Swat Authorization problem w/PAM


"Kroboth, Joe" wrote:
> 
> Hello,
> 
> Installed the binary RPM
> (http://de.samba.org/samba/ftp/Binary_Packages/redhat/RPMS/7.1/) for samba
> 2.2.2 on my redhat 7.1 server.  I got winbind to work and my samba server is
> now using NT usernames and groups.  I was very unsure about how to modify the
> pam.d files.  The only file I changed was the /etc/pam.d/samba file.  I
> pulled this configuration from another mail post.
> 
> /etc/pam.d/samba--------------------------------------
> 
> auth            required        /lib/security/pam_securetty.so
> auth            required        /lib/security/pam_nologin.so
> auth            sufficient      /lib/security/pam_winbind.so
> auth            required        /lib/security/pam_pwdb.so use_first_pass shadow nullok
> account         required        /lib/security/pam_winbind.so
> session         required        /lib/security/pam_pwdb.so
> password        required        /lib/security/pam_pwdb.so
> 
Hi Joe,

I believe that RH 7.1 uses the centralized /etc/pam.d/system-auth
file. You can set your /etc/pam.d/samba file to mimic /etc/pam.d/login
or the like.

Here's my /etc/pam.d/samba
auth       required	/lib/security/pam_nologin.so
auth       required	/lib/security/pam_stack.so service=system-auth
account    required	/lib/security/pam_stack.so service=system-auth
session    required	/lib/security/pam_stack.so service=system-auth

The pam_stack.so module invokes the specified service (system-auth in
this case which means that you must have a /etc/pam.d/system-auth file).

Here's my /etc/pam.d/system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth	    sufficient	  /lib/security/pam_winbind.so debug
auth        sufficient    /lib/security/pam_unix.so use_first_pass likeauth nullok
auth        required      /lib/security/pam_deny.so

account	    required	  /lib/security/pam_winbind.so
#account     required      /lib/security/pam_unix.so

password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow nis
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

Note the pam_winbind entries and the auth pam_unix entry with the
"use_first_pass" argument. You could probably replace the pam_unix stuff
with pam_pwdb if you prefer that. Anyway, this configuration works for me
using swat and, in particular, correctly authenticates local/nis users vs.
domain users.

Hope this helps.
Scott

> -----------------------------------------------------------------
> 
> This seems to work fine for all but SWAT.
> 
> I am able to log into swat using an NT domain name and password (DOMAIN+name
> and password) but I do not have full access to changing the config file.
> When I try to log in as root I receive an authorization failure.
> 
> Hoping someone could point me in the right direction.
> 
> Thanks
> 
> Joe
> 
> Joe Kroboth
> IT Director
> Chernay Printing, Inc
> 7483 South Main Street
> PO BOX 199
> Coopersburg, PA 18036
> 610.282.3774 EXT 113
> 610.282.2982 FAX
> joe_kroboth at chernay.com
> www.chernay.com
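
Added example, not part of the original messages: a small Python model of how the auth lines of the two files Scott quotes are evaluated, including the pam_stack.so hand-off to system-auth. The control-flag handling is a simplification of Linux-PAM, and the per-module outcomes at the bottom are constructed assumptions, not results from either poster's system.

```python
import os

# Auth lines of the two files quoted above (wrapped lines rejoined).
SERVICES = {
    "samba": """
auth required   /lib/security/pam_nologin.so
auth required   /lib/security/pam_stack.so service=system-auth
""",
    "system-auth": """
auth required   /lib/security/pam_env.so
auth sufficient /lib/security/pam_winbind.so debug
auth sufficient /lib/security/pam_unix.so use_first_pass likeauth nullok
auth required   /lib/security/pam_deny.so
""",
}

def parse(text, mgmt="auth"):
    """Yield (control, module, args) for each line of one management type."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == mgmt:
            module = os.path.splitext(os.path.basename(fields[2]))[0]
            yield fields[1], module, fields[3:]

def authenticate(service, results):
    """Simplified control-flag evaluation; results maps module -> success."""
    failed = False
    for control, module, args in parse(SERVICES[service]):
        if module == "pam_stack":      # recurse into the named service
            sub = dict(a.split("=", 1) for a in args if "=" in a)["service"]
            ok = authenticate(sub, results)
        else:                          # pam_deny is never listed, so it fails
            ok = results.get(module, False)
        if control == "sufficient":
            if ok and not failed:
                return True            # success ends this stack immediately
        elif control == "requisite" and not ok:
            return False               # failure ends this stack immediately
        elif control == "required" and not ok:
            failed = True              # remembered; later modules still run
    return not failed

# Constructed module outcomes (assumptions, not observed results).
BASE = {"pam_nologin": True, "pam_env": True}
DOMAIN_USER = {**BASE, "pam_winbind": True}     # winbind accepts the password
LOCAL_USER = {**BASE, "pam_unix": True}         # winbind fails, pam_unix accepts
BAD_PASSWORD = dict(BASE)                       # falls through to pam_deny
NOLOGIN_SET = {**DOMAIN_USER, "pam_nologin": False}
```

Calling `authenticate("samba", DOMAIN_USER)` and `authenticate("samba", LOCAL_USER)` both succeed through different `sufficient` lines, while `BAD_PASSWORD` reaches pam_deny and `NOLOGIN_SET` fails on the outer `required` line even though system-auth succeeds.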



