W2K Domain Login Problem with 2.2.0

Andrew Bartlett abartlet at pcug.org.au
Mon Apr 23 08:10:48 GMT 2001 

Simo Sorce wrote:
> 
> On Mon, Apr 23, 2001 at 12:04:13AM -0700, Jeremy Allison wrote:
> > On Mon, Apr 23, 2001 at 04:04:55PM +1000, Andrew Bartlett wrote:
> > >
> > > The one's our bug-reporter supplied might be a start :-)
> > >
> > > auth    required        pam_unix.so nullok
> > > account required        pam_unix.so
> > >
> > > This looks perfectly reasonable, as a starting point.  Maybe add debug
> > > to the end of the lines.  You will need to add:
> > >
> > > session required   pam_unix.so
> > >
> > > if you want to access file-shares with the current cvs.
> >
> > Ok - I've been playing with this a bit and I'm coming
> > to the conclusion we should compile Linux Samba with
> > pam turned *OFF* by default, and let those admins
> > who want it recompile with the --with-pam option for
> > a PDC.
> >
> > The problem is we can't know if the system has got
> > shadow passwords enabled or not.
> >
> > I discovered that running with shadow passwords
> > and using the above pam.d/samba file fails completely,
> > with messages such as :
> >
> > PAM: Init user: jallison
> > Gethostbyaddr failed for 192.168.233.2
> > PAM: setting rhost to: 192.168.233.2
> > PAM: setting tty
> > PAM: Init passed for user: jallison
> > PAM: Account Management for User: jallison
> > PAM: UNKNOWN ERROR for User: jallison
> > PAM: Account Check Failed : Authentication service cannot retrieve
> > authentication info.
> > PAM: PAM_END OK.
> > PAM: Account Validation Failed - Rejecting User!
> >
> > in the smb log when the user tries to log onto the PDC.
> > If you run pwunconv to undo the shadow file (making the
> > system less secure) then the above pam config file
> > works.
> >
> > If however, we use the following pam.d/samba file
> >
> > auth            required        /lib/security/pam_pwdb.so nullok shadow
> > account         required        /lib/security/pam_pwdb.so
> > session         required        /lib/security/pam_pwdb.so
> > password        required        /lib/security/pam_pwdb.so
> >
> > we are able to get successful logons to a Samba PDC from
> > a win2k client either with or without shadow passwords.
> >
> > It's also a *bastard* to debug - pam isn't exactly verbose
> > when it's screwing up.
> >
> > Now either we *always* control the pam.d/samba file that is
> > used on install, or we skip this whole ugly mess and ship
> > with PAM *off* by default, and let those admins who want
> > it turn it on....
> >
> > What concerns me is shipping an rpm on Linux that *works*, out
> > of the box for approx. 100% of our users. If adding pam by
> > default takes that figure down to 99% then it's *NOT* worth
> > the support hassles.
> >
> > It has to be *bulletproof*. I'm not sure it is right now
> > due to the disparity in PAM modules/implementations on Linux
> > and Solaris boxes.
> >
> > Thoughts anyone ?
> >
> PAM is used on most linux distribution and Solaris box,
> so this may force many users to recompile.
> Wouldn't it be possibile to have PAM support turned on and off by a
> configuration switch in smb.conf, such as pam_support = Yes/No
> 
> compilation switch would remain to support non-PAM aware system, but
> such a switch will permit to ship samba binaries with PAM support and let
> decide the administrator if they want to enable PAM support or let samba
> run without PAM support as the default.
> 

Its called pam_permit, and its already a config option.  Simply set the
lines in your /etc/pam.d/samba or /etc/pam.conf to use pam_permit.so as
the module, and pam is instantly disabled.  (Don't do this for
authentications though - as this will open your server wide open).

It should be safe for the rest, as that basicly what we do when we don't
compile with pam, account and sesion checks just dissapear.

Andrew Bartlett
abartlet at pcug.org.au

-- 
Andrew Bartlett
abartlet at pcug.org.au

More information about the samba-technical mailing list