W2K Domain Login Problem with 2.2.0
Andrew Bartlett
abartlet at pcug.org.au
Mon Apr 23 14:47:13 GMT 2001
Steve Langasek wrote:
>
> On Tue, 24 Apr 2001, Andrew Bartlett wrote:
>
> > I 100% disagree. It is fundamentally broken to allow a user to access a
> > server's resources if the admin has specifically banned them from doing
> > just that. Every other authentication service on the server obeys this
> > directive, just not samba. Added to that, samba claims to have pam
> > support, and admins expect that to be implemented properly. (Hence much
> > of my hard work over the last little while, and I have more PAM patches
> > waiting for submission).
>
> > What we need is documentation. (I wrote a change for one of the
> > manpages, but I think it got left/stuck on tridge's computer).
>
> > We have only had 3 cases so far (that I have seen), and it only affected
> > domain logons - they were marked as experimental anyway, and only from
> > Win2k. I think there might be some small weird interaction in the
> > presentation of the username to PAM in that case, but I haven't got to
> > the bottom of it.
>
> The logfile snippets Percy provided clearly show that the username being
> rejected by PAM is the correct username (unless you're proposing that Win2k
> has mangled the name in such a way that there are trailing invisible garbage
> chars in the username string, which don't show up in the logfile and don't
> prevent Samba from authenticating it, but which do prevent PAM from resolving
> the username)?
This is exactly what I'm suggesting, as the other person with the same
problem reported NO difficulties logging in via a normal network drive
map or Win98, and NT4 (no SP) works fine from my VMware session here. I
don't have any other explanation, unfortunately.
>
> Percy,
> If you change the line
>
> samba account required /usr/lib/security/pam_unix.so.1
>
> in your /etc/pam.conf to read
>
> samba account required /usr/lib/security/pam_permit.so.1
>
> instead, does this give better results? Theoretically, this change should
> restore Samba's previous behavior as of 2.0.7. (Assuming that you have
> /usr/lib/security/pam_permit.so.1 on your system; I admit that I'm rather
> ignorant of what modules Solaris includes.)
>
> Regards,
> Steve Langasek
> postmodern programmer
--
Andrew Bartlett
abartlet at pcug.org.au
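
Added example, not part of the original message and not Samba code: one way to check the hypothesis discussed above is to log the username with every non-printable byte escaped before it is handed to PAM, so trailing garbage that a plain `%s` log line hides becomes visible. The function name `escape_username` and the sample buffers are hypothetical, constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Render a username buffer for a log line. Visible ASCII (0x21-0x7e,
 * except backslash) is copied as-is; every other byte, including space,
 * tab and NUL, is written as \xNN so it cannot hide in the log.
 * Returns the number of escaped bytes, or -1 if 'out' is too small. */
int escape_username(const unsigned char *in, size_t in_len,
                    char *out, size_t out_len)
{
    size_t o = 0;
    int escaped = 0;

    for (size_t i = 0; i < in_len; i++) {
        unsigned char c = in[i];
        if (c >= 0x21 && c <= 0x7e && c != '\\') {
            if (o + 2 > out_len) return -1;   /* char + final NUL */
            out[o++] = (char)c;
        } else {
            if (o + 5 > out_len) return -1;   /* "\xNN" + final NUL */
            snprintf(out + o, 5, "\\x%02x", (unsigned)c);
            o += 4;
            escaped++;
        }
    }
    if (o + 1 > out_len) return -1;
    out[o] = '\0';
    return escaped;
}

int main(void)
{
    /* Constructed samples: the length comes from the wire field,
     * not from strlen(), so bytes after an embedded NUL are kept. */
    const unsigned char clean[] = "percy";
    const unsigned char padded[] = "percy\0\0";
    char buf[64];

    int n = escape_username(clean, 5, buf, sizeof buf);
    printf("user=[%s] escaped=%d\n", buf, n);
    n = escape_username(padded, 7, buf, sizeof buf);
    printf("user=[%s] escaped=%d\n", buf, n);
    return 0;
}
```

A non-zero return value for a name that looks correct in the ordinary log is the case the thread is speculating about.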