Install problems with RedHat 7.0 RPM for 2.2.0

Andrew Bartlett abartlet at pcug.org.au
Mon Apr 23 11:53:14 GMT 2001


Christian Barth wrote:
> 
> > Martin Sapsed wrote:
> > >
> > > Andrew Bartlett wrote:
> > > > This is your problem.  If you compile with PAM (the RPMS are), then you
> > > > have indicated that you want to use PAM.  Simply set up a correct
> > > > /etc/pam.d/samba and all will be well.  The reason that encrypted
> > > > passwords will fail is that they now check with PAM to see if the
> > > > account is disabled.  (PAM can't handle the encrypted password, but is
> > > > still in a position to say yea or nay to the user based on account
> > > > status, time of day and the like).
> > >
> > > Sorry to be a thicko but I've never quite worked out what a "correct
> > > pam.d/samba" is! We use NIS for passwd maps and whenever I've used a samba
> > > RPM (built with PAM as I suspected) I get a delay during authentication
> > > while PAM has a think and says nope - don't know him before the match in
> > > the NIS is found. I usually end up building from source as a result. Are
> > > there any repositories of pam.d/samba's for particular setups?
> >
> > Probably the best examples are the ones on your own system.  For
> > example, what does /etc/pam.d/login say, /etc/pam.d/ssh,
> > /etc/pam.d/telnet and the like.  Make sure you have auth, account,
> > password and session lines.
> >
> > On my RedHat 7.0 + errata development box, for example, I just use
> > pam_stack for all services, but pam_unix has also worked in the past.
> 
> /etc/pam.d/samba can be as simple as:
> auth    required        /lib/security/pam_pwdb.so nullok shadow
> account required        /lib/security/pam_pwdb.so
> 
> Which is the default of an old RH system. This basically tells pam that
> the samba connection needs authentication and account from
> pam_pwdb.so. pam_pwdb.so then checks the local passwd database
> (/etc/passwd), NIS or whatever is configured in /etc/nsswitch.conf.
> I just saw, there is a /etc/pwdb.conf invoked too.
> 

Newer versions of samba (2.2.1) will need a session line too (can just
be pam_permit.so), and a password line is needed if my PAM based unix
password sync stuff ever hits the tree.

But basically, yes.  It can be that simple.  Configuring PAM is not the
black art some people make out (at least not as far as I have seen). :-)

Andrew Bartlett
-- 
Andrew Bartlett
abartlet at pcug.org.au
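
As an added illustration (not part of the original post and not Samba's own code): a small Python check that reports which of the four PAM facilities named in the thread a service file such as /etc/pam.d/samba lacks, and whether pam_permit.so appears in the auth or account stack, where it would accept every user. The function names and the embedded sample file are constructed for this example.

```python
import re

FACILITIES = ("auth", "account", "password", "session")
# facility, control (plain word or [bracketed] form), module, optional args
LINE = re.compile(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# Constructed sample: the two-line /etc/pam.d/samba quoted in the thread.
SAMPLE = """\
# /etc/pam.d/samba
auth    required        /lib/security/pam_pwdb.so nullok shadow
account required        /lib/security/pam_pwdb.so
"""

def parse_pam_service(text):
    """Return (facility, control, module, args) tuples from pam.d file text."""
    text = text.replace("\\\n", " ")          # join backslash-continued lines
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or line.startswith("@include"):
            continue                          # @include targets are not followed
        m = LINE.match(line)
        if m is None or m.group(1).lower() not in FACILITIES:
            raise ValueError("unparseable PAM line: %r" % raw)
        facility, control, module, args = m.groups()
        entries.append((facility.lower(), control, module, args.split()))
    return entries

def missing_facilities(text, required=FACILITIES):
    """Facilities from `required` that have no line in the service file."""
    present = {entry[0] for entry in parse_pam_service(text)}
    return [f for f in required if f not in present]

def permissive_gates(text):
    """auth/account facilities that use pam_permit.so (always succeeds)."""
    return sorted({f for f, _, module, _ in parse_pam_service(text)
                   if f in ("auth", "account")
                   and module.endswith("pam_permit.so")})

if __name__ == "__main__":
    print("missing:", missing_facilities(SAMPLE))
    print("pam_permit in auth/account:", permissive_gates(SAMPLE))
```
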
