PAM and LDAP

Andrew Bartlett abartlet at pcug.org.au
Mon Apr 30 13:07:49 GMT 2001


Samba spends much of its day doing getpwnam lookups, even when it does
not make sense.  It's probably one of those that is failing.  I have been
looking at authentication generally, and PAM in particular for a major
rewrite - some of which is slowly creeping into the samba tree.  There
is no reason to do a getpwnam() call for PDC authentications, so finding
the problematic one shouldn't be too much of an issue.

However, if you're not using plain-text domain logins, and I don't think
any MS client does this anymore, and samba doesn't support it anyway (I
have a patch which fixes this), then you will need the --with-ldap
configure option, which is commented out until somebody gets it
functional.  (You will also need to get the NTLM hashes into ldap
somehow).

For smbd file-share logins (what smbclient uses) you will need local
accounts anyway, probably via nsswitch, as samba must become that userid
at some stage...

Andrew Bartlett

Christian Barth wrote:
> 
> There have been a couple of mails about problems with samba PDC and
> pam on this list the last days. Maybe they are related to your
> problem.
> 
> Christian
> 
> > I have compiled and installed SAMBA 2.2.0 on a Red Hat 6.2 box.  SAMBA
> > was configured with the --with-pam option.  I have the nss_ldap package
> > installed.
> >
> > My goal is to use this SAMBA server as a PDC, and have it use PAM to
> > authenticate to our existing LDAP server (which already does
> > authentication for the E-mail system).  On this same Red Hat / SAMBA
> > box, I have for many months had a RADIUS daemon successfully
> > authenticating dialup users to that same LDAP server via PAM.
> >
> > However, with SAMBA, I'm unable to get smbclient to authenticate
> > successfully, except with usernames and passwords that exist on the
> > local Red Hat server -- for those, it works fine.  This is what
> > /etc/pam.d/samba contains (this file came with nss_ldap):
> >
> > #%PAM-1.0
> > auth       sufficient   /lib/security/pam_ldap.so
> > auth       required     /lib/security/pam_unix_auth.so try_first_pass
> > account    sufficient   /lib/security/pam_ldap.so
> > account    required     /lib/security/pam_unix_acct.so
> >
> > The SMB log says "Couldn't find user <username>", as if it isn't
> > checking the LDAP server, only the local user database.
> >
> > I'm sure I'm missing something simple, but does anyone have any
> > pointers?  Thanks!
> >
> > --
> >
> > Jefferson Davis Williams
> > Director of Computer and Network Services
> > Danville Area Community College
> > 2000 East Main Street
> > Danville, IL  61832
> > 217.443.8871
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  http://lists.samba.org/mailman/listinfo/samba
> >
> 
> _______________________________________________________________________
> In a world without walls and fences, who needs windows and gates? (SUN)

-- 
Andrew Bartlett
abartlet at pcug.org.au
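To make the two separate lookups in this thread concrete, here is an added model (not Samba code, and not written by anyone in the thread) of a getpwnam() lookup over the NSS "passwd" sources followed by the quoted /etc/pam.d/samba auth stack evaluated with standard PAM control-flag semantics. The users alice/bob, the NSS source contents, the module outcomes and the assumption that smbd resolves the passwd entry before calling PAM are all constructed for illustration.

```python
# Added illustration: why a PAM stack that is fine can still yield
# "Couldn't find user" when the account is only in LDAP. Sample data
# below (users, NSS sources, module outcomes) is constructed.

# The auth/account stack quoted in the thread, verbatim.
PAM_SAMBA_AUTH = """
#%PAM-1.0
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_unix_auth.so try_first_pass
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix_acct.so
"""

# Constructed directories: alice exists locally, bob only in LDAP.
LOCAL_USERS = {"alice"}
LDAP_USERS = {"alice", "bob"}
NSS_SOURCES = {"files": LOCAL_USERS, "ldap": LDAP_USERS}


def parse_pam(text, phase):
    """Return [(control, module)] for one management group, in order."""
    stack = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == phase:
            stack.append((parts[1], parts[2].rsplit("/", 1)[-1]))
    return stack


def run_pam_stack(stack, outcomes):
    """Linux-PAM control flags; outcomes maps module -> success bool."""
    failed_required = False
    for control, module in stack:
        ok = outcomes.get(module, False)
        if control == "requisite" and not ok:
            return False                 # fail immediately
        if control == "required" and not ok:
            failed_required = True       # remember, keep going
        if control == "sufficient" and ok and not failed_required:
            return True                  # short-circuit success
    return not failed_required


def getpwnam(user, passwd_sources):
    """Mimic getpwnam(): try the nsswitch.conf passwd sources in order."""
    return any(user in NSS_SOURCES[src] for src in passwd_sources)


def smbd_login(user, passwd_sources, outcomes):
    """Assumed order: smbd needs a passwd entry (to become the user) first."""
    if not getpwnam(user, passwd_sources):
        return "Couldn't find user %s" % user
    ok = run_pam_stack(parse_pam(PAM_SAMBA_AUTH, "auth"), outcomes)
    return "ok" if ok else "auth failed"
```

With passwd sources of just "files", bob fails before PAM is ever consulted; adding "ldap" to the passwd line in nsswitch.conf lets the lookup succeed and the sufficient pam_ldap entry then carries the authentication.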