winbindd and ftp

carl.huang at mic.com.tw
Thu Dec 20 19:08:03 GMT 2001


Hello,

The config file is really not difficult to configure. My machine is Red Hat
Linux 7.2, samba 2.2.2.
See the files below: /etc/samba/smb.conf, /etc/nsswitch.conf,
/etc/pam.d/login, /etc/pam.d/ftp.

About ftp, it works with PAM, because if I make the directory /home/testftp1
manually, I can ftp in with user naspdc+testftp1. Perhaps ftp doesn't work
with the session item. So if the directory doesn't exist, how can the user
ftp in? Is there a default directory to be configured in /etc/ftpaccess?
Help!


About my successful process:
1. First make the PDC (a win2000 server) work.
2. Compile samba2.2.2 with --with-winbind (also with other items) and install
it. Configure /etc/samba/smb.conf.
3. Join samba to the domain.
4. Add users into the PDC.
5. Configure /etc/nsswitch.conf and /etc/pam.d/login.
6. Restart /etc/rc.d/init.d/smb.
7. Start winbindd. ----- winbindd -i -d 3 -s /etc/samba/smb.conf (you can
see how it works).
8. Use "wbinfo" and "getent" to test whether winbindd works.
9. I can telnet to the machine with samba, using naspdc+username or
naspdc\username.
10. I can "smbclient  //smbhost/myshare -U naspdc\\username". (naspdc is the
domain name).
11. I can also access samba from win2000Pro. If I have logged in to the domain,
no password is needed anymore.

# /etc/samba/smb.conf

[global]
workgroup = naspdc
server string = Samba Server
netbios name = naswb
guest account = ftp
log file = /var/log/samba/log.%m
log level = 3
max log size = 0

security = domain
password server = *

password level = 4
username level = 4

encrypt passwords = yes
winbind separator = +
winbind cache time = 10
template shell = /bin/bash
template homedir = /home/%U
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
username map = /etc/samba/smbusers

socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
wins server = 10.83.0.253
dns proxy = no

#============================ Share Definitions ==============================
[homes]
   comment = Home Directories
   browseable = no
   writable = yes
   valid users = %S
   create mode = 0664
   directory mode = 0775
[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = no
# Set public = yes to allow user 'guest account' to print
   guest ok = no
   writable = no
   printable = yes

[myshare]
   comment = test folder
   path = /home/share
  ; valid users = asdf administrator hjf
 ;  public = no
   writable = yes
;   printable = no
;   create mask = 0765



# /etc/nsswitch.conf
passwd:    files winbind  nisplus
shadow:    files winbind  nisplus
group:     files winbind  nisplus
hosts:      files nisplus dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files nisplus
rpc:        files
services:   files nisplus
netgroup:   files nisplus
publickey:  nisplus
automount:  files nisplus
aliases:    files nisplus


#/etc/pam.d/login
#%PAM-1.0(login)
#auth       required	/lib/security/pam_securetty.so
auth	   sufficient	/lib/security/pam_winbind.so
auth       required	/lib/security/pam_stack.so service=system-auth
#auth       required	/lib/security/pam_nologin.so
account    sufficient   /lib/security/pam_winbind.so
account    required	/lib/security/pam_stack.so service=system-auth
password   required	/lib/security/pam_stack.so service=system-auth
#session	  sufficient	/lib/security/pam_winbind.so
session    required	/lib/security/pam_stack.so service=system-auth
session    optional	/lib/security/pam_console.so
session   required	/lib/security/pam_mkhomedir.so


#/etc/pam.d/ftp-
#%PAM-1.0(ftp)
auth       required	/lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth	  sufficient	/lib/security/pam_winbind.so
auth       required	/lib/security/pam_stack.so service=system-auth
auth       required	/lib/security/pam_shells.so
account    sufficient	/lib/security/pam_winbind.so
account    required	/lib/security/pam_stack.so service=system-auth
session    sufficient   /lib/security/pam_mkhomedir.so
session    required	/lib/security/pam_stack.so service=system-auth



------------------------------------------------
------------------------------------------------

On Thursday 20 December 2001 08:38, carl.huang at mic.com.tw wrote:
> Hello,
>
> I setup samba2.2.2 with winbind. samba is a member of  domain with
> security=domain. Now both work well.
> Since there is no user in /etc/passwd, and user information gets from
> PDC(a win2000 server).

Wow! This is what I want to achieve but can't! As soon as I start winbindd
domain logins are not accepted anymore.

Can you send me your smb.conf?

> The question is: there is no /home/xxx directory too.(I don't want to make
> it manually).
>
> I can configure /etc/pam.d/login with :
> session required    /lib/security/pam_mkhomedir.
> so  when user(naspdc+xxx ) first login , the machine will automatically
> make /home/xxx directory. So it's no problem.(naspdc is domain name).
>
> But when user(naspdc+testftp1) first ftp to this machine, the machine
> says:
> 530 User naspdc+testftp1: can't change directory to /home/testftp1.
> Login failed.  (Because there is no directory /home/testftp1,   naspdc is
> domain name).
>
> I also configure /etc/pam.d/ftp with pam_mkhomedir.so but it doesn't work.

Looks like your ftp server program does not use PAM...
how does it accept DOMAIN+user usernames then? I'm not that familiar with
PAM but could it be that ftp does not use the 'session' line, only 'passwd' in
the PAM conf file? Can you try to verify this?
--
vda
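
Added example (not part of the original posts, and not Samba or Linux-PAM code): a simplified model of the PAM control flags, applied to the auth and account lines of the /etc/pam.d/ftp file posted above. It shows which modules are actually evaluated when pam_winbind.so succeeds as "sufficient": the later "required" pam_shells.so check is skipped for domain users. The names parse and run_stack are hypothetical, and module outcomes are constructed inputs.

```python
# Added example: simplified model of Linux-PAM control flags, not libpam.
# Auth/account lines as posted for /etc/pam.d/ftp (wrapped line rejoined).
FTP_PAM = """\
auth     required    /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth     sufficient  /lib/security/pam_winbind.so
auth     required    /lib/security/pam_stack.so service=system-auth
auth     required    /lib/security/pam_shells.so
account  sufficient  /lib/security/pam_winbind.so
account  required    /lib/security/pam_stack.so service=system-auth
"""

def parse(text):
    """Return [(type, control, module_name)] for every non-comment line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        mtype, control, path = line.split()[:3]
        rules.append((mtype, control, path.rsplit("/", 1)[-1]))
    return rules

def run_stack(rules, mtype, results):
    """Simulate one management group (auth, account, ...).

    results maps module name -> True/False (constructed outcomes);
    modules not listed are assumed to succeed.
    Returns (granted, modules_evaluated).
    """
    failed, evaluated = False, []
    for rtype, control, module in rules:
        if rtype != mtype:
            continue
        evaluated.append(module)
        ok = results.get(module, True)
        if control == "sufficient" and ok and not failed:
            return True, evaluated      # short-circuit: later modules skipped
        if control == "requisite" and not ok:
            return False, evaluated     # hard stop on failure
        if control == "required" and not ok:
            failed = True               # remember failure, keep going
    return not failed, evaluated

if __name__ == "__main__":
    rules = parse(FTP_PAM)
    # Domain user: pam_winbind succeeds, pam_shells is never consulted.
    print(run_stack(rules, "auth", {}))
    # Local user: pam_winbind fails, the rest of the stack is evaluated.
    print(run_stack(rules, "auth", {"pam_winbind.so": False}))
    # User listed in /etc/ftpusers: an earlier required failure disables
    # the sufficient short-circuit, so access is denied.
    print(run_stack(rules, "auth", {"pam_listfile.so": False}))
```
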




