[Samba] PAM session trouble

Andrew Bartlett abartlet at samba.org
Mon Aug 5 14:41:19 GMT 2002

Buchan Milne wrote:
> >
> > Well, there isn't any point.  In Samba '2.999' aka HEAD snapshot Samba
> > will never call PAM for authenticaion when 'encrypt passwords = yes',
> > and while it will use pam for 'account' controls, it won't gain you
> > anything - its the same checks that are already done.
> Well, in 2.2.5, I can use "obey pam restrictions = yes" with winbind to
> create home directories via pam_mkhomedir. Are you saying
> 1)This won't work in 3.0
> 2)Samba does this (creating the homedir) already
> 3)"obey pam restrictions = yes" is effectively set (thus my:
> session     required      /lib/security/pam_mkhomedir.so skel=/etc/skel/
> umask=0022
> in /etc/pam.d/samba will work anyway)?

Oops.  Make that 'account and session'.  Samba will contact PAM for
account and session checking, but using pam_smbpass for 'session' won't
work and 'account' is degenerate (double-checking).  The only purpose
would be if you were using SWAT, and had a particular reason you wanted
to use 'samba' rather than system passwords for that service.

(and yes, they probably should use a different PAM config file).

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net

More information about the samba mailing list