[Samba] Problems with Samba 2.2.3a DC and PAM

Andrew Bartlett abartlet at pcug.org.au
Tue Mar 5 12:41:13 GMT 2002


"Richter, Gary" wrote:
> 
> Basically, this is going to be just a question to see if what I want to do
> can be done, since I have had no luck in doing it so far...
> 
> I have set up a 2.2.3a domain controller, and I can join Windows XP clients
> to the domain, and log in as domain users.
> I want to use PAM to enforce account restrictions, such as login time using
> pam_time. I currently have the *stacked* version of the /etc/pam.d/samba
> file installed, and I have modified my /etc/pam.d/system-auth file to look
> as such:
> 
> --cut
> 
> account         requisite       /lib/security/pam_time.so
> account         required        /lib/security/pam_unix.so
> 
> --cut
> 
> I have a feeling that the restrictions are working partially, since in my
> syslog I am getting log entries to the effect of "'user' is not authorized
> to log in at this time"... however, Windows is still allowing me to log in as
> if nothing is wrong. The only side effect of logging in my XP workstation
> outside the permitted times is that I'm not able to connect to shares, like
> the one defined for roaming profiles... Windows bitches about not being able
> to load my profile.
> 
> Does anyone have any ideas? Has this been done before? Can it be done, or
> will I be forced to actually use a Win2k Domain Controller when I would
> rather not?

This is meant to work, but it could well be buggy, or the NTSTATUS code
we are sending might not match up with the effect desired.  You could
try HEAD (Samba 3.0 alpha) as it has a completely re-written
authentication subsystem.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net