[Samba] Problems with Samba 2.2.3a DC and PAM

Richter, Gary Gary_Richter at nfuel.com
Wed Mar 6 16:31:04 GMT 2002


I managed to get this working. The fix (whether it's the best way to do this
or not would require input from someone with more PAM knowledge) was this:

I modified my /etc/pam.d/samba (NOT /etc/pam.d/system-auth) file to look as
such:

--cut

account         required         /lib/security/pam_time.so
account         required         /lib/security/pam_unix.so

--cut

With this configuration, entries can be made in the /etc/security/time.conf
containing the desired time restrictions. The service referenced for these
restrictions would be "samba".

If logging on outside of the permitted times, Windows kicks back the error
"Unable to login due to an account restriction".

Problem solved as far as I'm concerned. Thanks :)

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at pcug.org.au]
Sent: Tuesday, March 05, 2002 12:34 PM
To: Richter, Gary
Cc: samba at lists.samba.org
Subject: Re: [Samba] Problems with Samba 2.2.3a DC and PAM


"Richter, Gary" wrote:
> 
> Basically, this is going to be just a question to see if what I want to do
> can be done, since I have had no luck in doing it so far...
> 
> I have set up a 2.2.3a domain controller, and I can join Windows XP clients
> to the domain, and log in as domain users.
> I want to use PAM to enforce account restrictions, such as login time using
> pam_time. I currently have the *stacked* version of the /etc/pam.d/samba
> file installed, and I have modified my /etc/pam.d/system-auth file to look
> as such:
> 
> --cut
> 
> account         requisite       /lib/security/pam_time.so
> account         required        /lib/security/pam_unix.so
> 
> --cut
> 
> I have a feeling that the restrictions are working partially, since in my
> syslog I am getting log entries to the effect of "'user' is not authorized
> to log in at this time"... however, Windows is still allowing me to login as
> if nothing is wrong. The only side effect of logging in my XP workstation
> outside the permitted times is that I'm not able to connect to shares, like
> the one defined for roaming profiles... Windows bitches about not being able
> to load my profile.
> 
> Does anyone have any ideas? Has this been done before? Can it be done, or
> will I be forced to actually use a Win2k Domain Controller when I would
> rather not?

This is meant to work, but it could well be buggy, or the NTSTATUS code
we are sending might not match up with the effect desired.  You could
try HEAD (Samba 3.0 alpha) as it has a completely re-written
authentication subsystem.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
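As an added example (not from the thread, and not pam_time's or Samba's own code), a small offline checker for /etc/security/time.conf rules of the kind the reply describes for the "samba" PAM service, so a restriction can be reviewed against sample logon times before it is deployed. The rule file, the user names and the office-hours policy are constructed for illustration; the ttys field is ignored.

```python
"""Offline checker for pam_time-style /etc/security/time.conf rules (hypothetical,
not part of pam_time or Samba). Simplifications: ttys field ignored, '&'/'|'
evaluated left to right, start > end taken as crossing midnight on the listed day."""
import re

DAYS = {"Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
        "Wk": set(range(5)), "Wd": {5, 6}, "Al": set(range(7))}  # weekdays/weekend/all

def _eval_list(field, item_true):
    """Evaluate a time.conf logic list ('a|b', '!a&!b', '*') left to right."""
    result, op = None, "|"
    for tok in re.findall(r"[&|]|[^&|]+", field):
        if tok in ("&", "|"):
            op = tok
            continue
        hit = item_true(tok.lstrip("!")) != tok.startswith("!")  # '!' negates
        result = hit if result is None else (
            (result and hit) if op == "&" else (result or hit))
    return bool(result)

def _time_item(spec, weekday, hhmm):
    """True if weekday (0=Mon) at hhmm falls inside e.g. 'Wk0800-1800'."""
    if not (m := re.fullmatch(r"((?:[A-Z][a-z])+)(\d{4})-(\d{4})", spec)):
        raise ValueError(f"bad time item: {spec!r}")
    days = set()
    for code in re.findall(r"[A-Z][a-z]", m.group(1)):
        days ^= DAYS[code]  # a repeated day code cancels itself, as in pam_time
    start, end = int(m.group(2)), int(m.group(3))
    if start <= end:
        return weekday in days and start <= hhmm < end
    return weekday in days and (hhmm >= start or hhmm < end)

def allowed(conf, service, user, weekday, hhmm):
    """Deny when any rule matching service and user has a false times field."""
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        services, _ttys, users, times = line.split(";")
        applies = (_eval_list(services, lambda s: s in ("*", service))
                   and _eval_list(users, lambda u: u in ("*", user)))
        if applies and not _eval_list(times, lambda t: _time_item(t, weekday, hhmm)):
            return False
    return True

# Constructed sample mirroring the thread: office hours plus Saturday morning, except on-call.
SAMPLE_CONF = """# services;ttys;users;times
samba;*;!oncall;Wk0800-1800|Sa0900-1300
samba;*;oncall;Al0000-2400
"""
```

Call `allowed(SAMPLE_CONF, "samba", "gary", 0, 1900)` to see a Monday 19:00 logon denied, which is the case that produced the "account restriction" error in the thread.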

