[Samba] Setting up PDC with PAM
Andrew Bartlett
abartlet at samba.org
Tue Mar 11 11:43:22 GMT 2003
On Mon, 2003-03-10 at 17:09, Paul Cabot wrote:
> According to the documentation on setting up Samba to be a PDC, it says
> that you have to enable encrypted passwords for it to work!
>
> Now for Samba with PAM to work the documentation says that you can't
> have encrypted passwords enabled!
Correct, for authentication. The 'obey pam restrictions' is about
'account' and 'session' properties like 'expired' and 'too many users'.
> So does that mean that I can't set up Samba as a PDC and use PAM to
> authenticate the users!
Yes.
> Reason I ask is I did have Samba set up as a PDC with 3 windows client
> computers, 2 with Windows 2000, one with Windows XP!
>
> I then decided to try and use PAM so I went into the registry of the 3
> clients and set it to enableplaintextpasswords = 1
This won't affect domain logons from NT or above.
> And I set Samba to plain text passwords and to obey pam restrictions!
>
> PAM now works, i.e. if I change the password with smbpasswd the unix
> password is changed as well!
>
> But the problem I'm having is!
>
> When I log on to the domain, my username and password are accepted but
> then I get a message on windows saying that it couldn't access my
> profile and will use a local profile, also it mentions that the username
> and password might not be correct! Once I have the windows desktop I
> can't access my home network drive (The one that you set Samba to), but
> if I go into the network area and access the domain there and then
> access the server it asks for my username and password and voila it
> works I can access the profiles and home shares!
If you have your passwords in smbpasswd, then just set 'encrypt
passwords = yes' and be happy.
> Here is my smb.conf file
>
> [global]
> workgroup = DOMAIN
> netbios name = CABOTP
> server string = Samba Server %v %h
> obey pam restrictions = Yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *New*password* %n\n *Retype*new*password* %n\n
> *passwd:*all*authentication*tokens*updated*successfully*
> username map = /etc/samba/smbusers
> unix password sync = Yes
> log level = 1
> log file = /var/log/samba/%m.log
> max log size = 50
> time server = Yes
> printcap name = lpstat
> logon script = %U.vbs
> logon path = \\%L\Profiles\%U
> logon drive = Z:
> logon home = \\%L\%U
> domain logons = Yes
> os level = 64
> preferred master = Yes
> domain master = Yes
> wins support = Yes
> hosts allow = 192.168.0.0/24, 127.0.0.1
> printing = lprng
>
> [homes]
> comment = Home Directories
> valid users = %S
> admin users = root,paul
> read only = No
> create mask = 0664
> directory mask = 0775
> strict allocate = Yes
> strict locking = Yes
>
> [netlogon]
> comment = Network Logon Service
> path = /var/spool/samba/netlogon
> write list = root
>
> [Profiles]
> path = /var/spool/samba/profiles
> read only = No
> csc policy = disable
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
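
The conflict confirmed in the reply above (domain logons need encrypted passwords, and with encrypted passwords PAM only covers 'account' and 'session'), written as a configuration check. This is an added example, not part of the original thread and not Samba's own tooling; the function names, the sample configs (constructed from the posted one) and the `encrypt_default` parameter are assumptions, the last standing in for whatever your Samba version uses when the setting is absent.

```python
import re

TRUE = {"yes", "true", "1"}

# Constructed samples: POSTED mirrors the relevant lines of the config in the
# thread (no 'encrypt passwords' line); FIXED adds the setting from the reply.
POSTED = """[global]
    workgroup = DOMAIN
    obey pam restrictions = Yes
    unix password sync = Yes
    domain logons = Yes
[homes]
    read only = No
"""
FIXED = POSTED.replace("[homes]", "    Encrypt Passwords = yes\n[homes]")

def parse_global(text):
    """Return the [global] parameters as {normalised name: value}."""
    params, section = {}, None
    for raw in text.replace("\\\n", "").splitlines():  # join continued lines
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.*)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def flag(params, name, default=False):
    value = params.get(name)
    return default if value is None else value.lower() in TRUE

def check(text, encrypt_default=False):
    """encrypt_default: assumed built-in default when the setting is absent."""
    p = parse_global(text)
    encrypted = flag(p, "encryptpasswords", encrypt_default)
    findings = []
    if flag(p, "domainlogons") and not encrypted:
        findings.append(("error", "domain logons = yes requires encrypt passwords = yes"))
    if encrypted and flag(p, "obeypamrestrictions"):
        findings.append(("note", "PAM is used for account/session checks only, "
                                 "not for authentication"))
    return findings

if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("fixed", FIXED)):
        print(name, check(conf))
```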