[Samba] Samba PDC trying rid null logins
Reed, Tameika
TReed at wa.aacisd.com
Tue Nov 18 01:56:08 GMT 2003
> We are trying to have linux authenticate to a linux server running samba
> 3.0. We have the XP Pro, 6.2 redhat, and 7.3 redhat machines. They all
> authenticate to the linux server but we are having problems with blank
> passwords or the user can type any password. We are using pam modules for
> the authentication on the client machines.
> I have included the config files for the server and the client (smb.conf).
> I have also included the pam_modules setup on the clients. We want all
> the usernames and passwords stored on the server. There will not be any
> users on the clients; their information will be pulled from the server.
> This includes telnet, ftp, and logins. We have got most of this working
> except for the blank passwords. We have configured this several different
> ways. This is our latest idea so this is what is in the lab right now.
>
> We have gotten that to work but we are having problems with null logins.
> In other words, if I type a username and leave the password field blank I
> can still login. If I put in a password of any kind I can still get in.
> Also, we have changed it so that null logins are not accepted (at least
> we think) but if you attempt login repeatedly you can still get in by
> not typing a password or by typing any password. I am not sure if the
> samba PDC does cached logins; if so I am not aware of how to turn this off
> if this is the case. I am sending you my config file to see if you can tell
> me if I am going in the right direction and if not how I can correct the
> matter. This is a mixed environment so there are 6.2, 7.3 and windows xp
> pro machines in the setup. The information that I am sending you deals
> with the linux clients as redhat 6.2 with samba 2.2.8 authenticating
> to redhat 7.3 with samba 3.0.0 on the server.
>
> I am not sure if the pam modules need to be upgraded for redhat 6.2 or if
> this is just totally impossible?
> I did not include the nsswitch.conf file but it is configured as follows:
>
>
> passwd: files winbind
> group:  files winbind
> hosts:  files winbind
>
> The iptables and ipchains are turned off on the server and client.
>
>
>
> <<ftp.txt>> <<sshd.txt>> <<login.txt>> <<passwd.txt>> <<samba.txt>>
> <<smb.conf>> <<su.txt>> <<smb_server.conf>>
>
>
> Thanks
>
> Tameika Reed
>
-------------- next part --------------
#%PAM-1.0
auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
#this line was changed should be pam_pwdb
auth sufficient /lib/security/pam_winbind.so shadow
auth required /lib/security/pam_shells.so
#this line was changed should be pam_pwdb
account required /lib/security/pam_winbind.so
session required /lib/security/pam_pwdb.so
-------------- next part --------------
#%PAM-1.0
auth required /lib/security/pam_winbind.so shadow nodelay
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_winbind.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_winbind.so shadow use_authtok
session required /lib/security/pam_pwdb.so
session required /lib/security/pam_limits.so
-------------- next part --------------
#%PAM-1.0
#Requires logins to be from tty
#auth required /lib/security/pam_securetty.so
#Passes environment variables
#auth required /lib/security/pam_env.so
#A domain account is sufficient to bypass the rest of the
#auth lines
auth sufficient /lib/security/pam_winbind.so
#if the user doesn't have a domain account then check
#for local unix accounts (root, or unix-smb synced accounts)
auth sufficient /lib/security/pam_unix.so use_first_pass likeauth nullok
#If everything above fails, deny
#auth required /lib/security/pam_deny.so
#If the above auth lines fail, deny all logins
auth required /lib/security/pam_nologin.so
#Check domain account?
account sufficient /lib/security/pam_winbind.so
#account required /lib/security/pam_unix.so
#account required /lib/security/pam_deny.so
#password required /lib/security/pam_cracklib.so retry=3
#password sufficient /lib/security/pam_unix.so use_authtok md5 shadow
#password required /lib/security/pam_deny.so
#Set user limits to resources, ie. cpu, memory, processes, # of
#concurrent logins, etc.
#session required /lib/security/pam_limits.so
#session required /lib/security/pam_unix.so
#If the user doesn't have a home directory, then one will be made
#in /home/username
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional /lib/security/pam_console.so
-------------- next part --------------
#%PAM-1.0
auth required /lib/security/pam_winbind.so shadow
account required /lib/security/pam_winbind.so
password required /lib/security/pam_cracklib.so lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 retry=3
password required /lib/security/pam_unix.so use_authtok md5 shadow
-------------- next part --------------
auth required pam_winbind.so
account required pam_winbind.so
session required pam_mkhomedir.so skel=/etc/samba/skel umask=0022
password required pam_unix.so
-------------- next part --------------
#%PAM-1.0
auth required /lib/security/pam_listfile.so onerr=fail item=user sense=allow file=/etc/security/suok
auth required /lib/security/pam_wheel.so use_uid
auth required /lib/security/pam_pwdb.so shadow
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so shadow use_authtok
session required /lib/security/pam_pwdb.so
session optional /lib/security/pam_xauth.so
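As an added illustration (not part of the original post), here is a small Python model of how Linux-PAM walks an auth stack, run over the uncommented auth lines of the posted login stack: with pam_deny commented out, the only required module is pam_nologin, which does not check a password at all, so a failed winbind and pam_unix check still end in success. Module outcomes are simulated rather than taken from real PAM calls, and the "fixed" stack simply restores the commented-out pam_deny line; both are assumptions of the example.

```python
# Minimal model of Linux-PAM auth-stack evaluation (required / requisite /
# sufficient / optional), used to show why the posted login stack lets a
# domain user in with a blank or wrong password.  Module outcomes are
# simulated here rather than obtained from real PAM calls (assumption).

SUCCESS, FAIL, IGNORE = "success", "fail", "ignore"

def evaluate(stack, outcomes):
    """stack: list of (control, module) in file order; outcomes: module
    name -> simulated result for this login attempt.  Returns the verdict."""
    required_failed = False  # a failing 'required' module is sticky
    decided = False          # has any non-ignored module set a result?
    for control, module in stack:
        result = outcomes.get(module, FAIL)
        if result == IGNORE:
            continue
        if control == "requisite":
            if result == FAIL:
                return FAIL      # requisite failure ends the stack at once
            decided = True
        elif control == "required":
            if result == FAIL:
                required_failed = True  # keep walking; later modules still run
            decided = True
        elif control == "sufficient":
            if result == SUCCESS and not required_failed:
                return SUCCESS   # short-circuit: the rest of the stack is skipped
            # a failing 'sufficient' module is simply ignored
        elif control == "optional" and result == SUCCESS:
            decided = True       # only matters if nothing else spoke
    if required_failed or not decided:
        return FAIL              # nobody vouched for the user -> deny
    return SUCCESS

# The uncommented auth lines of the posted login stack, in file order.
POSTED_LOGIN_AUTH = [
    ("sufficient", "pam_winbind.so"),
    ("sufficient", "pam_unix.so"),   # use_first_pass likeauth nullok
    ("required", "pam_nologin.so"),
]
# Same stack with the commented-out 'auth required pam_deny.so' restored.
FIXED_LOGIN_AUTH = POSTED_LOGIN_AUTH + [("required", "pam_deny.so")]

# Domain user typing a blank password: winbind rejects it, pam_unix has no
# local account, and 2003-era pam_nologin returns success whenever
# /etc/nologin is absent (current Linux-PAM returns ignore unless successok).
BLANK_PASSWORD = {"pam_winbind.so": FAIL, "pam_unix.so": FAIL,
                  "pam_nologin.so": SUCCESS, "pam_deny.so": FAIL}
GOOD_PASSWORD = dict(BLANK_PASSWORD, **{"pam_winbind.so": SUCCESS})
```

The posted ftp stack has the same shape (a sufficient pam_winbind followed only by required modules that never look at the password, pam_shells), so the same verdict applies there; the `nullok` on pam_unix additionally accepts blank passwords for any local account that has an empty password field.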