[Samba] Authentication via PAM posixAccounts in RH EL ASv3

patrick at naturecare.com.au patrick at naturecare.com.au
Mon Aug 9 07:57:28 GMT 2004


To anyone who can help,

I'm trying to setup samba to authenticate through PAM (ldap) but can't
find /consistent/ documentation for this.

POP/IMAP/ and local login works via pam_ldap, and samba was compiled
--with-pam.

Would appreciate hearing from anyone who has had any joy with this setup.

           *****************************************

My smb.conf is:

[global]
workgroup = NCC
server string = Fileserver
log file = /usr/local/samba/var/log.%m
log level = 5
security = user
obey pam restrictions = yes

#============================ Share Definitions
[test]
   comment = test
   path = /exports/test
   valid users = patrick
   public = no
   writable = yes
   printable = no
   create mask = 0765


My nsswitch.conf is:

passwd:     files ldap
shadow:     files ldap
group:      files ldap

hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files ldap
netmasks:   files ldap
networks:   files ldap
protocols:  files ldap
rpc:        files ldap
services:   files ldap
netgroup:   files ldap
publickey:  nisplus
automount:  files ldap
aliases:    files nisplus


And /etc/pam.d/system-auth is:

#%PAM-1.0
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_ldap.so
auth        required      /lib/security/$ISA/pam_unix.so nullok use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     sufficient    /lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_unix.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass use_authtok
password    required      /lib/security/$ISA/pam_ldap.so nullok use_first_pass use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     required      /lib/security/$ISA/pam_env.so
session     optional      /lib/security/$ISA/pam_ldap.so


/etc/ldap.conf is :

# PADL Software
# http://www.padl.com
#
host 10.79.52.1
base dc=naturecare,dc=com,dc=au
scope sub
timelimit 30
bind_timelimit 30
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
nss_base_passwd         ou=People,dc=naturecare,dc=com,dc=au?sub
nss_base_shadow         ou=People,dc=naturecare,dc=com,dc=au?sub
nss_base_group          ou=Group,dc=naturecare,dc=com,dc=au?sub
ssl no
pam_password md5


   *********************************
The log.smbd shows :

[2004/08/09 17:54:10, 5] auth/auth_util.c:make_user_info_map(225)
  make_user_info_map: Mapping user [NCC]\[patrick] from workstation [FILESERVER]
[2004/08/09 17:54:10, 5] auth/auth_util.c:make_user_info(133)
  attempting to make a user_info for patrick (patrick)
[2004/08/09 17:54:10, 5] auth/auth_util.c:make_user_info(143)
  making strings for patrick's user_info struct
[2004/08/09 17:54:10, 5] auth/auth_util.c:make_user_info(185)
  making blobs for patrick's user_info struct
[2004/08/09 17:54:10, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user [NCC]\[patrick]@[FILESERVER] with the new password interface
[2004/08/09 17:54:10, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [FILESERVER]\[patrick]@[FILESERVER]
[2004/08/09 17:54:10, 5] lib/util.c:dump_data(1864)
  [000] D8 07 19 ED 58 0B 86 2C                           ....X..,
[2004/08/09 17:54:10, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2004/08/09 17:54:10, 3] smbd/uid.c:push_conn_ctx(351)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2004/08/09 17:54:10, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/08/09 17:54:10, 5] auth/auth_util.c:debug_nt_user_token(486)
  NT user token: (NULL)
[2004/08/09 17:54:10, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2004/08/09 17:54:10, 5] passdb/pdb_smbpasswd.c:getsmbfilepwent(517)
  getsmbfilepwent: end of file reached.
[2004/08/09 17:54:10, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/08/09 17:54:10, 3] auth/auth_sam.c:check_sam_security(202)
  check_sam_security: Couldn't find user 'patrick' in passdb file.
[2004/08/09 17:54:10, 5] auth/auth.c:check_ntlm_password(271)
  check_ntlm_password: sam authentication for user [patrick] FAILED with error NT_STATUS_NO_SUCH_USER
[2004/08/09 17:54:10, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [patrick] -> [patrick] FAILED with error NT_STATUS_NO_SUCH_USER
[2004/08/09 17:54:10, 5] auth/auth_util.c:free_user_info(1298)
  attempting to free (and zero) a user_info structure
[2004/08/09 17:54:10, 3] smbd/process.c:timeout_processing(1104)
  timeout_processing: End of file from client (client has disconnected).
[2004/08/09 17:54:10, 5] lib/gencache.c:gencache_shutdown(88)
  Closing cache file
[2004/08/09 17:54:10, 5] libsmb/namecache.c:namecache_shutdown(79)
  namecache_shutdown: netbios namecache closed successfully.
[2004/08/09 17:54:10, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/08/09 17:54:10, 5] auth/auth_util.c:debug_nt_user_token(486)
  NT user token: (NULL)
[2004/08/09 17:54:10, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2004/08/09 17:54:10, 5] smbd/uid.c:change_to_root_user(282)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2004/08/09 17:54:10, 2] smbd/server.c:exit_server(568)
  Closing connections
[2004/08/09 17:54:10, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to
[2004/08/09 17:54:10, 3] smbd/connection.c:yield_connection(76)
  yield_connection: tdb_delete for name  failed with error Record does not exist.
[2004/08/09 17:54:10, 5] smbd/oplock.c:receive_local_message(107)
  receive_local_message: doing select with timeout of 1 ms
[2004/08/09 17:54:10, 3] smbd/server.c:exit_server(611)
  Server exit (normal exit)



which has me thinking that the account does not exist but slapcat shows...

dn: uid=patrick,ou=People,dc=naturecare,dc=com,dc=au
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: account
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
host: *
uid: patrick
uidNumber: 555
givenName: Patrick
sn: Taylor
cn: Patrick Taylor
homeDirectory: /home/patrick
ou: Administration
o: Nature Care College
creatorsName: cn=root,dc=naturecare,dc=com,dc=au
createTimestamp: 20040602032309Z
loginShell: /bin/bash
gecos: Patrick Taylor
gidNumber: 508
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: System User
sambaSID: S-1-5-21-921662641-1388859227-794065773-2110
sambaLMPassword: 18957BF98BF20D09AAD3B435B51404EE
sambaAcctFlags: [U]
sambaNTPassword: 34BC4A5C9EAA7E02B5A0E4204DD37833
sambaPwdLastSet: 1091559820
sambaPwdMustChange: 1095447820
userPassword:: ******deleted for email******
shadowLastChange: 12635
modifiersName: cn=root,dc=naturecare,dc=com,dc=au
modifyTimestamp: 20040805224806Z


       ******************************************