[Samba] Authentication via PAM posixAccounts in RH EL ASv3
patrick at naturecare.com.au
Mon Aug 9 07:57:28 GMT 2004
To anyone who can help,
I'm trying to set up samba to authenticate through PAM (ldap) but can't
find /consistent/ documentation for this.
POP/IMAP/ and local login works via pam_ldap, and samba was compiled
--with-pam.
Would appreciate hearing from anyone who has had any joy with this setup.
*****************************************
My smb.conf is:
[global]
workgroup = NCC
server string = Fileserver
log file = /usr/local/samba/var/log.%m
log level = 5
security = user
obey pam restrictions = yes
#============================ Share Definitions
[test]
comment = test
path = /exports/test
valid users = patrick
public = no
writable = yes
printable = no
create mask = 0765
My nsswitch.conf is:
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files ldap
netmasks: files ldap
networks: files ldap
protocols: files ldap
rpc: files ldap
services: files ldap
netgroup: files ldap
publickey: nisplus
automount: files ldap
aliases: files nisplus
And /etc/pam.d/system-auth is:
#%PAM-1.0
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_ldap.so
auth required /lib/security/$ISA/pam_unix.so nullok use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account sufficient /lib/security/$ISA/pam_ldap.so
account required /lib/security/$ISA/pam_unix.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_ldap.so use_first_pass use_authtok
password required /lib/security/$ISA/pam_ldap.so nullok use_first_pass use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session required /lib/security/$ISA/pam_env.so
session optional /lib/security/$ISA/pam_ldap.so
/etc/ldap.conf is :
# PADL Software
# http://www.padl.com
#
host 10.79.52.1
base dc=naturecare,dc=com,dc=au
scope sub
timelimit 30
bind_timelimit 30
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
nss_base_passwd ou=People,dc=naturecare,dc=com,dc=au?sub
nss_base_shadow ou=People,dc=naturecare,dc=com,dc=au?sub
nss_base_group ou=Group,dc=naturecare,dc=com,dc=au?sub
ssl no
pam_password md5
*********************************
The log.smbd shows :
[2004/08/09 17:54:10, 5] auth/auth_util.c:make_user_info_map(225)
make_user_info_map: Mapping user [NCC]\[patrick] from workstation [FILESERVER]
[2004/08/09 17:54:10, 5] auth/auth_util.c:make_user_info(133)
attempting to make a user_info for patrick (patrick)
[2004/08/09 17:54:10, 5] auth/auth_util.c:make_user_info(143)
making strings for patrick's user_info struct
[2004/08/09 17:54:10, 5] auth/auth_util.c:make_user_info(185)
making blobs for patrick's user_info struct
[2004/08/09 17:54:10, 3] auth/auth.c:check_ntlm_password(219)
check_ntlm_password: Checking password for unmapped user [NCC]\[patrick]@[FILESERVER] with the new password interface
[2004/08/09 17:54:10, 3] auth/auth.c:check_ntlm_password(222)
check_ntlm_password: mapped user is: [FILESERVER]\[patrick]@[FILESERVER]
[2004/08/09 17:54:10, 5] lib/util.c:dump_data(1864)
[000] D8 07 19 ED 58 0B 86 2C ....X..,
[2004/08/09 17:54:10, 3] smbd/sec_ctx.c:push_sec_ctx(256)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2004/08/09 17:54:10, 3] smbd/uid.c:push_conn_ctx(351)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2004/08/09 17:54:10, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/08/09 17:54:10, 5] auth/auth_util.c:debug_nt_user_token(486)
NT user token: (NULL)
[2004/08/09 17:54:10, 5] auth/auth_util.c:debug_unix_user_token(505)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2004/08/09 17:54:10, 5] passdb/pdb_smbpasswd.c:getsmbfilepwent(517)
getsmbfilepwent: end of file reached.
[2004/08/09 17:54:10, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/08/09 17:54:10, 3] auth/auth_sam.c:check_sam_security(202)
check_sam_security: Couldn't find user 'patrick' in passdb file.
[2004/08/09 17:54:10, 5] auth/auth.c:check_ntlm_password(271)
check_ntlm_password: sam authentication for user [patrick] FAILED with error NT_STATUS_NO_SUCH_USER
[2004/08/09 17:54:10, 2] auth/auth.c:check_ntlm_password(312)
check_ntlm_password: Authentication for user [patrick] -> [patrick] FAILED with error NT_STATUS_NO_SUCH_USER
[2004/08/09 17:54:10, 5] auth/auth_util.c:free_user_info(1298)
attempting to free (and zero) a user_info structure
[2004/08/09 17:54:10, 3] smbd/process.c:timeout_processing(1104)
timeout_processing: End of file from client (client has disconnected).
[2004/08/09 17:54:10, 5] lib/gencache.c:gencache_shutdown(88)
Closing cache file
[2004/08/09 17:54:10, 5] libsmb/namecache.c:namecache_shutdown(79)
namecache_shutdown: netbios namecache closed successfully.
[2004/08/09 17:54:10, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/08/09 17:54:10, 5] auth/auth_util.c:debug_nt_user_token(486)
NT user token: (NULL)
[2004/08/09 17:54:10, 5] auth/auth_util.c:debug_unix_user_token(505)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2004/08/09 17:54:10, 5] smbd/uid.c:change_to_root_user(282)
change_to_root_user: now uid=(0,0) gid=(0,0)
[2004/08/09 17:54:10, 2] smbd/server.c:exit_server(568)
Closing connections
[2004/08/09 17:54:10, 3] smbd/connection.c:yield_connection(69)
Yielding connection to
[2004/08/09 17:54:10, 3] smbd/connection.c:yield_connection(76)
yield_connection: tdb_delete for name failed with error Record does not exist.
[2004/08/09 17:54:10, 5] smbd/oplock.c:receive_local_message(107)
receive_local_message: doing select with timeout of 1 ms
[2004/08/09 17:54:10, 3] smbd/server.c:exit_server(611)
Server exit (normal exit)
which has me thinking that the account does not exist, but slapcat shows...
dn: uid=patrick,ou=People,dc=naturecare,dc=com,dc=au
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: account
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
host: *
uid: patrick
uidNumber: 555
givenName: Patrick
sn: Taylor
cn: Patrick Taylor
homeDirectory: /home/patrick
ou: Administration
o: Nature Care College
creatorsName: cn=root,dc=naturecare,dc=com,dc=au
createTimestamp: 20040602032309Z
loginShell: /bin/bash
gecos: Patrick Taylor
gidNumber: 508
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: System User
sambaSID: S-1-5-21-921662641-1388859227-794065773-2110
sambaLMPassword: 18957BF98BF20D09AAD3B435B51404EE
sambaAcctFlags: [U]
sambaNTPassword: 34BC4A5C9EAA7E02B5A0E4204DD37833
sambaPwdLastSet: 1091559820
sambaPwdMustChange: 1095447820
userPassword:: ******deleted for email******
shadowLastChange: 12635
modifiersName: cn=root,dc=naturecare,dc=com,dc=au
modifyTimestamp: 20040805224806Z
******************************************
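The log above fails inside check_sam_security, i.e. in Samba's passdb lookup (pdb_smbpasswd.c, the default smbpasswd file when no passdb backend is set), not in PAM: with encrypted passwords an NTLM logon is verified against the stored NT hash, and PAM is only consulted for plaintext logons (encrypt passwords = no); obey pam restrictions governs only account and session management. The following triage script is an added example, not code from the original post or from the Samba project. It parses an smbd level-5 log and an LDIF dump of the user entry and reports why the logon failed. The SAMPLE_* strings are constructed from the excerpts in the post (one message line per log header, password attributes shortened); the objectClass sambaSamAccount check assumes Samba 3's default ldapsam filter, and the LM-hash check relies on the well-known fact that the second half of an LM hash of a password of 7 or fewer characters is the constant AAD3B435B51404EE.

```python
"""Triage a Samba NTLM logon that fails with NT_STATUS_NO_SUCH_USER.

Added example, not the poster's or Samba's own code. Assumptions: the
SAMPLE_* inputs are constructed from the mailing-list post; ldapsam's
default filter requires objectClass sambaSamAccount (Samba 3); an LM hash
whose second half is AAD3B435B51404EE belongs to a password of <= 7 chars.
"""
import re
from typing import Dict, List

# Constructed from the post's log.smbd excerpt, trimmed to the auth path.
SAMPLE_LOG = """\
[2004/08/09 17:54:10, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password: Checking password for unmapped user [NCC]\\[patrick]@[FILESERVER] with the new password interface
[2004/08/09 17:54:10, 5] passdb/pdb_smbpasswd.c:getsmbfilepwent(517)
  getsmbfilepwent: end of file reached.
[2004/08/09 17:54:10, 3] auth/auth_sam.c:check_sam_security(202)
  check_sam_security: Couldn't find user 'patrick' in passdb file.
[2004/08/09 17:54:10, 5] auth/auth.c:check_ntlm_password(271)
  check_ntlm_password: sam authentication for user [patrick] FAILED with error NT_STATUS_NO_SUCH_USER
[2004/08/09 17:54:10, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [patrick] -> [patrick] FAILED with error NT_STATUS_NO_SUCH_USER
"""

# Constructed from the post's slapcat output (userPassword shortened).
SAMPLE_LDIF = """\
dn: uid=patrick,ou=People,dc=naturecare,dc=com,dc=au
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: account
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
uid: patrick
uidNumber: 555
gidNumber: 508
sambaSID: S-1-5-21-921662641-1388859227-794065773-2110
sambaLMPassword: 18957BF98BF20D09AAD3B435B51404EE
sambaAcctFlags: [U]
sambaNTPassword: 34BC4A5C9EAA7E02B5A0E4204DD37833
userPassword:: e1NTSEF9...
"""

# "[timestamp, level] file:function(line)" as written by smbd's DEBUG macro.
HEADER = re.compile(
    r"^\[(?P<ts>[^,\]]+), (?P<level>\d+)\] (?P<src>[\w/.]+):(?P<func>\w+)\((?P<line>\d+)\)$")
FAILURE = re.compile(r"for user \[(?P<user>[^\]]+)\].*?FAILED with error (?P<status>NT_STATUS_\w+)")
LM_EMPTY_HALF = "AAD3B435B51404EE"  # LM DES block for an empty 7-char half


def parse_smbd_log(text: str) -> List[dict]:
    """Group smbd log lines into records: header fields plus the joined message."""
    records: List[dict] = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            rec = m.groupdict()
            rec["level"] = int(rec["level"])
            rec["msg"] = ""
            records.append(rec)
        elif records:  # continuation line belongs to the last header
            records[-1]["msg"] = (records[-1]["msg"] + " " + raw.strip()).strip()
    return records


def parse_ldif(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into {lowercased attribute: [values]}."""
    entry: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        # "attr:: value" is base64; presence is all we need here.
        entry.setdefault(attr.strip().lower(), []).append(value.lstrip(": ").strip())
    return entry


def lm_hash_reveals_short_password(lm_hash: str) -> bool:
    """True when the second LM half is the empty-block constant (password <= 7 chars)."""
    return lm_hash.strip().upper().endswith(LM_EMPTY_HALF)


def diagnose(log_text: str, ldif_text: str) -> dict:
    """Correlate the smbd failure with the directory entry and list findings."""
    records = parse_smbd_log(log_text)
    entry = parse_ldif(ldif_text)
    result = {
        "user": None, "status": None, "passdb_lookup_failed": False,
        "ldap_has_nt_hash": "sambantpassword" in entry,
        "ldap_has_samba_objectclass": any(
            oc.lower() == "sambasamaccount" for oc in entry.get("objectclass", [])),
        "findings": [],
    }
    for rec in records:
        m = FAILURE.search(rec["msg"])
        if m and result["status"] is None:  # first FAILED line is the backend verdict
            result["user"], result["status"] = m["user"], m["status"]
        if rec["func"] == "check_sam_security" and "passdb" in rec["msg"]:
            result["passdb_lookup_failed"] = True
    if result["status"] == "NT_STATUS_NO_SUCH_USER" and result["passdb_lookup_failed"]:
        result["findings"].append(
            "passdb backend has no entry for the user: NTLM is verified against the stored "
            "NT hash, PAM is only used for plaintext logons (encrypt passwords = no)")
    if result["ldap_has_nt_hash"] and not result["ldap_has_samba_objectclass"]:
        result["findings"].append(
            "entry has sambaNTPassword but no objectClass sambaSamAccount, "
            "which ldapsam's default filter requires")
    lm = entry.get("sambalmpassword")
    if lm and lm_hash_reveals_short_password(lm[0]):
        result["findings"].append(
            "sambaLMPassword is stored and its second half is the empty-block "
            "constant: the password is at most 7 characters")
    return result


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, SAMPLE_LDIF)["findings"]:
        print("-", finding)
```

Run it against a real log with log level = 3 or higher and an `ldapsearch -x -b ou=People,... uid=patrick` dump; the first FAILED line names the backend that rejected the logon, and the LM finding is worth acting on regardless of the original problem, since LM hashes of short passwords are trivially cracked.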