[Samba] How do I get pam_mkhomedir to work

Ganguly, Sapan Sapan.Ganguly at thalesgroup.com
Wed Feb 4 16:21:24 GMT 2004

 I just got this working today, thanks to Andy from the BBC.  Here is what
my pam.conf looks like, warts and all!

#ident  "@(#)pam.conf   1.20    02/01/23 SMI"
# Copyright 1996-2002 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
# PAM configuration
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
# Authentication management
# login service (explicit because of pam_dial_auth)
login   auth required           pam_winbind.so
login   auth requisite          pam_authtok_get.so.1 debug
#login   auth sufficient         /usr/lib/security/pam_winbind.so.1
try_first_pass debug
login   auth sufficient         pam_dhkeys.so.1 debug
login   auth sufficient         pam_unix_auth.so.1 debug
login   auth sufficient         pam_dial_auth.so.1 debug
#login   auth sufficient         /usr/lib/security/pam_winbind.so.1 debug

# rlogin service (explicit because of pam_rhost_auth)
rlogin  auth required           pam_winbind.so
rlogin  auth sufficient         pam_rhosts_auth.so.1 debug
rlogin  auth requisite          pam_authtok_get.so.1 debug
rlogin  auth sufficient         pam_dhkeys.so.1 debug
rlogin  auth sufficient         pam_unix_auth.so.1 debug
#rlogin auth sufficient         /usr/lib/security/pam_winbind.so.1
try_first_pass debug
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
rsh     auth sufficient         pam_rhosts_auth.so.1 debug
rsh     auth required           pam_unix_auth.so.1 debug
# PPP service (explicit because of pam_dial_auth)
ppp     auth requisite          pam_authtok_get.so.1 debug
ppp     auth required           pam_dhkeys.so.1 debug
ppp     auth required           pam_unix_auth.so.1 debug
ppp     auth required           pam_dial_auth.so.1 debug
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authenctication
other   auth sufficient         pam_winbind.so
other   auth requisite          pam_authtok_get.so.1 debug
other   auth sufficient         pam_dhkeys.so.1 debug
other   auth sufficient         pam_unix_auth.so.1 debug
#other  auth sufficient         /usr/lib/security/pam_winbind.so.1
try_first_pass debug
# passwd command (explicit because of a different authentication module)
passwd  auth required           pam_passwd_auth.so.1 debug
# cron service (explicit because of non-usage of pam_roles.so.1)
cron    account required        pam_projects.so.1 debug
cron    account required        pam_unix_account.so.1 debug
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
other   account sufficient      pam_winbind.so
other   account requisite       pam_roles.so.1 debug
other   account sufficient      pam_projects.so.1 debug
other   account sufficient      pam_unix_account.so.1 debug
#other  account sufficient      /usr/lib/security/pam_winbind.so.1 debug
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
other   session required        pam_mkhomedir.so skel=/etc/skel umask=0022
other   session required        pam_unix_session.so.1 debug
other   session sufficient      /usr/lib/security/pam_winbind.so.1
try_first_pass debug
#other  session required        pam_mkhomedir.so.1 debug skel=/etc/skel
# Default definition for  Password management
# Used when service name is not explicitly mentioned for password management
other   password required       pam_dhkeys.so.1 debug
other   password requisite      pam_authtok_get.so.1 debug
other   password requisite      pam_authtok_check.so.1 debug
other   password required       pam_authtok_store.so.1 debug
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#rlogin         auth optional           pam_krb5.so.1 try_first_pass
#login          auth optional           pam_krb5.so.1 try_first_pass
#other          auth optional           pam_krb5.so.1 try_first_pass
#cron           account optional        pam_krb5.so.1
#other          account optional        pam_krb5.so.1
#other          session optional        pam_krb5.so.1
#other          password optional       pam_krb5.so.1 try_first_pass

-----Original Message-----
From: Buchan Milne [mailto:bgmilne at obsidian.co.za] 
Sent: 04 February 2004 16:17
To: Tim Simpson
Cc: samba at lists.samba.org
Subject: Re: [Samba] How do I get pam_mkhomedir to work

On 3 Feb 2004, Tim Simpson wrote:

> Message follows this disclaimer
> ----------------------------------------------------------------------
> ----------------------------
> This email and any files transmitted with it is confidential and intended
> for the person or organisation to whom it is addressed. 

This mail is not addressed to me, may I read it? ;-)

> Sorry if this is a simple question but I have been struggling for many 
> days trying to samba-3.0.2rc2 working with a win2k AD
> wbinfo -t works
> wbinfo -u works
> wbinfo -g works
> getent passwd username works
> sharing dirs works
> in fact everything seems to work with the exception of a users 
> directory being created using pam_mkhomedir.so
> I am running on Redhat 9   with Samba 3.0.2rc2
> Samba was built using the following options   configure --with-quotas
> I presume it is something wrong with my pam config  which follows
> #%PAM-1.0
> auth       required     pam_securetty.so
> #auth       required    pam_stack.so service=system-auth
> auth       required     pam_nologin.so
> auth       sufficient   pam_winbind.so
> auth       required     pam_env.so
> auth       required     pam_unix.so nullok use_first_pass
> account    sufficient pam_winbind.so
> account    required pam_unix.so
> #account    required    pam_stack.so service=system-auth
> #password   required    pam_stack.so service=system-auth
> #session    required    pam_stack.so service=system-auth
> #session    optional    pam_console.so
> session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ 
> umask=0022 password required pam_unix.so nullok obscure min=4 max=8 
> session required pam_unix.so session optional pam_lastlog.so
> session optional pam_motd.so
> session optional pam_mail.so standard noenv
> I have tried many varations of this file from various postings but all 
> to no avail
> the relevant part of smb.conf follow
> # Global parameters
> [global]
>         workgroup = LEARNINGDOMAIN
>         realm = LEARNINGDOMAIN.ORG
>         server string = %L running Samba %v
>         security = ADS
>         obey pam restrictions = Yes
>         password server = pdc.learningdomain.org
>         passwd program = /usr/bin/passwd %u
>         unix password sync = Yes
>         log level = 3
>         log file = /var/log/samba/log.%m
>         preferred master = No
>         local master = No
>         domain master = No
>         dns proxy = No
>         ldap ssl = no
>         idmap uid = 10000-20000
>         idmap gid = 10000-20000
>         template homedir = /home/%D/%U
>         template shell = /bin/bash
>         winbind separator = +
> [shares]
>         force create mode = 0660
>         force directory mode = 0770
> [homes]
>         path = /home/%D/%U
>         browseable = no
>         read only = no
>         create mask = 0600
>         directory mask = 0700
>         writable = yes
> if I try su - DOMAIN+Username from a shell prompt
> I get the following reply
> [root at store01 pam.d]# su - LEARNINGDOMAIN+Administrator
> su: warning: cannot change directory to 
> /home/LEARNINGDOMAIN/Administrator: No such file or directory 
> -bash-2.05b$

pam_mkhomedir doesn't make deep directories ... does /home/LEARNINGDOMAIN 

And, you don't mention which pam config file you are editing, but it is 
most likely more useful to do this in system-auth, then if you set 'obey 
pam restrictions = yes' in smb.conf, samba will even make the home 
directories (or any app pam application with session support ...


To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

More information about the samba mailing list