[Samba] How do I get pam_mkhomedir to work
Ganguly, Sapan
Sapan.Ganguly at thalesgroup.com
Wed Feb 4 16:21:24 GMT 2004
I just got this working today, thanks to Andy from the BBC. Here is what
my pam.conf looks like, warts and all!
#
#ident "@(#)pam.conf 1.20 02/01/23 SMI"
#
# Copyright 1996-2002 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth required pam_winbind.so
login auth requisite pam_authtok_get.so.1 debug
#login auth sufficient /usr/lib/security/pam_winbind.so.1 try_first_pass debug
login auth sufficient pam_dhkeys.so.1 debug
login auth sufficient pam_unix_auth.so.1 debug
login auth sufficient pam_dial_auth.so.1 debug
#login auth sufficient /usr/lib/security/pam_winbind.so.1 debug try_first_pass
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth required pam_winbind.so
rlogin auth sufficient pam_rhosts_auth.so.1 debug
rlogin auth requisite pam_authtok_get.so.1 debug
rlogin auth sufficient pam_dhkeys.so.1 debug
rlogin auth sufficient pam_unix_auth.so.1 debug
#rlogin auth sufficient /usr/lib/security/pam_winbind.so.1 try_first_pass debug
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1 debug
rsh auth required pam_unix_auth.so.1 debug
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1 debug
ppp auth required pam_dhkeys.so.1 debug
ppp auth required pam_unix_auth.so.1 debug
ppp auth required pam_dial_auth.so.1 debug
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth sufficient pam_winbind.so
other auth requisite pam_authtok_get.so.1 debug
other auth sufficient pam_dhkeys.so.1 debug
other auth sufficient pam_unix_auth.so.1 debug
#other auth sufficient /usr/lib/security/pam_winbind.so.1 try_first_pass debug
#
# passwd command (explicit because of a different authentication module)
#
passwd auth required pam_passwd_auth.so.1 debug
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_projects.so.1 debug
cron account required pam_unix_account.so.1 debug
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account sufficient pam_winbind.so
other account requisite pam_roles.so.1 debug
other account sufficient pam_projects.so.1 debug
other account sufficient pam_unix_account.so.1 debug
#other account sufficient /usr/lib/security/pam_winbind.so.1 debug
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_mkhomedir.so skel=/etc/skel umask=0022
other session required pam_unix_session.so.1 debug
other session sufficient /usr/lib/security/pam_winbind.so.1 try_first_pass debug
#other session required pam_mkhomedir.so.1 debug skel=/etc/skel umask=0022
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1 debug
other password requisite pam_authtok_get.so.1 debug
other password requisite pam_authtok_check.so.1 debug
other password required pam_authtok_store.so.1 debug
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin auth optional pam_krb5.so.1 try_first_pass
#login auth optional pam_krb5.so.1 try_first_pass
#other auth optional pam_krb5.so.1 try_first_pass
#cron account optional pam_krb5.so.1
#other account optional pam_krb5.so.1
#other session optional pam_krb5.so.1
#other password optional pam_krb5.so.1 try_first_pass
-----Original Message-----
From: Buchan Milne [mailto:bgmilne at obsidian.co.za]
Sent: 04 February 2004 16:17
To: Tim Simpson
Cc: samba at lists.samba.org
Subject: Re: [Samba] How do I get pam_mkhomedir to work
On 3 Feb 2004, Tim Simpson wrote:
> Message follows this disclaimer
> --------------------------------------------------------------------------------------------------
> This email and any files transmitted with it is confidential and intended solely
> for the person or organisation to whom it is addressed.
This mail is not addressed to me, may I read it? ;-)
> Sorry if this is a simple question but I have been struggling for many
> days trying to get samba-3.0.2rc2 working with a win2k AD
>
> wbinfo -t works
> wbinfo -u works
> wbinfo -g works
>
> getent passwd username works
>
> sharing dirs works
>
> in fact everything seems to work with the exception of a users
> directory being created using pam_mkhomedir.so
>
> I am running on Redhat 9 with Samba 3.0.2rc2
>
> Samba was built using the following options: configure --with-quotas --with-pam
>
> I presume it is something wrong with my pam config which follows
>
> #%PAM-1.0
> auth required pam_securetty.so
> #auth required pam_stack.so service=system-auth
> auth required pam_nologin.so
> auth sufficient pam_winbind.so
> auth required pam_env.so
> auth required pam_unix.so nullok use_first_pass
> account sufficient pam_winbind.so
> account required pam_unix.so
> #account required pam_stack.so service=system-auth
> #password required pam_stack.so service=system-auth
> #session required pam_stack.so service=system-auth
> #session optional pam_console.so
> session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
> password required pam_unix.so nullok obscure min=4 max=8
> session required pam_unix.so
> session optional pam_lastlog.so
> session optional pam_motd.so
> session optional pam_mail.so standard noenv
>
> I have tried many variations of this file from various postings but all
> to no avail
>
> the relevant part of smb.conf follow
>
> # Global parameters
> [global]
> workgroup = LEARNINGDOMAIN
> realm = LEARNINGDOMAIN.ORG
> server string = %L running Samba %v
> security = ADS
> obey pam restrictions = Yes
> password server = pdc.learningdomain.org
> passwd program = /usr/bin/passwd %u
> unix password sync = Yes
> log level = 3
> log file = /var/log/samba/log.%m
> preferred master = No
> local master = No
> domain master = No
> dns proxy = No
> ldap ssl = no
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> template homedir = /home/%D/%U
> template shell = /bin/bash
> winbind separator = +
> [shares]
> force create mode = 0660
> force directory mode = 0770
> [homes]
> path = /home/%D/%U
> browseable = no
> read only = no
> create mask = 0600
> directory mask = 0700
> writable = yes
>
>
>
> if I try su - DOMAIN+Username from a shell prompt
>
> I get the following reply
>
> [root at store01 pam.d]# su - LEARNINGDOMAIN+Administrator
> su: warning: cannot change directory to
> /home/LEARNINGDOMAIN/Administrator: No such file or directory
> -bash-2.05b$
>
pam_mkhomedir doesn't make deep directories ... does /home/LEARNINGDOMAIN exist?
And, you don't mention which pam config file you are editing, but it is
most likely more useful to do this in system-auth, then if you set 'obey
pam restrictions = yes' in smb.conf, samba will even make the home
directories (or any PAM application with session support ...)
Regards,
Buchan
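The failure Buchan points at (pam_mkhomedir only creates the last path component, so a "template homedir" of /home/%D/%U needs /home/DOMAIN to exist first) can be checked before users hit it. The script below is an added example written for this thread, not code from the list or from Samba; it expands the winbind template for one domain user, tests the parent directory, and checks a PAM file for an active pam_mkhomedir session line. Paths under a mktemp tree are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): pam_mkhomedir creates only the
# leaf directory, so with "template homedir = /home/%D/%U" the per-domain
# parent /home/DOMAIN must already exist or the session module fails.

# Expand %D (domain) and %U (user) in a winbind-style template homedir.
expand_homedir() {
    template=$1; domain=$2; user=$3
    printf '%s\n' "$template" | sed -e "s|%D|$domain|g" -e "s|%U|$user|g"
}

# Return 0 if the PARENT of the expanded home exists (pam_mkhomedir can
# then create the leaf), 1 otherwise.
parent_exists() {
    home=$(expand_homedir "$1" "$2" "$3")
    parent=$(dirname "$home")
    [ -d "$parent" ]
}

# Return 0 if the given PAM config file has an uncommented session line
# loading pam_mkhomedir.so (e.g. in /etc/pam.d/system-auth), 1 if not.
has_mkhomedir_session() {
    grep -Eq '^[[:space:]]*session[[:space:]].*pam_mkhomedir\.so' "$1"
}

# Demonstration on a constructed temporary tree, not the live system.
demo() {
    root=$(mktemp -d)
    tpl="$root/home/%D/%U"
    if parent_exists "$tpl" LEARNINGDOMAIN Administrator; then
        echo "parent exists"
    else
        echo "parent missing: create $(dirname "$(expand_homedir "$tpl" LEARNINGDOMAIN x)") first"
    fi
    # Admin creates the per-domain parent once, root-owned, world-searchable.
    mkdir -p -m 0755 "$root/home/LEARNINGDOMAIN"
    parent_exists "$tpl" LEARNINGDOMAIN Administrator && echo "parent now present"
    rm -rf "$root"
}

demo
```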