[Samba] Two tricky problems with Samba and pam_mkhomedir.so
roger.aas at hsh.no
Wed Jun 23 08:18:14 GMT 2004

I have a mail services setup that has given me two problems
I am not able to solve myself, and can find no solutions to
on the internet (Google, mailing-list archives et al.)...

1 - Users logging in with a mix of upper- and lowercase letters
create different home directories for each new variation they
manage to come up with.

2 - The home directories are to be created by pam_mkhomedir.so,
but I have to set the base directory to chmod 777 for that module
to be able to create the user's directory.

We moved our email service for the students over to a Red Hat
Enterprise Linux 3 AS Update 2 server configured this way:

Samba (samba-3.0.2-6.3E) in ADS mode for authentication with AD.
IMAP (imap-2002d-8) with PAM (pam-0.75-54) setup for winbind and mkhomedir.
Squirrelmail (squirrelmail-1.4.3-0.e3.1) for webmail. (Apache and PHP req.)
Sendmail (sendmail-8.12.11-3.3) for incoming and outgoing email.

Users will only connect to this server via Squirrelmail (i.e.
IMAP) or directly to IMAP. No other services will be available.

This setup "works" and is actually in production, but I have
these two problems that would be nice to sort out.

Problem one: Samba (through IMAP->PAM->WINBIND->AD) authenticates
the user roger, Roger, ROGER, RoGeR as the same user. But when
PAM runs mkhomedir with the username it makes a new directory for
all of these variations of the username. In Linux (Unix) the case
does matter for directories.

I could probably go into the PHP scripts of Squirrelmail to make a
$username = tolower($username) or something like that, but that will
not help for users that set up their own IMAP client. I could probably
instead look at the source for mkhomedir or imap and try to find out
what to change there.

Is there someone that has solved a problem like this before? What
did they do? Does someone at the Samba team have some ideas? Is there a
way to deny authentication in winbind when someone uses uppercase
letters (force them to use lowercase)?

Problem two: I cannot make mkhomedir create users' home directories
without making the base directory world-writable (mkdir /home/DOMAIN;
chmod 777 /home/DOMAIN). Any resolutions to this? Since the users
are not given login access this is no big problem, but it would be nice
if it was fixed. (This question belongs in some PAM mailing list I guess,
but I am sure someone here knows how to fix this...) :-)

# rm -f /etc/krb5.conf (Kerberos uses information from DNS)

# vi /etc/samba/smb.conf
    netbios name = SERVER
    workgroup = DOMAIN
    realm = DOMAIN.COLLEGE.EDU
    ldap ssl = no
    idmap uid = 10000-50000
    idmap gid = 10000-50000
    template homedir = /home/%D/%U
    template shell = /sbin/nologin
    winbind separator = +
    winbind use default domain = Yes
    winbind enum users = Yes
    winbind enum groups = Yes
    obey pam restrictions = Yes
    server string = Student Mailserver
    hosts allow = 10. 127.
    log file = /var/log/samba/%m.log
    max log size = 50
    security = ADS
    password server = 10.0.0.1
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    wins server = 10.0.0.1
    dns proxy = no
    local master = no
    preferred master = no
    os level = 0

# vi /etc/pam.d/imap
    auth sufficient pam_winbind.so
    auth required pam_stack.so service=system-auth
    account sufficient pam_winbind.so
    account required pam_stack.so service=system-auth
    session required pam_mkhomedir.so

# vi /etc/nsswitch.conf (Only relevant lines)
    passwd: files winbind
    shadow: files winbind
    group: files winbind

# net ads join -U Administrator

# mkdir /home/DOMAIN; chmod 777 /home/DOMAIN
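
An added example, not part of the original post: a shell audit of a pam_mkhomedir base directory for the two symptoms described above, home directories that differ only by letter case and a world-writable base directory. The function names are hypothetical and the sample usernames are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit a pam_mkhomedir base
# directory such as /home/DOMAIN. Function names are hypothetical.

# Read one directory name per line on stdin; print each lowercase name that
# has more than one case variant, followed by the variants found.
case_variants() {
    LC_ALL=C sort | awk '
        { k = tolower($0); names[k] = (seen[k]++ ? names[k] " " : "") $0 }
        END { for (k in seen) if (seen[k] > 1) print k ": " names[k] }
    ' | LC_ALL=C sort
}

# Print a finding and return 0 if the directory is world-writable.
# Without the sticky bit, any local account can also rename or remove
# entries in it that belong to other users.
base_perm_finding() {
    if [ -n "$(find "$1" -prune -perm -0002 ! -perm -1000 -print)" ]; then
        echo "world-writable, no sticky bit: $1"
    elif [ -n "$(find "$1" -prune -perm -0002 -print)" ]; then
        echo "world-writable with sticky bit: $1"
    else
        return 1
    fi
}

# Run both checks against one base directory.
audit_base() {
    base_perm_finding "$1" || echo "not world-writable: $1"
    ls -1 "$1" | case_variants
}

if [ "$#" -gt 0 ]; then
    audit_base "$1"
else
    # Constructed sample names, as a mail client might have sent them.
    printf '%s\n' roger Roger ROGER anna RoGeR | case_variants
fi
```

Run it with the base directory as the only argument, for example `/home/DOMAIN`; with no argument it only processes the constructed sample names.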