[Samba] Two tricky problems with Samba and pam_mkhomedir.so

Roger Aas roger.aas at hsh.no
Wed Jun 23 08:18:14 GMT 2004


I have a mail services setup that has given me two problems
I am not able to solve myself, and can find no solutions to
on the internet (Google, mailing-list archives et al.)...

1 - Users logging in with a mix of upper and lowercase letters
create different home directories for each new variation they
manage to come up with.

2 - The home directories are to be created by pam_mkhomedir.so,
but I have to set the base directory to chmod 777 for that module
to be able to create the user's directory.

The setup:

We moved our email service for the students over to a Red Hat
Enterprise Linux 3 AS Update 2 server configured this way:

Samba (samba-3.0.2-6.3E) in ADS mode for authentication with AD.
IMAP (imap-2002d-8) with PAM (pam-0.75-54) setup for winbind and mkhomedir.
Squirrelmail (squirrelmail-1.4.3-0.e3.1) for webmail. (Apache and PHP req.)
Sendmail (sendmail-8.12.11-3.3) for incoming and outgoing email.

Users will only connect to this server via Squirrelmail (i.e.
IMAP) or directly to IMAP. No other services will be available.

This setup "works" and is actually in production, but I have
these two problems that would be nice to sort out.

Problem one: Samba (through IMAP->PAM->WINBIND->AD) authenticates
the users roger, Roger, ROGER and RoGeR as the same user. But when
PAM runs mkhomedir with the username it makes a new directory for
each of these variations of the username. In Linux (Unix) the case
does matter for directories.

I could probably go into the PHP scripts of Squirrelmail to make a
$username = tolower($username) or something like that, but that will
not help for users who set up their own IMAP client. I could probably
instead look at the source for mkhomedir or imap and try to find out
what to change there.

Is there someone who has solved a problem like this before? What
did they do? Does someone on the Samba team have some ideas? Is there a
way to deny authentication in winbind when someone uses uppercase
letters (force them to use lowercase)?

Problem two: I cannot make mkhomedir create users' home directories
without making the base directory world-writeable (mkdir /home/DOMAIN;
chmod 777 /home/DOMAIN). Any resolutions to this? Since the users
are not given login access this is no big problem, but it would be nice
if it was fixed. (This question belongs on some PAM mailing list I guess,
but I am sure someone here knows how to fix this...)  :-)

Thanks,
Roger


Detailed setup:

# rm -f /etc/krb5.conf   (Kerberos uses information from DNS)

# vi /etc/samba/smb.conf
[global]
    netbios name = SERVER
    workgroup = DOMAIN
    realm = DOMAIN.COLLEGE.EDU
    ldap ssl = no
    idmap uid = 10000-50000
    idmap gid = 10000-50000
    template homedir = /home/%D/%U
    template shell = /sbin/nologin
    winbind separator = +
    winbind use default domain = Yes
    winbind enum users = Yes
    winbind enum groups = Yes
    obey pam restrictions = Yes
    server string = Student Mailserver
    hosts allow = 10. 127.
    log file = /var/log/samba/%m.log
    max log size = 50
    security = ADS
    password server = 10.0.0.1
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    wins server = 10.0.0.1
    dns proxy = no
    local master = no
    preferred master = no
    os level = 0

# vi /etc/pam.d/imap
#%PAM-1.0
auth       sufficient   pam_winbind.so
auth       required     pam_stack.so service=system-auth
account    sufficient   pam_winbind.so
account    required     pam_stack.so service=system-auth
session    required     pam_mkhomedir.so

# vi /etc/nsswitch.conf (Only relevant lines)
passwd:     files winbind
shadow:     files winbind
group:      files winbind

# net ads join -U Administrator
# mkdir /home/DOMAIN; chmod 777 /home/DOMAIN
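Both problems above come down to the same two facts: AD compares the account name case-insensitively while the filesystem path built from "template homedir = /home/%D/%U" does not, and a directory can only be created under a root-owned 0755 base by a process that holds root. The script below is an added example, not code from the original post or from Samba or PAM: it folds the login name to lowercase (stripping an optional "DOMAIN+" prefix, matching "winbind separator = +") before deriving the home path, and creates the home directory from a privileged helper so the base directory can stay 0755 instead of 0777. The domain short name, the base path and the owner are parameters; the user list fed to it, the five spellings of one account, is constructed for the demonstration and the demo runs in a temporary directory rather than under /home.

```shell
#!/bin/sh
# Added example (not part of the original post): case-fold the login name
# the way AD already treats it, derive the winbind-style home path, and
# create the directory from a privileged helper instead of from the IMAP
# process, so the base directory never needs to be world-writable.
#
# Assumptions (not from the original post): domain short name, base path
# and owner are passed in; in production this runs as root, here it runs
# in a temp dir and skips chown when not root.

# lc_user NAME: strip an optional "DOMAIN+" prefix (winbind separator = +)
# and fold to lowercase, so roger/Roger/ROGER/RoGeR all become "roger".
lc_user() {
    printf '%s\n' "${1##*+}" | tr '[:upper:]' '[:lower:]'
}

# home_for BASE DOMAIN NAME: the path "template homedir = /home/%D/%U"
# would yield, with the user part already case-folded.
home_for() {
    printf '%s/%s/%s\n' "$1" "$2" "$(lc_user "$3")"
}

# ensure_home BASE DOMAIN NAME [OWNER]: create BASE/DOMAIN (0755) and the
# user's home (0700) if missing, then print the home path. The caller,
# not the unprivileged IMAP daemon, holds the privilege, which is why the
# base directory does not have to be chmod 777.
ensure_home() {
    base=$1; dom=$2; owner=$4
    home=$(home_for "$base" "$dom" "$3")
    if [ ! -d "$base/$dom" ]; then
        mkdir -p "$base/$dom"
        chmod 0755 "$base/$dom"
    fi
    if [ ! -d "$home" ]; then
        mkdir "$home"
        chmod 0700 "$home"
        # Only root can hand the directory over to the user; skip otherwise.
        if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
            chown "$owner" "$home"
        fi
    fi
    printf '%s\n' "$home"
}

# count_homes BASE DOMAIN: number of home directories under BASE/DOMAIN.
count_homes() {
    find "$1/$2" -mindepth 1 -maxdepth 1 -type d | wc -l | tr -d ' '
}

# Demonstration on constructed input: five spellings of one AD account.
demo() {
    tmp=$(mktemp -d)
    for u in roger Roger ROGER RoGeR 'DOMAIN+Roger'; do
        ensure_home "$tmp" DOMAIN "$u" >/dev/null
    done
    echo "home dirs created: $(count_homes "$tmp" DOMAIN) (expect 1)"
    ls -ld "$tmp/DOMAIN" "$tmp/DOMAIN/roger"
    rm -rf "$tmp"
}

demo
```

In production the same helper would be run as root (for example from cron) over the account list that `wbinfo -u` prints, with the base set to /home and the owner set to the folded name, instead of relying on pam_mkhomedir running inside the IMAP process; that keeps /home/DOMAIN at 0755 and gives each user exactly one directory regardless of how they typed their login.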
