[Samba] Obey Pam Restrictions Problem 3.0.10
Guille Williams
guillemw at hotmail.com
Sat Jan 8 02:00:59 GMT 2005
Hi,
I was using Samba 3.0.9 on Fedora Core 2 and decided to upgrade to 3.0.10.
So I upgraded to Core 3 and installed Samba 3.0.10 and thought I could just
copy my settings over to the new build and everything would run smoothly. I
thought wrong.
Everything seems fine until I enable Obey Pam Restrictions.
If enabled I get a login error from XP stating: "Windows cannot locate
your roaming profile (read only) and is attempting to log you on with your
local profile. Possible causes of this error include network problems or
insufficient security rights. If this problem persists, contact your network
administrator. DETAIL - Logon failure: unknown user name or bad password."
If Obey Pam Restrictions = no everything is fine except the home directory
creation!
I use Obey Pam Restrictions to create Home Directories on the fly when a new
user logs into the network. I don't have the time to manually create the
directories for all the new students that sign up in the lab. The Obey Pam
Restrictions option was working great on Core 2. I have been using this
feature ever since I migrated from Samba 2 to Samba 3 and would be sad if I
can't fix the problem or find a workaround. I hope this problem is not
because of Core 3. I can't afford to switch now because school is in
session. I also disabled SELinux because I thought that was the root of all
this evil, but that didn't work.
Here are the exact settings I used prior to 3.0.10/3.0.11pre1 that worked
with 3.0.9:
pam.d/login
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account sufficient /lib/security/pam_winbind.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so
pam.d/samba
auth required pam_nologin.so
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
pam.d/system-auth
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so likeauth nullok use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
# Global parameters
[global]
workgroup = SCHOOL
server string = Samba Server
security = DOMAIN
password server = *
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
logon path =
preferred master = No
local master = No
domain master = No
dns proxy = No
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
template homedir = /home/%U
winbind use default domain = Yes
admin users = "@Domain Admins"
cups options = raw
[homes]
comment = Home Directories
path = /home/%U
read only = No
create mask = 0760
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
/etc/nsswitch.conf
passwd: files winbind
shadow: files
group: files winbind
Please Help,
Guille