[Samba] Obey Pam Restrictions Problem 3.0.10

Guille Williams guillemw at hotmail.com
Sat Jan 8 02:00:59 GMT 2005


I was using Samba 3.0.9 on Fedora Core 2 and decided to upgrade to 3.0.10. 
So I upgraded to Core 3 and installed Samba 3.0.10 and thought I could just 
copy my settings over to the new build and everything would run smoothly. I 
thought wrong.

Everything seems fine until I enable Obey Pam Restrictions.
If enabled I get a login error from XP stating:  " Windows cannot locate 
your roaming profile (read only) and is attempting to log you on with your 
local profile. Possible causes of this error include network problems or 
insufficient security rights. If this problem persists, contact your network 
administrator. DETAIL - Logon failure:  unknown user name or bad password. " 
If Obey Pam Restrictions = no everything is fine except the home directory 

I use Obey Pam Restrictions to create Home Directories on the fly when a new 
user logs into the network. I don't have the time to manually create the 
directories for all the new students that sign up in the lab. The Obey Pam 
Restrictions option was working great on Core 2. I have been using this 
feature ever since I migrated from Samba 2 to Samba 3 and would be sad if I 
can't fix the problem or find a workaround. I hope this problem is not 
because of Core 3. I can't afford to switch now because school is in 
session. I also disabled SELinux because I thought that was the root of all 
this evil, but that didn't work.

Here are the exact settings I used prior to 3.0.10/3.0.11pre1 that worked 
with 3.0.9

pam.d login

auth       required	/lib/security/pam_securetty.so
auth       required	/lib/security/pam_stack.so service=system-auth
auth       required	/lib/security/pam_nologin.so
account    sufficient    /lib/security/pam_winbind.so
account    required	/lib/security/pam_stack.so service=system-auth
password   required	/lib/security/pam_stack.so service=system-auth
session    required	/lib/security/pam_stack.so service=system-auth
session    optional	/lib/security/pam_console.so


auth       required	pam_nologin.so
auth       required	pam_stack.so service=system-auth
account    required	pam_stack.so service=system-auth
session    required	/lib/security/pam_mkhomedir.so skel=/etc/skel/ 
session    required	pam_stack.so service=system-auth
password   required	pam_stack.so service=system-auth


auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_winbind.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok 
auth        required      /lib/security/pam_deny.so
account     required      /lib/security/pam_unix.so
password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 
password    required      /lib/security/pam_deny.so
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

# Global parameters
	workgroup = SCHOOL
	server string = Samba Server
	security = DOMAIN
	password server = *
	log file = /var/log/samba/%m.log
	max log size = 50
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	logon path =
	preferred master = No
	local master = No
	domain master = No
	dns proxy = No
	ldap ssl = no
	idmap uid = 10000-20000
	idmap gid = 10000-20000
	template homedir = /home/%U
	winbind use default domain = Yes
	admin users = "@Domain Admins"
	cups options = raw

	comment = Home Directories
	path = /home/%U
	read only = No
	create mask = 0760
	browseable = No

	comment = All Printers
	path = /var/spool/samba
	printable = Yes
	browseable = No

passwd:     files winbind
shadow:     files
group:       files winbind

Please Help,
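
An added example, not part of the original post or of Samba: it expands the pam_stack.so includes in the PAM files quoted above and lists the modules that end up in the account and session stacks, the two phases the smb.conf manual says obey pam restrictions applies. The file names "samba" and "system-auth" for the two unlabelled blocks, and the helper name effective_stack, are assumptions of this example.

```python
# Constructed input: the account and session lines of the PAM blocks in the
# post. Only "login" is labelled there; the names "samba" and "system-auth"
# for the other two blocks are assumptions made for this example.
PAM_FILES = {
    "login": """\
account    sufficient    /lib/security/pam_winbind.so
account    required      /lib/security/pam_stack.so service=system-auth
session    required      /lib/security/pam_stack.so service=system-auth
session    optional      /lib/security/pam_console.so
""",
    "samba": """\
account    required      pam_stack.so service=system-auth
session    required      /lib/security/pam_mkhomedir.so skel=/etc/skel/
session    required      pam_stack.so service=system-auth
""",
    "system-auth": """\
account     required      /lib/security/pam_unix.so
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
""",
}
SMBD_PHASES = ("account", "session")  # phases applied by obey pam restrictions

def effective_stack(service, phase, files=PAM_FILES, seen=()):
    """Return [(control, module, args)] for one phase, expanding pam_stack.so."""
    if service in seen:
        raise ValueError("pam_stack loop at " + service)
    out = []
    for line in files[service].splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, tokenize
        if len(fields) < 3 or fields[0] != phase:
            continue
        control, module, args = fields[1], fields[2].rsplit("/", 1)[-1], fields[3:]
        target = next((a[8:] for a in args if a.startswith("service=")), None)
        if module == "pam_stack.so" and target:
            # pam_stack.so runs the same phase of another service file in place
            out += effective_stack(target, phase, files, seen + (service,))
        else:
            out.append((control, module, args))
    return out

if __name__ == "__main__":
    for svc in ("login", "samba"):
        for phase in SMBD_PHASES:
            for control, module, args in effective_stack(svc, phase):
                print(f"{svc:6} {phase:8} {control:11} {module} {' '.join(args)}")
```

Run against the real files, the same listing shows at a glance which account and session modules apply to the samba service compared with login.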
