[Samba] Obey Pam Restrictions Problem 3.0.10

Guille guillemw at hotmail.com
Mon Jan 10 05:03:21 GMT 2005


Hi,

I fixed the problem by rearranging some statements in the pam.d files.

Hurray!

Later

-----Original Message-----
From: samba-bounces+guillemw=hotmail.com at lists.samba.org
[mailto:samba-bounces+guillemw=hotmail.com at lists.samba.org] On Behalf Of
Guille Williams
Sent: Friday, January 07, 2005 6:01 PM
To: samba at lists.samba.org
Subject: [Samba] Obey Pam Restrictions Problem 3.0.10

Hi,

I was using Samba 3.0.9 on Fedora Core 2 and decided to upgrade to 3.0.10. 
So I upgraded to Core 3 and installed Samba 3.0.10 and thought I could just 
copy my settings over to the new build and everything would run smoothly. I 
thought wrong.

Everything seems fine until I enable Obey Pam Restrictions.
If enabled I get a login error from XP stating: "Windows cannot locate 
your roaming profile (read only) and is attempting to log you on with your 
local profile. Possible causes of this error include network problems or 
insufficient security rights. If this problem persists, contact your network 
administrator. DETAIL - Logon failure: unknown user name or bad password."

If Obey Pam Restrictions = no everything is fine except the home directory 
creation!

I use Obey Pam Restrictions to create home directories on the fly when a new 
user logs into the network. I don't have the time to manually create the 
directories for all the new students that sign up in the lab. The Obey Pam 
Restrictions option was working great on Core 2. I have been using this 
feature ever since I migrated from Samba 2 to Samba 3 and would be sad if I 
can't fix the problem or find a workaround. I hope this problem is not 
because of Core 3. I can't afford to switch now because school is in 
session. I also disabled SELinux because I thought that was the root of all 
this evil, but that didn't work.

Here are the exact settings I used prior to 3.0.10/3.0.11pre1 that worked 
with 3.0.9

pam.d login

auth       required	/lib/security/pam_securetty.so
auth       required	/lib/security/pam_stack.so service=system-auth
auth       required	/lib/security/pam_nologin.so
account    sufficient    /lib/security/pam_winbind.so
account    required	/lib/security/pam_stack.so service=system-auth
password   required	/lib/security/pam_stack.so service=system-auth
session    required	/lib/security/pam_stack.so service=system-auth
session    optional	/lib/security/pam_console.so

pam.d/samba

auth       required	pam_nologin.so
auth       required	pam_stack.so service=system-auth
account    required	pam_stack.so service=system-auth
session    required	/lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session    required	pam_stack.so service=system-auth
password   required	pam_stack.so service=system-auth

pam.d/system-auth

auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_winbind.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok use_first_pass
auth        required      /lib/security/pam_deny.so
account     required      /lib/security/pam_unix.so
password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

# Global parameters
[global]
	workgroup = SCHOOL
	server string = Samba Server
	security = DOMAIN
	password server = *
	log file = /var/log/samba/%m.log
	max log size = 50
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	logon path =
	preferred master = No
	local master = No
	domain master = No
	dns proxy = No
	ldap ssl = no
	idmap uid = 10000-20000
	idmap gid = 10000-20000
	template homedir = /home/%U
	winbind use default domain = Yes
	admin users = "@Domain Admins"
	cups options = raw

[homes]
	comment = Home Directories
	path = /home/%U
	read only = No
	create mask = 0760
	browseable = No

[printers]
	comment = All Printers
	path = /var/spool/samba
	printable = Yes
	browseable = No

/etc/nsswitch.conf
passwd:     files winbind
shadow:     files
group:       files winbind


Please Help,
Guille
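
An added example, not part of the original post: because the fix was a reordering of pam.d statements, this Python sketch flattens the `pam_stack.so service=` includes in the posted `pam.d/samba` and `pam.d/system-auth` so the effective module order per management group can be read off. The `effective_stack` helper is a hypothetical name; the account and session groups are printed because the smb.conf documentation describes `obey pam restrictions` as applying PAM's account and session management.

```python
# PAM files as posted above (wrapped lines rejoined).
PAM_FILES = {
    "samba": """
auth       required  pam_nologin.so
auth       required  pam_stack.so service=system-auth
account    required  pam_stack.so service=system-auth
session    required  /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session    required  pam_stack.so service=system-auth
password   required  pam_stack.so service=system-auth
""",
    "system-auth": """
auth       required    /lib/security/pam_env.so
auth       sufficient  /lib/security/pam_winbind.so
auth       sufficient  /lib/security/pam_unix.so likeauth nullok use_first_pass
auth       required    /lib/security/pam_deny.so
account    required    /lib/security/pam_unix.so
password   required    /lib/security/pam_cracklib.so retry=3 type=
password   sufficient  /lib/security/pam_unix.so nullok use_authtok md5 shadow
password   required    /lib/security/pam_deny.so
session    required    /lib/security/pam_limits.so
session    required    /lib/security/pam_unix.so
""",
}

def effective_stack(service, group, files=PAM_FILES, depth=0):
    """List (control, module) in evaluation order, expanding pam_stack.so."""
    # Flattening shows order only: the control flag on a pam_stack.so line
    # applies to the result of the whole included stack.
    if depth > 8:
        raise ValueError("pam_stack include loop via " + service)
    stack = []
    for line in files[service].splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0] != group:
            continue
        control, module, args = fields[1], fields[2].rsplit("/", 1)[-1], fields[3:]
        if module == "pam_stack.so":
            target = [a.split("=", 1)[1] for a in args if a.startswith("service=")][0]
            stack += effective_stack(target, group, files, depth + 1)
        else:
            stack.append((control, module))
    return stack

if __name__ == "__main__":
    for group in ("account", "session"):
        print(group, effective_stack("samba", group))
```

For the posted files the samba account stack reduces to `pam_unix.so` alone, and the session stack runs `pam_mkhomedir.so` before `pam_limits.so` and `pam_unix.so`.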

