[Samba] root login using /etc/shadow bypassing winbind / ADS security

Bruce Speidel Bruce.Speidel at qwest.com
Fri Sep 23 02:36:51 GMT 2005


I'm wondering if anyone has tried to use local Solaris NSS files for
root-only login via the console or ssh - effectively bypassing
domain security to the PDC using ADS - Windows 2003 AD?

I am not having a problem logging in as the non-admin user.
I wish to login to the root account that would not be part
of the ADS domain security eventually over an ssh connection
or directly to /dev/console via a serial link.  SSH - next step
after this issue is solved!

My /opt/samba/smb.conf file on Solaris 9 looks like:

[global]
        workgroup = ADTEST
        realm = ADTEST.AD.LAB
        server string = %h server (Samba %v)
        security = ADS
        update encrypted = Yes
        username map = /etc/samba/smbusers
        log level = 10
        time server = Yes
        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
        preferred master = No
        local master = No
        domain master = No
        dns proxy = No
        ldap ssl = no
        idmap uid = 500-100000000
        idmap gid = 500-100000000
        template shell = /bin/bash
        winbind cache time = 10
        winbind use default domain = Yes
        winbind trusted domains only = Yes
        winbind nested groups = Yes

[homes]
        valid users = %S
        read only = No
        browseable = No

/etc/nsswitch.conf:

passwd:     files winbind
group:      files winbind
hosts:      files dns winbind
ipnodes:    files
networks:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
bootparams: files
publickey:  files
# At present there isn't a 'files' backend for netgroup;  the system will
#   figure it out pretty quickly, and won't use netgroups at all.
netgroup:   files
automount:  files
aliases:    files
services:   files
sendmailvars:   files
printers:       user files

auth_attr:  files
prof_attr:  files
project:    files

/etc/pam.conf:

#
#ident  "@(#)pam.conf   1.20    02/01/23 SMI"
#
# Copyright 1996-2002 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth required           /usr/lib/security/pam_winbind.so try_first_pass
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_auth.so.1 try_first_pass
login   auth required           pam_dial_auth.so.1 try_first_pass
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         /usr/lib/security/pam_winbind.so try_first_pass
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
other   auth sufficient         /usr/lib/security/pam_winbind.so try_first_pass
rsh     auth required           pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth sufficient         /usr/lib/security/pam_winbind.so try_first_pass
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_auth.so.1 try_first_pass
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth required           pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_projects.so.1
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1
other   account required        pam_projects.so.1
other   account required        pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
#
# Default definition for  Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin         auth optional           pam_krb5.so.1 try_first_pass
#login          auth optional           pam_krb5.so.1 try_first_pass
#other          auth optional           pam_krb5.so.1 try_first_pass
#cron           account optional        pam_krb5.so.1
#other          account optional        pam_krb5.so.1
#other          session optional        pam_krb5.so.1
#other          password optional       pam_krb5.so.1 try_first_pass

Thanks in advance!
Bruce
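As an added example (not part of Bruce's post), the script below parses the auth stacks of a Solaris-style pam.conf and applies simplified PAM control-flag semantics to show how `required` versus `sufficient` on pam_winbind decides whether an account that winbind rejects but /etc/shadow knows can still log in. The sample lines are constructed from the `login` and `other` stacks quoted above; the per-module outcomes for root are assumptions.

```python
"""Simulate a Solaris-style pam.conf auth stack (added example, not from the
post). Sample lines mirror the post; outcomes (winbind rejects root, local
pam_unix_auth accepts) are assumed to illustrate required vs sufficient."""
import os

PAM_CONF = """\
login   auth required   /usr/lib/security/pam_winbind.so try_first_pass
login   auth requisite  pam_authtok_get.so.1
login   auth required   pam_dhkeys.so.1
login   auth required   pam_unix_auth.so.1 try_first_pass
other   auth sufficient /usr/lib/security/pam_winbind.so try_first_pass
other   auth requisite  pam_authtok_get.so.1
other   auth required   pam_dhkeys.so.1
other   auth required   pam_unix_auth.so.1 try_first_pass
"""

def parse(text, service, mtype="auth"):
    """[(control, module)] for a service's stack; falls back to 'other'."""
    rows = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        svc, typ, ctrl, path, *_opts = line.split()
        if typ == mtype:
            rows.setdefault(svc, []).append((ctrl, os.path.basename(path)))
    return rows.get(service) or rows.get("other", [])

def evaluate(stack, outcomes):
    """Simplified PAM control flags: requisite failure denies at once,
    required failure denies at the end, sufficient success (with no
    earlier required failure) allows at once."""
    required_failed = False
    for ctrl, module in stack:
        ok = outcomes.get(module, True)  # unlisted modules assumed to pass
        if ctrl == "requisite" and not ok:
            return False
        if ctrl == "required" and not ok:
            required_failed = True
        if ctrl == "sufficient" and ok and not required_failed:
            return True
    return not required_failed

# Assumed outcomes for root: unknown to the domain, present in /etc/shadow.
ROOT = {"pam_winbind.so": False, "pam_unix_auth.so.1": True}

def root_can_login(service):
    """True if the service's auth stack lets root in via local files."""
    return evaluate(parse(PAM_CONF, service), ROOT)
```

With these stacks, `root_can_login("login")` is False because the console stack marks pam_winbind `required`, while `root_can_login("sshd")` is True because sshd falls through to the `other` stack, where pam_winbind is only `sufficient` and pam_unix_auth decides.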