[Samba] root login using /etc/shadow bypassing winbind / ADS security

Bruce Speidel Bruce.Speidel at qwest.com
Fri Sep 23 02:36:51 GMT 2005

I'm wondering if anyone has tried to use local Solaris NSS files for
root-only login via the console or ssh - effectively bypassing
domain security to the PDC using ADS - Windows 2003 AD?

I am not having a problem logging in as the non-admin user.
I wish to login to the root account that would not be part
of the ADS domain security eventually over an ssh connection
or directly to /dev/console via a serial link.  SSH - next step
after this issue is solved!

My /opt/samba/smb.conf file on Solaris 9 looks like:

        workgroup = ADTEST
        realm = ADTEST.AD.LAB
        server string = %h server (Samba %v)
        security = ADS
        update encrypted = Yes
        username map = /etc/samba/smbusers
        log level = 10
        time server = Yes
        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
        preferred master = No
        local master = No
        domain master = No
        dns proxy = No
        ldap ssl = no
        idmap uid = 500-100000000
        idmap gid = 500-100000000
        template shell = /bin/bash
        winbind cache time = 10
        winbind use default domain = Yes
        winbind trusted domains only = Yes
        winbind nested groups = Yes

        valid users = %S
        read only = No
        browseable = No

/etc/nsswitch.conf:

passwd:     files winbind
group:      files winbind
hosts:      files dns winbind
ipnodes:    files
networks:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
bootparams: files
publickey:  files
# At present there isn't a 'files' backend for netgroup;  the system
#   will figure it out pretty quickly, and won't use netgroups at all.
netgroup:   files
automount:  files
aliases:    files
services:   files
sendmailvars:   files
printers:       user files

auth_attr:  files
prof_attr:  files
project:    files

/etc/pam.conf:

#ident  "@(#)pam.conf   1.20    02/01/23 SMI"
# Copyright 1996-2002 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
# PAM configuration
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
# Authentication management
# login service (explicit because of pam_dial_auth)
login   auth required           /usr/lib/security/pam_winbind.so
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_auth.so.1 try_first_pass
login   auth required           pam_dial_auth.so.1 try_first_pass
# rlogin service (explicit because of pam_rhost_auth)
rlogin  auth sufficient         /usr/lib/security/pam_winbind.so
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_auth.so.1
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
rsh     auth sufficient         pam_rhosts_auth.so.1
other   auth sufficient         /usr/lib/security/pam_winbind.so
rsh     auth required           pam_unix_auth.so.1
# PPP service (explicit because of pam_dial_auth)
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication

other   auth sufficient         /usr/lib/security/pam_winbind.so
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_auth.so.1 try_first_pass
# passwd command (explicit because of a different authentication module)

passwd  auth required           pam_passwd_auth.so.1
# cron service (explicit because of non-usage of pam_roles.so.1)
cron    account required        pam_projects.so.1
cron    account required        pam_unix_account.so.1
# Default definition for Account management
# Used when service name is not explicitly mentioned for account
other   account requisite       pam_roles.so.1
other   account required        pam_projects.so.1
other   account required        pam_unix_account.so.1
# Default definition for Session management
# Used when service name is not explicitly mentioned for session
other   session required        pam_unix_session.so.1
# Default definition for  Password management
# Used when service name is not explicitly mentioned for password
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#rlogin         auth optional           pam_krb5.so.1 try_first_pass
#login          auth optional           pam_krb5.so.1 try_first_pass
#other          auth optional           pam_krb5.so.1 try_first_pass
#cron           account optional        pam_krb5.so.1
#other          account optional        pam_krb5.so.1
#other          session optional        pam_krb5.so.1
#other          password optional       pam_krb5.so.1 try_first_pass

Thanks in advance!
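The behaviour being asked about comes down to the PAM control flags: a module marked "required" must succeed for the stack to succeed, while a "sufficient" module that succeeds ends the stack early and one that fails is simply skipped. The following is an added example, not code from the post or from Samba or Sun: a small simulator that parses entries in the pam.conf layout shown above, builds the auth stack for a service (falling back to "other" for services with no entries of their own), and evaluates it under the textbook flag semantics with per-module results supplied as a dict. It compares the posted "login auth required pam_winbind.so" stack with a variant where pam_winbind is "sufficient", for a root account that has no AD identity but a valid /etc/shadow entry. The pam.conf excerpts, the module outcomes, and the use of "sshd" as a service name that falls through to "other" are all constructed assumptions; this models the flag rules, not the real Solaris libpam.

```python
"""PAM auth-stack simulator for Solaris-style pam.conf entries.

Added example, not code from the mailing-list post. It parses entries in the
'service type control-flag module [options]' layout of /etc/pam.conf, builds
the 'auth' stack for a service (using the 'other' entries when the service
has none of its own, as PAM does), and evaluates it under the classic flag
semantics: requisite failure aborts the stack, required failure is remembered
but the stack keeps running, sufficient success ends the stack unless an
earlier required module already failed, optional never decides. Module
results come from a dict so that 'required' versus 'sufficient' on
pam_winbind can be compared without a running winbindd. All excerpts and
outcomes below are constructed for the example.
"""

# Constructed: 'login' stack with pam_winbind marked required, as in the post.
PAM_CONF_REQUIRED = """\
login   auth required           /usr/lib/security/pam_winbind.so
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_auth.so.1 try_first_pass
login   auth required           pam_dial_auth.so.1 try_first_pass
other   auth sufficient         /usr/lib/security/pam_winbind.so
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_auth.so.1 try_first_pass
"""

# Constructed variant: same stack, but pam_winbind is 'sufficient' for login.
PAM_CONF_SUFFICIENT = PAM_CONF_REQUIRED.replace(
    "login   auth required           /usr/lib/security/pam_winbind.so",
    "login   auth sufficient         /usr/lib/security/pam_winbind.so")


def parse_pam_conf(text):
    """Return a list of (service, type, flag, module_basename, options) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4:                        # malformed entry: skip it
            continue
        service, mtype, flag, module = parts[:4]
        # Solaris allows absolute module paths; compare on the basename only.
        entries.append((service, mtype, flag.lower(),
                        module.rsplit("/", 1)[-1], parts[4:]))
    return entries


def stack_for(entries, service, mtype="auth"):
    """Entries for this service/type, or the 'other' entries if there are none."""
    own = [e for e in entries if e[0] == service and e[1] == mtype]
    return own or [e for e in entries if e[0] == "other" and e[1] == mtype]


def evaluate(stack, outcomes):
    """Run a stack under the control-flag rules.

    outcomes maps module basename -> True (PAM_SUCCESS) / False (failure);
    modules not listed are assumed to succeed. Returns (granted, trace).
    """
    required_failed = False
    trace = []
    for _service, _type, flag, module, _opts in stack:
        ok = outcomes.get(module, True)
        trace.append(f"{flag:<10} {module:<22} {'ok' if ok else 'FAIL'}")
        if flag == "requisite" and not ok:
            trace.append("requisite failed -> stack aborted")
            return False, trace
        if flag == "required" and not ok:
            required_failed = True              # remembered, but keep running
        if flag == "sufficient" and ok and not required_failed:
            trace.append("sufficient succeeded -> stack ends")
            return True, trace
    return not required_failed, trace


def compare_root_and_domain_user():
    """Outcome of four logins; keys name the stack variant, user and PAM service."""
    # root: no AD account, so winbind fails; local /etc/shadow password is correct.
    root = {"pam_winbind.so": False, "pam_unix_auth.so.1": True}
    # domain user: winbind succeeds; no usable password in /etc/shadow.
    domain = {"pam_winbind.so": True, "pam_unix_auth.so.1": False}
    req = parse_pam_conf(PAM_CONF_REQUIRED)
    suf = parse_pam_conf(PAM_CONF_SUFFICIENT)
    return {
        "required/root/login": evaluate(stack_for(req, "login"), root)[0],
        # assumed service name 'sshd' has no entries, so it falls through to 'other'
        "required/root/sshd": evaluate(stack_for(req, "sshd"), root)[0],
        "sufficient/root/login": evaluate(stack_for(suf, "login"), root)[0],
        "sufficient/domain/login": evaluate(stack_for(suf, "login"), domain)[0],
    }


if __name__ == "__main__":
    for name, granted in compare_root_and_domain_user().items():
        print(f"{name:<26} {'granted' if granted else 'denied'}")
```

Running it shows why the console case fails while the "other" services do not: with pam_winbind "required" in the login stack, root's correct local password cannot rescue a winbind failure, whereas the "other" stack already has winbind as "sufficient" so a local account falls through to pam_unix_auth. The trace returned by evaluate() also makes the ordering visible, which matters for review: a "sufficient" winbind placed before pam_unix_auth means a domain user is granted without the local check ever running, so any later required module (pam_dial_auth here) is skipped for that user too.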
