[Samba] Samba selectively obeying pam restrictions

Charles J Gruener cjg9411 at rit.edu
Tue Nov 21 00:03:32 GMT 2006

Having a difficult problem getting my pam_access.so module enforced on a 3.0.22 version of Samba.
Here is my /etc/pam.d/samba file:

auth       required     pam_winbind.so debug
account    required     pam_access.so
account    sufficient   pam_winbind.so debug
account    include      system-auth
session    include      system-auth
session    required     pam_winbind.so debug

My /etc/pam.d/system-auth file:

auth       required     pam_nologin.so
auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       required     pam_deny.so
account    required     pam_unix.so
password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   required     pam_deny.so
session    required     pam_limits.so
session    required     pam_quota_xfs.so bsoftlimit=719688 bhardlimit=719688
session    required     pam_mkhomedir.so skel=/etc/skel.net umask=077
session    required     pam_unix.so

And my associated /etc/security/access.conf file:

-:ALL EXCEPT root user1:ALL

Lastly, my /etc/samba/smb.conf file:

workgroup = DOMAIN
security = ADS
allow trusted domains = No
idmap backend = rid:DOMAIN=1000-1000000
idmap uid = 1000-1000000
idmap gid = 1000-1000000
template homedir = /home/%U
template shell = /bin/false
winbind cache time = 3600
winbind enum groups = No
winbind enum users = No
winbind use default domain = Yes
obey pam restrictions = Yes
syslog only = yes
syslog = 0
use sendfile = yes
store dos attributes = Yes
disable spoolss = Yes
browseable = No
read only = No
valid users = DOMAIN\%S
create mask = 0700
directory mask = 0700
directory security mask = 0700

Basically, when I connect from a Macintosh, through the web using a Davenport client, or locally using the smbclient command as user2 (not listed in /etc/security/access.conf but does exist in domain) I get access denied.  Perfect.  Exactly what I want to have happen. 

# smbclient -L server -U user2
session setup failed: NT_STATUS_ACCESS_DENIED

Syslog shows this:

server pam_access[19333]: access denied for user `DOMAIN\user2' from `'
server pam_winbind[19333]: user 'DOMAIN\user2' granted access

Not sure why pam_winbind gets called, but I haven't figured that one out yet.  Now, when I connect from a Windows machine in the domain, user2 is allowed in.  Not to mention, the computer connects and has a home directory created as well because of the pam_mkhomedir.so above.

server samba(pam_quota)[19348]: Successfully setup quotas for UID 387093
server samba(pam_unix)[19348]: session opened for user MAIN\computer$ by (uid=0)
server pam_winbind[19348]: libpam_winbind:pam_sm_open_session handler
server samba(pam_unix)[19350]: session opened for user MAIN\user2 by (uid=0)
server pam_winbind[19350]: libpam_winbind:pam_sm_open_session handler
server samba(pam_unix)[19348]: session closed for user MAIN\computer$
server pam_winbind[19348]: libpam_winbind:pam_sm_close_session handler
server samba(pam_unix)[19350]: session closed for user MAIN\user2
server pam_winbind[19350]: libpam_winbind:pam_sm_close_session handler

So what gives?  Why is it correctly parsing the "obey pam restrictions = Yes" for some connections and not for others?  I don't see one try at pam_access in the Windows case.  It goes immediately to pam_unix for some reason.  Any thoughts?
Incidentally, I tried putting a pam_access.so before the pam_unix.so line in my /etc/pam.d/system-auth and the results are the same.  No mention of pam_access in the Windows connection case.

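The post's side question, why pam_winbind still logs "granted access" after pam_access has already denied the user, comes down to Linux-PAM control-flag semantics: a failing `required` module does not stop the stack, it only records the failure and lets the remaining modules run. The following is an added example (editor's code, not Samba's or Linux-PAM's) that models the account stack of the posted /etc/pam.d/samba with system-auth spliced in, together with a minimal matcher for the posted access.conf line. The user sets, the pam_winbind/pam_unix results and the `bare_name` helper are constructed assumptions; the model says nothing about the Windows-client path, which the post leaves unexplained.

```python
"""Added example (not code from Samba or Linux-PAM): a model of the
'account' stack in the posted /etc/pam.d/samba, with 'include system-auth'
expanded, plus a minimal matcher for the posted access.conf line.

The stack, control flags and access.conf rule are taken from the post;
the user lists and the module behaviour below are constructed assumptions.
"""

# Posted /etc/security/access.conf, one rule: permission:users:origins.
ACCESS_CONF = "-:ALL EXCEPT root user1:ALL"

# Constructed: who winbind and NSS know about, keyed by the bare name.
# The post's log shows pam_access receiving the domain-qualified form.
DOMAIN_USERS = {"user1", "user2"}
LOCAL_USERS = {"root"}


def bare_name(user):
    """Strip a 'DOMAIN\\' prefix (assumption: mirrors what winbind does
    with 'winbind use default domain = Yes')."""
    return user.split("\\", 1)[1] if "\\" in user else user


def parse_access_rule(line):
    perm, users, origins = (f.strip() for f in line.split(":", 2))
    return perm, users.split(), origins.split()


def _field_matches(tokens, value):
    """pam_access field semantics, simplified: 'ALL' matches everything,
    otherwise an exact (case-insensitive) token match; 'EXCEPT' negates
    the tokens that follow it. Group and netgroup lookups are omitted."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        base, exc = tokens[:i], tokens[i + 1:]
    else:
        base, exc = tokens, []

    def hit(ts):
        return any(t == "ALL" or t.lower() == value.lower() for t in ts)

    return hit(base) and not hit(exc)


def pam_access(user, origin=""):
    """Model of pam_access's account hook: the first rule whose user and
    origin fields both match decides ('-' denies, '+' permits); no matching
    rule means permit."""
    for line in ACCESS_CONF.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = parse_access_rule(line)
        if _field_matches(users, user) and _field_matches(origins, origin):
            return perm == "+"
    return True


def pam_winbind(user):
    """Constructed: the account hook succeeds for any domain user."""
    return bare_name(user) in DOMAIN_USERS


def pam_unix(user):
    """Constructed: succeeds for any account NSS can resolve."""
    return bare_name(user) in DOMAIN_USERS | LOCAL_USERS


MODULES = {"pam_access": pam_access, "pam_winbind": pam_winbind, "pam_unix": pam_unix}

# Posted account stack of /etc/pam.d/samba with 'include system-auth' expanded.
SAMBA_ACCOUNT_STACK = [
    ("required", "pam_access"),
    ("sufficient", "pam_winbind"),
    ("required", "pam_unix"),
]


def run_stack(stack, user, modules=MODULES):
    """Evaluate a stack with Linux-PAM control-flag semantics:
    required   - a failure is remembered, but the remaining modules still run;
    requisite  - a failure ends the stack immediately;
    sufficient - success ends the stack with success unless a required
                 module already failed; its own failure is ignored.
    Returns (granted, [(module, result), ...]) so the call order can be
    compared with the syslog lines in the post."""
    called, required_failed = [], False
    for control, name in stack:
        ok = modules[name](user)
        called.append((name, ok))
        if control == "required" and not ok:
            required_failed = True
        elif control == "requisite" and not ok:
            return False, called
        elif control == "sufficient" and ok and not required_failed:
            return True, called
    return not required_failed, called


if __name__ == "__main__":
    for u in ("DOMAIN\\user2", "user1", "root"):
        print(u, run_stack(SAMBA_ACCOUNT_STACK, u))
```

The DOMAIN\user2 trace reproduces the two syslog lines in the post: pam_access denies, pam_winbind is still called and reports success, and the stack as a whole still fails because the required failure is remembered. One caveat the model makes visible: it compares user tokens literally, so with the domain-qualified name that pam_access logs, a bare `user1` token would not match `DOMAIN\user1`; check what name Samba actually hands to PAM before relying on the exception list.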