[Samba] Samba selectively obeying pam restrictions
Charles J Gruener
cjg9411 at rit.edu
Tue Nov 21 00:03:32 GMT 2006
I'm having a difficult problem getting my pam_access.so module enforced on Samba version 3.0.22.
Here is my /etc/pam.d/samba file:
auth required pam_winbind.so debug
account required pam_access.so
account sufficient pam_winbind.so debug
account include system-auth
session include system-auth
session required pam_winbind.so debug
My /etc/pam.d/system-auth file:
auth required pam_nologin.so
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth required pam_deny.so
account required pam_unix.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so nullok md5 shadow use_authtok
password required pam_deny.so
session required pam_limits.so
session required pam_quota_xfs.so bsoftlimit=719688 bhardlimit=719688
session required pam_mkhomedir.so skel=/etc/skel.net umask=077
session required pam_unix.so
And my associated /etc/security/access.conf file:
-:ALL EXCEPT root user1:ALL
Lastly, my /etc/samba/smb.conf file:
[global]
workgroup = DOMAIN
realm = DOMAIN.LOCAL
security = ADS
allow trusted domains = No
idmap backend = rid:DOMAIN=1000-1000000
idmap uid = 1000-1000000
idmap gid = 1000-1000000
template homedir = /home/%U
template shell = /bin/false
winbind cache time = 3600
winbind enum groups = No
winbind enum users = No
winbind use default domain = Yes
obey pam restrictions = Yes
syslog only = yes
syslog = 0
use sendfile = yes
store dos attributes = Yes
disable spoolss = Yes
[homes]
browseable = No
read only = No
valid users = DOMAIN\%S
create mask = 0700
directory mask = 0700
directory security mask = 0700
Basically, when I connect from a Macintosh, through the web using a Davenport client, or locally using the smbclient command as user2 (not listed in /etc/security/access.conf, but the user does exist in the domain), I get access denied. Perfect. Exactly what I want to have happen.
# smbclient -L server -U user2
Password:
session setup failed: NT_STATUS_ACCESS_DENIED
#
Syslog shows this:
server pam_access[19333]: access denied for user `DOMAIN\user2' from `10.0.0.10'
server pam_winbind[19333]: user 'DOMAIN\user2' granted access
I'm not sure why pam_winbind gets called, but I haven't figured that one out yet. Now, when I connect from a Windows machine in the domain, user2 is allowed in. Not to mention that the computer connects and has a home directory created as well, because of the pam_mkhomedir.so line above.
server samba(pam_quota)[19348]: Successfully setup quotas for UID 387093
server samba(pam_unix)[19348]: session opened for user MAIN\computer$ by (uid=0)
server pam_winbind[19348]: libpam_winbind:pam_sm_open_session handler
server samba(pam_unix)[19350]: session opened for user MAIN\user2 by (uid=0)
server pam_winbind[19350]: libpam_winbind:pam_sm_open_session handler
server samba(pam_unix)[19348]: session closed for user MAIN\computer$
server pam_winbind[19348]: libpam_winbind:pam_sm_close_session handler
server samba(pam_unix)[19350]: session closed for user MAIN\user2
server pam_winbind[19350]: libpam_winbind:pam_sm_close_session handler
So what gives? Why is it correctly parsing the "obey pam restrictions = Yes" for some connections and not for others? I don't see one try at pam_access in the Windows case. It goes immediately to pam_unix for some reason. Any thoughts?
Incidentally, I tried putting a pam_access.so line before the pam_unix.so line in my /etc/pam.d/system-auth, and the results are the same. No mention of pam_access in the Windows connection case.
Charles
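Added example (not part of the original post, and not Samba's or Linux-PAM's own code): a small simulator of the pam.conf(5) control flags applied to the account stack from the posted /etc/pam.d/samba, with the posted access.conf line evaluated by a stand-in pam_access. It shows why, for DOMAIN\user2, a "required" pam_access denial does not stop the stack, so pam_winbind still runs and logs "granted access" even though the final result is a denial, and why for a user the access.conf rule exempts the "sufficient" pam_winbind line short-circuits the stack before pam_unix. Assumptions: pam_winbind and pam_unix are stubs that always succeed, "include system-auth" is flattened into that file's single account line, and the access.conf matcher handles only literal user/origin names and ALL / ALL EXCEPT (no groups, netgroups, or network prefixes).

```python
"""Simulate Linux-PAM control-flag semantics over the posted 'account' stack.

Control-flag rules follow pam.conf(5).  pam_access, pam_winbind and pam_unix
below are stand-ins written for this example, not the real modules.
"""

PAM_SUCCESS = 0
PAM_PERM_DENIED = 6  # return code a '-' access.conf rule produces

# Constructed copy of the single line from the posted /etc/security/access.conf.
ACCESS_CONF = "-:ALL EXCEPT root user1:ALL\n"


def parse_access_conf(text):
    """Return [(permission, users_spec, origins_spec)] for each non-comment line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            perm, users, origins = (f.strip() for f in line.split(":", 2))
            rules.append((perm, users, origins))
    return rules


def spec_matches(spec, item):
    """Match one access.conf list field: 'ALL', a space-separated list of
    names, or 'X EXCEPT Y'.  Simplified (assumption): literal user and origin
    names only; no group, netgroup, or network-prefix matching."""
    if " EXCEPT " in spec:
        base, excluded = spec.split(" EXCEPT ", 1)
        return spec_matches(base, item) and not spec_matches(excluded, item)
    return any(tok == "ALL" or tok == item for tok in spec.split())


def pam_access(user, origin):
    """First matching rule decides; if no rule matches, access is permitted.
    Note the user string is compared literally, so 'DOMAIN\\user1' is not
    'user1'."""
    for perm, users, origins in parse_access_conf(ACCESS_CONF):
        if spec_matches(users, user) and spec_matches(origins, origin):
            return PAM_SUCCESS if perm == "+" else PAM_PERM_DENIED
    return PAM_SUCCESS


def pam_winbind(user, origin):
    """Stub (assumption): winbind knows every user we pass, as the posted
    syslog line 'user DOMAIN\\user2 granted access' shows for user2."""
    return PAM_SUCCESS


def pam_unix(user, origin):
    """Stub (assumption) for the account line pulled in via system-auth."""
    return PAM_SUCCESS


# The posted /etc/pam.d/samba account stack, with 'account include system-auth'
# flattened into that file's one account line ('account required pam_unix.so').
ACCOUNT_STACK = [
    ("required", pam_access),
    ("sufficient", pam_winbind),
    ("required", pam_unix),
]


def run_stack(stack, user, origin):
    """Apply pam.conf(5) control flags.  Returns (final_rc, calls), where calls
    lists (module_name, rc) in the order the modules actually ran."""
    calls = []
    first_failure = None  # first 'required'/'requisite' failure, if any
    for control, module in stack:
        rc = module(user, origin)
        calls.append((module.__name__, rc))
        if control in ("required", "requisite"):
            if rc != PAM_SUCCESS:
                if first_failure is None:
                    first_failure = rc
                if control == "requisite":
                    return first_failure, calls  # requisite stops the stack now
            # a failed 'required' keeps going so later modules still run
        elif control == "sufficient":
            # Success ends the stack only if no earlier 'required' failed;
            # a failing 'sufficient' module is simply ignored.
            if rc == PAM_SUCCESS and first_failure is None:
                return PAM_SUCCESS, calls
        # 'optional' results are ignored in this simplified model.
    return (PAM_SUCCESS if first_failure is None else first_failure), calls


def account_check(user, origin="10.0.0.10"):
    """Run the posted account stack for one user from one origin."""
    return run_stack(ACCOUNT_STACK, user, origin)


if __name__ == "__main__":
    for who in ("DOMAIN\\user2", "user1", "DOMAIN\\user1"):
        final_rc, ran = account_check(who)
        print(f"{who}: rc={final_rc} modules={ran}")
```

Running it shows DOMAIN\user2 denied with all three modules having run (matching the two syslog lines in the post, where pam_access denies and pam_winbind still reports a grant), and user1 allowed with pam_unix never reached because the "sufficient" pam_winbind line returned first. The third case illustrates that pam_access compares the user name it is handed literally, which matters when winbind passes a DOMAIN\-prefixed name.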