[Samba] PAM vs smbpasswd oddity

Russell Handorf rhandorf at handorf.org
Thu Sep 28 14:20:41 GMT 2006


I'm guessing that PAM authentication with RADIUS won't work with SAMBA at 
all now in my instance, especially if the passwords being returned to 
SAMBA from the RADIUS server are clear text (which they are).

Can someone confirm this for me?

Thanks,
r

Russell Handorf wrote:
> I've tried setting the security level from "user" to "share". 
> It now logs me in as "guest" from all workstations for some reason. 
> Here is the smb.conf file once again for all to review:
>
> [global]
>        workgroup = >snip<
>        server string = samba file
>        netbios name = Fileserver
>        log file = /var/log/samba/%m.log
>        max log size = 50
>        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>        preferred master = True
>        local master = Yes
>        domain master = True
>        dns proxy = yes
>        remote announce = 192.168.0.255
>        os level = 40
>        ;domain logons = yes
>        ;logon script = logon.bat
>        ;logon home = \\%G\%U\.profile
>        name resolve order = wins lmhosts bcast
>        wins proxy = yes
>        ;preserve case = yes
>        ;short preserve case = yes
>        wins support= yes
>        #was user / share
>        security = user
>        #must be set to 'no' to use PAM
>        encrypt passwords = No
>        update encrypted = No
>        allow trusted domains = Yes
>        #min password length = 6
>        null passwords = No
> [homes]
>        comments = Home Dir
>        browsable = no
>        writable = yes
>        hide dot files = yes
> [netlogon]
>        comment = Network Logon Service
>        path = /home/netlogon
>        guest ok = yes
>        writable = no
>        share modes = no
>        write list = domain_admin
> [Profiles]
>        path = /%G/%U/.profile
>        browseable = no
>        guest ok = yes
> [public]
>        path = /samba/public
>        valid users = users
>        force group = users
>        writeable = Yes
>        guest ok = No
>
>
> Russell Handorf wrote:
>> Hi Folks,
>>
>> so now I've managed to trick the authentication server into caching the 
>> one time passwords for me. I'm down to the last two problems:
>>
>> 1. Something odd that I've noticed is that when I use PAM 
>> authentication Windows clients are outright refused. When I enable 
>> "encrypted" passwords, therefore disabling PAM, I'm then able to log 
>> in but with the use of static passwords. The error that the Windows 
>> clients get is the following:
>>
>> "\\<IP-ADDRESS> is not accessible. You might not have permission to 
>> use this network resource. Contact the administrator of this server 
>> to find out if you have access permissions.
>> The account is not authorized to log in from this station."
>>
>> So the question here is: why doesn't this work when I use PAM 
>> authentication, but it does work when I use smbpasswd?!?
>>
>> 2. I've since tried mounting the share on a Linux box to see what was 
>> happening. I notice the following behavior with this command:
>> mount -t smbfs -o username=rhandorf //localhost/rhandorf /mnt/home/
>>
>> Once I log in, I'm able to browse the directory without *any* 
>> problems. So if I can solve #1, I'll be a happy camper! Does anyone 
>> have any ideas?
>>
>> Thanks again,
>>
>> r

