[Samba] PAM vs smbpasswd oddity *solved*
Russell Handorf
rhandorf at handorf.org
Thu Sep 28 14:54:55 GMT 2006
So yeah, after a little bit more searching I found the solution
mentioned here
http://lists.samba.org/archive/samba/2003-May/066660.html
If there only were a way to have both clear and encrypted enabled at the
same time! Then, and only then would life be peachy.
r
Russell Handorf wrote:
> I'm guessing that PAM authentication with RADIUS wont work with SAMBA
> at all now in my instance, especially if the passwords being returned
> to SAMBA from the RADIUS server are clear text (which they are).
>
> Can someone confirm this for me?
>
> Thanks,
> r
>
> Russell Handorf wrote:
>> I've tried setting the security level to being from "user" to
>> "share". It now logs me in as "guest" from all workstations for some
>> reason. Here is the smb.conf file once again for all to review:
>>
>> [global]
>> workgroup = >snip<
>> server string = samba file
>> netbios name = Fileserver
>> log file = /var/log/samba/%m.log
>> max log size = 50
>> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192
>> SO_SNDBUF=8192
>> preferred master = True
>> local master = Yes
>> domain master = True
>> dns proxy = yes
>> remote announce = 192.168.0.255
>> os level = 40
>> ;domain logons = yes
>> ;logon script = logon.bat
>> ;logon home = \\%G\%U\.profile
>> name resolve order = wins lmhosts bcast
>> wins proxy = yes
>> ;preserve case = yes
>> ;short preserve case = yes
>> wins support= yes
>> #was user / share
>> security = user
>> #must be set to 'no' to use PAM
>> encrypt passwords = No
>> update encrypted = No
>> allow trusted domains = Yes
>> #min password length = 6
>> null passwords = No
>> [homes]
>> comments = Home Dir
>> browsable = no
>> writable = yes
>> hide dot files = yes
>> [netlogon]
>> comment = Network Logon Service
>> path = /home/netlogon
>> guest ok = yes
>> writable = no
>> share modes = no
>> write list = domain_admin
>> [Profiles]
>> path = /%G/%U/.profile
>> browseable = no
>> guest ok = yes
>> [public]
>> path = /samba/public
>> valid users = users
>> force group = users
>> writeable = Yes
>> guest ok = No
>>
>>
>> Russell Handorf wrote:
>>> Hi Folks,
>>>
>>> so now I've managed to trick the authentication server to caching
>>> the one time passwords for me. I'm down to the last two problems:
>>>
>>> 1. Something odd that I've noticed is that when I use PAM
>>> authentication Windows clients are outright refused. When I enable
>>> "encrypted" passwords, therefor disabling PAM, I'm then able to log
>>> in but with the use of static passwords. The error that the Windows
>>> clients get is the following:
>>>
>>> "\\<IP-ADDRESS> is not accessible. You might not have permission to
>>> use this network resource. Contact the administrator of this server
>>> to find out if you have access permissions.
>>> The account is not authorized to log in from this station."
>>>
>>> So the question here is that why doesnt this work when I use PAM
>>> authentication, but it does work when I use smbpasswd?!?
>>>
>>> 2. I've since tried mounting the share on a linux box to see what
>>> was happening. I notice the following behavior with this command:
>>> mount -t smbfs -o username=rhandorf //localhost/rhandorf /mnt/home/
>>>
>>> Once I log in, I'm able to browse the directory without *any*
>>> problems. So if I can solve #1, I'll be a happy camper! Does anyone
>>> have any ideas?
>>>
>>> Thanks again,
>>>
>>> r
More information about the samba
mailing list