[Samba] PAM vs smbpasswd oddity *solved*

Russell Handorf rhandorf at handorf.org
Thu Sep 28 14:54:55 GMT 2006


So yeah, after a little bit more searching I found the solution 
mentioned here

http://lists.samba.org/archive/samba/2003-May/066660.html

If there only were a way to have both clear and encrypted enabled at the 
same time! Then, and only then would life be peachy.

r

Russell Handorf wrote:
> I'm guessing that PAM authentication with RADIUS wont work with SAMBA 
> at all now in my instance, especially if the passwords being returned 
> to SAMBA from the RADIUS server are clear text (which they are).
>
> Can someone confirm this for me?
>
> Thanks,
> r
>
> Russell Handorf wrote:
>> I've tried setting the security level to being from "user" to 
>> "share". It now logs me in as "guest" from all workstations for some 
>> reason. Here is the smb.conf file once again for all to review:
>>
>> [global]
>>        workgroup = >snip<
>>        server string = samba file
>>        netbios name = Fileserver
>>        log file = /var/log/samba/%m.log
>>        max log size = 50
>>        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 
>> SO_SNDBUF=8192
>>        preferred master = True
>>        local master = Yes
>>        domain master = True
>>        dns proxy = yes
>>        remote announce = 192.168.0.255
>>        os level = 40
>>        ;domain logons = yes
>>        ;logon script = logon.bat
>>        ;logon home = \\%G\%U\.profile
>>        name resolve order = wins lmhosts bcast
>>        wins proxy = yes
>>        ;preserve case = yes
>>        ;short preserve case = yes
>>        wins support= yes
>>        #was user / share
>>        security = user
>>        #must be set to 'no' to use PAM
>>        encrypt passwords = No
>>        update encrypted = No
>>        allow trusted domains = Yes
>>        #min password length = 6
>>        null passwords = No
>> [homes]
>>        comments = Home Dir
>>        browsable = no
>>        writable = yes
>>        hide dot files = yes
>> [netlogon]
>>        comment = Network Logon Service
>>        path = /home/netlogon
>>        guest ok = yes
>>        writable = no
>>        share modes = no
>>        write list = domain_admin
>> [Profiles]
>>        path = /%G/%U/.profile
>>        browseable = no
>>        guest ok = yes
>> [public]
>>        path = /samba/public
>>        valid users = users
>>        force group = users
>>        writeable = Yes
>>        guest ok = No
>>
>>
>> Russell Handorf wrote:
>>> Hi Folks,
>>>
>>> so now I've managed to trick the authentication server to caching 
>>> the one time passwords for me. I'm down to the last two problems:
>>>
>>> 1. Something odd that I've noticed is that when I use PAM 
>>> authentication Windows clients are outright refused. When I enable 
>>> "encrypted" passwords, therefor disabling PAM, I'm then able to log 
>>> in but with the use of static passwords. The error that the Windows 
>>> clients get is the following:
>>>
>>> "\\<IP-ADDRESS> is not accessible. You might not have permission to 
>>> use this network resource. Contact the administrator of this server 
>>> to find out if you have access permissions.
>>> The account is not authorized to log in from this station."
>>>
>>> So the question here is that why doesnt this work when I use PAM 
>>> authentication, but it does work when I use smbpasswd?!?
>>>
>>> 2. I've since tried mounting the share on a linux box to see what 
>>> was happening. I notice the following behavior with this command:
>>> mount -t smbfs -o username=rhandorf //localhost/rhandorf /mnt/home/
>>>
>>> Once I log in, I'm able to browse the directory without *any* 
>>> problems. So if I can solve #1, I'll be a happy camper! Does anyone 
>>> have any ideas?
>>>
>>> Thanks again,
>>>
>>> r


More information about the samba mailing list