[Samba] authenticate using pam_ldap.so
Dennis Ortsen
dortsen at gmail.com
Tue Nov 6 10:33:18 GMT 2007
Hi All,
I've been trying for quite some time now, but feel that there's just
that one situation that doesn't work, and that's probably the one
thing I'd like to use.
I've got a simple samba server (3.0.23c) on RHEL5 that only has one
large share. That share is to be used by a certain number of users,
that can exchange large amounts of data using that share, but not
everybody is allowed access to that share. The most simple way to set
that up is to use the /etc/samba/smbpasswd and add the users locally.
That would be fine, but the number of users is just large enough to
cause a probable overhead of work when they need to change their
password. I have a LDAP server running, without the Samba schema. I
don't want to add the samba schema to that directory, just for about
30 users. (total userbase is 40.000). The next best thing would be to
use PAM together with pam_ldap.so.
pam_ldap.so works fine, because we use that only to authenticate unix
users for ssh or tty access. (User accounts exist in /etc/passwd, only
the password is not used in /etc/shadow) When a user logs in via ssh
his password is checked in LDAP using pam_ldap.so. That all works like
a charm. I thought I could use the same trick for authenticating the
samba users, but that seems to be a lot more difficult than I
thought...
conf files always help a lot:
my smb.conf:
[global]
workgroup = OFFICE
netbios name = MIDDLEEARTH
server string = Middleearth Samba Server
security = share
obey pam restrictions = yes
encrypt passwords = no
[share]
path = /share
valid users = jan,jeff,joe,john,alice
read only = No
force user = nobody
force create mode = 0660
browseable = No
guest ok = No
my /etc/pam.d/samba:
#%PAM-1.0
auth required pam_nologin.so
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
and my /etc/pam.d/system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
All I want is to have a local user that exists either in /etc/passwd
or in /etc/samba/smbpasswd, but that the password that is checked is
retrieved from my LDAP server, in (just about) the same way as for my
sshd service with pam_ldap.so.
I haven't found a success story on any list/website...
Does someone have a suggestion what I can try next?
Thanks in advance,
Br.
Dennis
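The following is an added audit script, not code from the post or from the Samba project. It parses the smb.conf and the two PAM files quoted above (embedded here as constructed strings so it runs offline), flattens the PAM "auth" chain through the pam_stack.so indirection, and reports the security-relevant consequences of the settings: with "encrypt passwords = no" smbd hands the cleartext password to PAM (so pam_ldap.so can check it) but that password crosses the network unencrypted; with "encrypt passwords = yes" smbd verifies NTLM hashes from its own passdb and the pam_ldap.so auth entry is never consulted for the password. The finding codes and the default values assumed for unset options (Samba 3 defaults: security = user, encrypt passwords = yes, obey pam restrictions = no) are this script's own assumptions.

```python
"""Audit a Samba smb.conf plus its PAM stack for how passwords are actually checked."""
import configparser
import re
from typing import Dict, List, Tuple

# Constructed sample input: the smb.conf from the post, embedded so the script runs offline.
SMB_CONF = """\
[global]
workgroup = OFFICE
netbios name = MIDDLEEARTH
server string = Middleearth Samba Server
security = share
obey pam restrictions = yes
encrypt passwords = no

[share]
path = /share
valid users = jan,jeff,joe,john,alice
read only = No
force user = nobody
force create mode = 0660
browseable = No
guest ok = No
"""

# Constructed sample input: /etc/pam.d/samba and the auth group of system-auth from the post.
PAM_FILES = {
    "samba": """\
#%PAM-1.0
auth required pam_nologin.so
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
""",
    "system-auth": """\
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
""",
}

YES = ("yes", "true", "1")


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf into {section: {option: value}} with lower-cased names."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.read_string(text)
    return {s.lower(): {k.lower(): v.strip() for k, v in cp[s].items()} for s in cp.sections()}


def parse_pam_file(text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Parse 'type control module [args]' lines; bracketed controls stay as one token."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line) if line else None
        if m:
            mtype, control, module, args = m.groups()
            entries.append((mtype, control, module, args.split()))
    return entries


def auth_chain(pam_files: Dict[str, str], service: str, mtype: str = "auth", depth: int = 0) -> List[Tuple[str, str]]:
    """Flatten one management group, following pam_stack.so service=X and 'include' lines."""
    if depth > 5:
        raise RecursionError("PAM include loop in service %r" % service)
    chain: List[Tuple[str, str]] = []
    for etype, control, module, args in parse_pam_file(pam_files[service]):
        if etype != mtype:
            continue
        if module == "pam_stack.so":  # legacy Red Hat indirection module
            target = next((a.split("=", 1)[1] for a in args if a.startswith("service=")), None)
            chain.extend(auth_chain(pam_files, target, mtype, depth + 1) if target else [])
        elif control == "include":
            chain.extend(auth_chain(pam_files, module, mtype, depth + 1))
        else:
            chain.append((control, module))
    return chain


def audit(smb: Dict[str, Dict[str, str]], pam_files: Dict[str, str]) -> List[str]:
    """Return finding codes (assumed names) describing how this setup checks passwords."""
    g = smb.get("global", {})
    findings = []
    encrypt = g.get("encrypt passwords", "yes").lower() in YES  # Samba 3 default: yes
    auth_modules = [m for _, m in auth_chain(pam_files, "samba")]
    if g.get("security", "user").lower() == "share":
        findings.append("share-level-security")  # client sends only a password; smbd guesses the user
    if not encrypt:
        findings.append("cleartext-smb-auth")  # PAM gets the password, but it is unencrypted on the wire
    elif "pam_ldap.so" in auth_modules:
        findings.append("pam-not-checking-password")  # NTLM hashes come from passdb, not from PAM
    if "pam_ldap.so" not in auth_modules:
        findings.append("pam-ldap-not-in-auth-chain")
    if g.get("obey pam restrictions", "no").lower() not in YES:
        findings.append("pam-account-session-ignored")
    return findings


if __name__ == "__main__":
    for code in audit(parse_smb_conf(SMB_CONF), PAM_FILES):
        print(code)
```

Run it against real files by reading /etc/samba/smb.conf and the /etc/pam.d entries into the same structures; the auth_chain() walk is what tells you which module really sees the password, since /etc/pam.d/samba itself names only pam_stack.so.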