[Samba] require_membership_of being ignored?

Mike Husmann husmann at morningside.edu
Thu Jan 3 17:38:16 GMT 2008 

Hi, I'm setting up a Gentoo samba server for home directories on a 2003 ADS
network.

I've decided to use pam_mkhomedir.to have the fileserver automagically create
their home when they first log in. But we don't want everyone to log in, just
the members of the AD group filesurfer-users.

The problem: Regardless of what I put as a require_membership_of= in the samba
pam file, any domain user can log in and a home directory is created.

I've attached a copy of /etc/pam.d/samba and /etc/samba/smb.conf.

Any help would be greatly appreciated.

/etc/pam.d/samba:
----------------------------------------------------------------------
#%PAM-1.0

# Require membership of filesurfer-users group
account required        pam_winbind.so require_membership_of=(SID)

session required        pam_winbind.so require_membership_of=(SID)
session optional        pam_mkhomedir.so skel=/etc/mside-skel umask=0077
------------------------------------------------------------------------

Smb.conf:
[global]
workgroup = DOMAIN
netbios aliases = FILESURFER
server string = FileSurfer
log file = /var/log/samba/%m.log
max log size = 50
security = ADS
realm = DOMAIN.SCHOOL.EDU
encrypt passwords = yes
server signing = auto
smb passwd file = /etc/samba/smbpasswd
admin users = @"DOMAIN+Domain Admins"
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password*
%n\n*passwd:*all*authentication*tokens*updated*successfully*
pam password change = yes
obey pam restrictions = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
allow trusted domains = no
idmap backend = rid
idmap uid = 10000-1000000
idmap gid = 10000-1000000
winbind use default domain = yes
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
template homedir = /home/%U
local master = no
inherit permissions = yes
dos filemode = yes
       recycle:exclude = *.tmp *.temp *.o *.obj ~$*
       recycle:keeptree = True
       recycle:touch = True
       recycle:versions = True
       recycle:noversions = .doc|.xls|.ppt
       recycle:repository = /home/trash/%U
       recycle:maxsize = 10000000
vfs objects = recycle

[homes]
   comment = Home Directories
   create mask = 0700
   browseable = no
   writable = yes
   valid users = %U
   nt acl support = yes
------------------------------------------------------------

Thanks in advance,

Mike

More information about the samba mailing list