[Samba] Trouble with restricting access and ads

D G Teed donald.teed at gmail.com
Wed Jan 30 13:39:12 GMT 2008


Hi,

Thanks for this tip.  I did get valid users = DOMAIN\user
working today.  I have also verified that someone who is
authenticated in AD, but not in the "valid users =" parameter, cannot get in.
Great - this is what I expect...

I've now learned that testing that I can access it is only half the test.
I should also test that I can't access it if the user is not listed.
I wonder how many sites are out there with only "users = "
and no "valid" keyword in front of it, running with a share
open to anyone on ADS, as we were initially?  I read this
help tip in many forums, and it seems correct because
when they half-test it, they can get in.

I consider it a serious bug that with no write list,
read list, or valid users parameter, Samba defaults to write
access merely because AD authentication succeeded.
This is with 3.0.25 on Red Hat Enterprise Linux 5.

Or would you say this is linked to a pam misconfiguration?

We've got guest ok = no and public = no everywhere in smb.conf.

I have this in my pam.d/samba:

# auth: refuse non-root logins while /etc/nologin exists, then accept winbind (AD) credentials
auth        required      pam_nologin.so
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so
# account: winbind decides; accounts unknown to winbind are ignored rather than rejected
account     [default=bad success=ok user_unknown=ignore]  pam_winbind.so
account     required      pam_permit.so
# password: changes go through winbind, reusing the token already collected
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so
# session: apply /etc/security/limits.conf
session     required      pam_limits.so

--Donald
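A static check for the misconfiguration described in this message, added here as an example and not code from the Samba project or the poster. It parses an smb.conf and flags shares that have no "valid users" list, shares that rely on "users"/"username" as if it were an access list, and shares that every authenticated account can write to. The sample configuration, the share names and the paths are constructed for the example; the synonym mapping ("users"/"user" = "username", "public" = "guest ok", "writable"/"writeable" = the inverse of "read only") follows smb.conf(5).

```python
"""Audit an smb.conf for shares that any authenticated domain account can reach.

Added example for the thread above, not code from the Samba project or the
poster. It encodes the lesson of the post: 'users =' is a synonym of
'username' and is not an access restriction; only 'valid users' (and
'invalid users') restrict who may connect to a share.
"""
import re

# Parameter synonyms from smb.conf(5). Keys are lower-cased with whitespace
# removed, which is how Samba itself compares parameter names.
SYNONYMS = {"user": "username", "users": "username", "public": "guestok"}
# These are the inverse of 'read only'; the parser folds them into 'readonly'.
INVERSE_OF_READ_ONLY = {"writable", "writeable", "writeok"}


def is_true(value, default=False):
    """Interpret a Samba boolean; None means the parameter was not set."""
    if value is None:
        return default
    return value.strip().lower() in ("yes", "true", "1")


def parse_smb_conf(text):
    """Return {section: {canonical_key: value}}; later duplicates win, as in Samba."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = SYNONYMS.get(re.sub(r"\s+", "", key.lower()), re.sub(r"\s+", "", key.lower()))
        value = value.strip()
        if key in INVERSE_OF_READ_ONLY:
            key, value = "readonly", ("no" if is_true(value) else "yes")
        sections[current][key] = value
    return sections


def audit_shares(conf):
    """Return {share: [findings]} for every non-[global] section.

    An empty list means the share has an explicit 'valid users' list and no
    guest access, i.e. the state the poster wanted from the start.
    """
    glob = conf.get("global", {})
    report = {}
    for name, share in conf.items():
        if name == "global":
            continue

        def eff(key):
            # A share parameter set in [global] is the default for every share.
            return share.get(key, glob.get(key))

        issues = []
        if is_true(eff("guestok")):
            issues.append("guest ok = yes: no authentication required at all")
        open_to_all_authenticated = eff("validusers") is None
        if open_to_all_authenticated:
            if eff("invalidusers") is None:
                issues.append("no 'valid users': every authenticated domain account can connect")
            else:
                issues.append("only 'invalid users' is set: everyone not listed can connect")
        if eff("username") is not None:
            issues.append("'users'/'username' is not an access list; use 'valid users'")
        # 'read only' defaults to yes, so a share is writable only if it was made so.
        writable = not is_true(eff("readonly"), default=True)
        if open_to_all_authenticated and writable:
            issues.append("writable by every authenticated account (read only = no, no 'valid users')")
        report[name] = issues
    return report


# Constructed sample configuration (not from the post): the weak share next
# to its corrected form, plus a deliberately guest-accessible share.
SAMPLE_SMB_CONF = r"""
[global]
   workgroup = EXAMPLE
   security = ads
   guest ok = no

; Weak: 'users =' only names accounts; it does not restrict access.
[finance]
   path = /srv/finance
   users = EXAMPLE\alice, EXAMPLE\bob
   writable = yes

; Corrected: 'valid users' is the access list; 'write list' limits writers.
[finance-fixed]
   path = /srv/finance
   valid users = EXAMPLE\alice, EXAMPLE\bob
   read only = yes
   write list = EXAMPLE\alice

[public-docs]
   path = /srv/docs
   guest ok = yes
"""

if __name__ == "__main__":
    for share, issues in audit_shares(parse_smb_conf(SAMPLE_SMB_CONF)).items():
        print(f"[{share}] " + ("OK" if not issues else ""))
        for issue in issues:
            print("   -", issue)
```

This is only the static half of the test the poster describes. The runtime half is to connect with smbclient as a domain account that is not in the list and confirm that the tree connect fails with NT_STATUS_ACCESS_DENIED; a share that passes the "can a listed user get in" test but fails this one is exactly the open share the message warns about.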

