[Samba] Trouble with restricting access and ads
D G Teed
donald.teed at gmail.com
Wed Jan 30 13:39:12 GMT 2008
Thanks for this tip. I did get valid users = DOMAIN\user working today. I have also verified that someone authenticated in AD, but not in the parameter "valid users =", cannot get in. Great - this is what I expect...
I've now learned that testing I can access it is only half the test. I should also test that I can't access it if the user is not listed.
I wonder how many sites are out there with only "users = " and no valid keyword in front of it, running with a share open to anyone on ADS, as we were initially? I read this help tip in many forums - and it seems correct because when they half test it, they can get in.
I consider it a serious bug that with nothing for a write list, read list, nor valid users parameter, Samba defaults to write access merely by having AD authentication succeed. This is with 3.0.25 in Red Hat Enterprise 5.
Or would you say this is linked to a PAM misconfiguration? We've got guest ok = no and public = no everywhere in smb.conf. I have this in my pam.d/samba:
auth required pam_nologin.so
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session required pam_limits.so
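As an added example (not part of the original post, and not Samba's own tooling), a small Python audit that parses an smb.conf and flags the half-tested configuration discussed above: shares with no valid users, read list or write list, guest ok / public = yes, and the "users =" pitfall (in smb.conf, user and users are synonyms of username, which only supplies candidate names for clients that send none and restricts nothing). The sample smb.conf, share names and accounts are constructed.

```python
import configparser
# Constructed sample smb.conf (not from the post): [finance] has the "users =" mistake,
# [hr] is restricted with the parameters the post ends up using.
SAMPLE_SMB_CONF = r"""
[global]
    security = ads
[finance]
    path = /srv/finance
    users = DOMAIN\dteed
    writable = yes
[hr]
    path = /srv/hr
    valid users = DOMAIN\hruser, @DOMAIN\hr-staff
    read list = @DOMAIN\auditors
    write list = DOMAIN\hruser
"""

# Parameters that actually restrict who may connect to, read or write a share.
RESTRICTING = ("valid users", "invalid users", "read list", "write list")
# "user"/"users" are synonyms of "username" (candidate names for clients that
# send none); none of the three is an access control.
USERNAME_SYNONYMS = ("username", "user", "users")

def parse_smb_conf(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = lambda key: " ".join(key.lower().split())  # "Valid  Users" -> "valid users"
    # Strip indentation so configparser never reads a key as a continuation line.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    return cp

def audit_shares(text):
    """Return {share: [findings]} for each share open wider than its author probably meant."""
    cp = parse_smb_conf(text)
    findings = {}
    for share in cp.sections():
        if share.lower() in ("global", "homes", "printers"):
            continue
        params = dict(cp.items(share))
        issues = []
        if not any(p in params for p in RESTRICTING):
            issues.append("no valid users/read list/write list: any AD-authenticated account can connect")
        for syn in USERNAME_SYNONYMS:
            if syn in params:
                issues.append(f"'{syn} =' is a synonym of 'username' and restricts nothing; use 'valid users ='")
        if params.get("guest ok", params.get("public", "no")).strip().lower() in ("yes", "true", "1"):
            issues.append("guest ok = yes: unauthenticated access allowed")
        if issues:
            findings[share] = issues
    return findings
```

Run it over a real smb.conf with `audit_shares(open("/etc/samba/smb.conf").read())`; a share that appears in the result is one where the "can't get in when not listed" half of the test is worth repeating.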