[Samba] Authentication problem with samba 3.3.4 on AIX 5.3
William Jojo
w.jojo at hvcc.edu
Tue Jun 9 20:11:18 GMT 2009
David Markey wrote:
> AIX doesn't have a pam.conf. It uses LAM.
>
> change
> obey pam restrictions = yes
> to
> obey pam restrictions = no
>
>
>
No, it does have a pam.conf from bos.rte.security:
[dev53:/] # lslpp -w /etc/pam.conf
File Fileset Type
----------------------------------------------------------------------------
/etc/pam.conf bos.rte.security File
[dev53:/] # cat /etc/pam.conf
# IBM_PROLOG_BEGIN_TAG
# This is an automatically generated prolog.
#
# bos530 src/bos/etc/pam/pam.conf 1.3
#
# Licensed Materials - Property of IBM
#
# (C) COPYRIGHT International Business Machines Corp. 2003,2004
# All Rights Reserved
#
# US Government Users Restricted Rights - Use, duplication or
# disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
#
# IBM_PROLOG_END_TAG
#
# PAM Configuration File
#
# This file controls the PAM stacks for PAM enabled services.
# The format of each entry is as follows:
#
# <service_name> <module_type> <control_flag> <module_path> [module_options]
#
# Where:
# <service_name> is:
# The name of the PAM enabled service.
#
# <module_type> is one of:
# auth, account, password, session
#
# <control_flag> is one of:
# required, requisite, sufficient, optional
#
# <module_path> is:
# The path to the module. If the field does not begin with '/'
# then /usr/lib/security/ is prefixed.
#
# [module_options] is:
# An optional field. Consult the specified modules documentation
# for valid options.
#
# The service name OTHER controls the behavior of services that are PAM
# enabled but do not have an explicit entry in this file.
#
#
# Authentication
#
ftp auth required /usr/lib/security/pam_aix
imap auth required /usr/lib/security/pam_aix
login auth required /usr/lib/security/pam_aix
rexec auth required /usr/lib/security/pam_aix
rlogin auth sufficient /usr/lib/security/pam_rhosts_auth
rlogin auth required /usr/lib/security/pam_aix
rsh auth required /usr/lib/security/pam_rhosts_auth
snapp auth required /usr/lib/security/pam_aix
su auth sufficient /usr/lib/security/pam_allowroot
su auth required /usr/lib/security/pam_aix
telnet auth required /usr/lib/security/pam_aix
#OTHER auth sufficient /usr/lib/security/pam_allowroot
samba auth required pam_aix
OTHER auth required /usr/lib/security/pam_prohibit
#
# Account Management
#
ftp account required /usr/lib/security/pam_aix
login account required /usr/lib/security/pam_aix
rexec account required /usr/lib/security/pam_aix
rlogin account required /usr/lib/security/pam_aix
rsh account required /usr/lib/security/pam_aix
su account sufficient /usr/lib/security/pam_allowroot
su account required /usr/lib/security/pam_aix
telnet account required /usr/lib/security/pam_aix
#OTHER account required /usr/lib/security/pam_allowroot
samba account required pam_aix
OTHER account required /usr/lib/security/pam_prohibit
#
# Password Management
#
login password required /usr/lib/security/pam_aix
passwd password required /usr/lib/security/pam_aix
rlogin password required /usr/lib/security/pam_aix
su password required /usr/lib/security/pam_aix
telnet password required /usr/lib/security/pam_aix
#OTHER password required /usr/lib/security/pam_aix
OTHER password required /usr/lib/security/pam_prohibit
#
# Session Management
#
ftp session required /usr/lib/security/pam_aix
imap session required /usr/lib/security/pam_aix
login session required /usr/lib/security/pam_aix
rexec session required /usr/lib/security/pam_aix
rlogin session required /usr/lib/security/pam_aix
rsh session required /usr/lib/security/pam_aix
snapp session required /usr/lib/security/pam_aix
su session required /usr/lib/security/pam_aix
telnet session required /usr/lib/security/pam_aix
#OTHER session required /usr/lib/security/pam_aix
OTHER session required /usr/lib/security/pam_prohibit
# websm.
websm_rlogin auth sufficient /usr/lib/security/pam_rhosts_auth
websm_rlogin auth required /usr/lib/security/pam_aix use_new_state
websm_su auth sufficient /usr/lib/security/pam_aix
websm_su auth required /usr/lib/security/pam_aix
websm_rlogin account required /usr/lib/security/pam_aix mode=S_RLOGIN
websm_su account sufficient /usr/lib/security/pam_aix mode=S_SU
websm_su account required /usr/lib/security/pam_aix mode=S_SU
websm_rlogin password required /usr/lib/security/pam_aix use_new_state try_first_pass
websm_su password required /usr/lib/security/pam_aix try_first_pass
websm_rlogin session required /usr/lib/security/pam_aix
websm_su session required /usr/lib/security/pam_aix
Cheers,
Bill
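The pam.conf prolog above states the rules PAM applies to that file: field order, the /usr/lib/security/ prefix for a module name without a leading '/', and the OTHER fallback for a service that has no entry of a given type. The following Python script is an added example, not code from this thread, Samba or AIX; it parses a constructed excerpt in that format and resolves the stack PAM would run for the samba service, showing which module types fall through to the OTHER (pam_prohibit) entries.

```python
"""Resolve the effective PAM stack for a service from an AIX-style pam.conf.
Added example (not from the thread): applies the field order, the
/usr/lib/security/ prefix rule and the OTHER fallback described in the prolog."""
MODULE_DIR = "/usr/lib/security/"
MODULE_TYPES = ("auth", "account", "password", "session")

# Constructed excerpt in the shape of the pam.conf posted in the thread.
SAMPLE_PAM_CONF = """\
# comment lines and blank lines are ignored
su       auth     sufficient /usr/lib/security/pam_allowroot
su       auth     required   /usr/lib/security/pam_aix
samba    auth     required   pam_aix
samba    account  required   pam_aix
OTHER    auth     required   /usr/lib/security/pam_prohibit
OTHER    account  required   /usr/lib/security/pam_prohibit
OTHER    password required   /usr/lib/security/pam_prohibit
OTHER    session  required   /usr/lib/security/pam_prohibit
websm_su account  sufficient /usr/lib/security/pam_aix mode=S_SU
"""

def parse_pam_conf(text):
    """Return (service, type, flag, absolute_module_path, [options]) per entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[1] not in MODULE_TYPES:
            raise ValueError("malformed pam.conf entry: %r" % raw)
        service, mtype, flag, path = fields[:4]
        if not path.startswith("/"):
            path = MODULE_DIR + path  # relative module name rule from the prolog
        entries.append((service, mtype, flag, path, fields[4:]))
    return entries

def effective_stack(entries, service, mtype):
    """Modules PAM runs for service/mtype, in file order, with the OTHER fallback."""
    explicit = [e for e in entries if e[0] == service and e[1] == mtype]
    chosen = explicit or [e for e in entries if e[0] == "OTHER" and e[1] == mtype]
    return [(flag, path, opts) for _, _, flag, path, opts in chosen]

if __name__ == "__main__":
    ents = parse_pam_conf(SAMPLE_PAM_CONF)
    for t in MODULE_TYPES:  # password and session have no samba entry -> OTHER
        print("samba", t, effective_stack(ents, "samba", t))
```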
>
> William Jojo wrote:
>
>> Arendt, Volker wrote:
>>
>>> Hello all,
>>>
>>> we currently do have a problem with samba 3.3.4 on AIX 5.3.
>>> We have set up the samba system to integrate in our AD Domain.
>>> Integration was successful (net ads join), wbinfo executes with
>>> parameters
>>> -ugt without any problems. Our smb.conf content follows at the end of
>>> this mail.
>>>
>>> We have defined just one share as follows:
>>> [smbtest]
>>> writeable = yes
>>> path = /gpfs/fbb/ls/cip
>>> valid users =
>>> When we connect from a Windows XP System we get the following error
>>> message:
>>> ---
>>> C:\Programme\Support Tools>net use p: \\frigg\smbtest
>>> Systemfehler 2239 aufgetreten.
>>>
>>> Dieses Benutzerkonto ist abgelaufen.
>>> ---
>>> translated: user account has expired
>>>
>>> In the system log file we get:
>>> ---------------------------------------------------------------------------------
>>> [2009/06/09 17:21:16, 10] smbd/sesssetup.c:reply_spnego_kerberos(402)
>>> Mapped to [FB6] (using PAC)
>>> [2009/06/09 17:21:16, 5] lib/username.c:Get_Pwnam_alloc(133)
>>> Finding user FB6+AdmMJ
>>> [2009/06/09 17:21:16, 5] lib/username.c:Get_Pwnam_internals(77)
>>> Trying _Get_Pwnam(), username as lowercase is fb6+admmj
>>> [2009/06/09 17:21:16, 5] lib/username.c:Get_Pwnam_internals(110)
>>> Get_Pwnam_internals did find user [FB6+AdmMJ]!
>>> [2009/06/09 17:21:16, 4] auth/pampass.c:smb_pam_start(472)
>>> smb_pam_start: PAM: Init user: admmj
>>> [2009/06/09 17:21:16, 4] auth/pampass.c:smb_pam_start(489)
>>> smb_pam_start: PAM: setting rhost to: 132.195.123.104
>>> [2009/06/09 17:21:16, 4] auth/pampass.c:smb_pam_start(498)
>>> smb_pam_start: PAM: setting tty
>>> [2009/06/09 17:21:16, 4] auth/pampass.c:smb_pam_start(506)
>>> smb_pam_start: PAM: Init passed for user: admmj
>>> [2009/06/09 17:21:16, 4] auth/pampass.c:smb_pam_account(564)
>>> smb_pam_account: PAM: Account Management for User: admmj
>>> [2009/06/09 17:21:16, 2] auth/pampass.c:smb_pam_account(571)
>>> smb_pam_account: PAM: User admmj no longer permitted to access system
>>> [2009/06/09 17:21:16, 2] auth/pampass.c:smb_pam_error_handler(77)
>>> smb_pam_error_handler: PAM: Account Check Failed : User account has
>>> expired
>>> [2009/06/09 17:21:16, 0] auth/pampass.c:smb_pam_accountcheck(794)
>>> smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User
>>> admmj!
>>> [2009/06/09 17:21:16, 4] auth/pampass.c:smb_pam_end(450)
>>> smb_pam_end: PAM: PAM_END OK.
>>> ---------------------------------------------------------------------------------
>>>
>>>
>> Hey, Volker. It's been awhile. Couple of questions:
>>
>> 1) What does /etc/pam.conf look like and
>>
>> 2) What does /opt/pware/lib/fbb-projekte.conf look like?
>>
>>
>> Glad to see you are still using the pWare stuff. :-) :-) How is your
>> cluster testing going? I need to contact Miguel again to see how he is
>> making out.
>>
>> Cheers,
>> Bill
>>
>>
>>> An error log, debug level 10 is available on request.
>>>
>>> Kind regards
>>>
>>> Volker
>>>
>>>
>>> SMB.CONF
>>> ------------------------------------------------------------------------------
>>> [global]
>>>
>>> # --------------------------------------------------------
>>> # setting base configuration parameters
>>> #
>>> # --------------------------------------------------------
>>> workgroup = FB6
>>> netbios name = FRIGG
>>> server string = AFS-2
>>> security = ADS
>>> realm = FB6.UNI-WUPPERTAL.DE
>>> auth methods = winbind
>>> # password server = AD logon server
>>> password server = 132.195.120.9 132.195.120.12
>>> wins server = 132.195.120.12
>>> client use spnego = yes
>>> client signing = yes
>>> # added because of ticket #5344
>>> #client lanman auth = no
>>> #client ntlmv2 auth = yes
>>> encrypt passwords = yes
>>> host msdfs = no
>>> #domain logons = yes
>>>
>>> # for Samba 3.3.0
>>> # so that no encrypted connection to the domain controller
>>> # is established
>>> ldap ssl = no
>>>
>>> # ---------------------------------------------------------
>>> # printer settings
>>> # ??? better disable these settings ???
>>> # ---------------------------------------------------------
>>> # printcap name = cups
>>> # disable spoolss = Yes
>>> # show add printer wizard = No
>>>
>>> # ---------------------------------------------------------
>>> # ID mapping parameters
>>> # mapping windows users to unix users
>>> # this is performed on the basis of sid on windows and
>>> # unix with uid for users and gid for groups
>>> # the backend parameter rid allows to get the same mapping
>>> # from sid to uid because it is determined algorithmically
>>> # that way we get the same mapping even if we use samba on
>>> # several disparate systems
>>> # CHANGE NOTIFICATION: with v3.3.0 there are changes
>>> # to idmap; idmap domains is no longer supported
>>> # ---------------------------------------------------------
>>> #idmap domains = FB6
>>> #idmap backend = rid
>>> idmap backend = tdb
>>> idmap config FB6:backend = rid
>>> #idmap config FB6:base_rid = 0
>>> idmap config FB6:range = 10000 - 49999
>>> idmap uid = 10000-49999
>>> idmap gid = 10000-49999
>>>
>>> winbind separator =+
>>> winbind use default domain = Yes
>>> winbind enum users = no
>>> winbind enum groups = no
>>> winbind cache time = 60
>>> winbind gid = 10000-49999
>>> winbind uid = 10000-49999
>>>
>>> template homedir = /gpfs/fbb/user/%U
>>> template shell = /opt/pware/bin/bash
>>> #use sendfile = Yes
>>> #printing = cups
>>> #ldap suffix = "dc=FB6, dc=UNI-WUPPERTAL, dc=DE"
>>>
>>> #-------------------------------------------------------
>>> # Logging options
>>> #
>>> #-------------------------------------------------------
>>> #
>>> # higher log levels have a negative impact on performance
>>> log level = 10
>>> log file = /opt/pware/var/log/samba.log.%m
>>> max log size = 5000000
>>> debug timestamp = yes
>>> obey pam restrictions = yes
>>> #utmp = yes
>>>
>>> #-------------------------------------------------------
>>> # ACL Support
>>> #
>>> #-------------------------------------------------------
>>> map acl inherit = yes
>>> nt acl support = yes
>>> inherit acls = yes
>>> inherit permissions = yes
>>> inherit owner = yes
>>> admin users = @"FB6+domain admins"
>>>
>>> #-------------------------------------------------------
>>> # Performance options
>>> #
>>> #-------------------------------------------------------
>>> socket options = TCP_NODELAY IPTOS_LOWDELAY
>>> include = /opt/pware/lib/fbb-projekte.conf
>>>
>>>
>
>
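The smbd log excerpt in Volker's report has a two-line record shape: a header carrying the timestamp, debug level and source location, followed by the message. The Python script below is an added example, not code from the thread or from Samba; it parses that shape and correlates the PAM setup lines (Init user, setting rhost) with the later smb_pam_accountcheck rejection, so a review of a debug log can list the user, remote host and PAM reason for each rejected session. The sample log is constructed in the shape of the excerpt, with a documentation address as the rhost.

```python
"""Extract PAM account-check rejections from smbd debug logs (added example,
not code from the thread or Samba). Records are a header line
"[date time, level] file:func(line)" followed by the message line."""
import re

HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(\d+)\]\s+(\S+)$")
INIT_USER = re.compile(r"PAM: Init user: (\S+)")
RHOST = re.compile(r"PAM: setting rhost to: (\S+)")
REASON = re.compile(r"PAM: Account Check Failed : (.+)$")
REJECT = re.compile(r"PAM: Account Validation Failed - Rejecting User (\S+)!")

# Constructed sample in the shape of the thread's excerpt (rhost is a
# documentation address, not the reporter's).
SAMPLE_LOG = """\
[2009/06/09 17:21:16, 4] auth/pampass.c:smb_pam_start(472)
  smb_pam_start: PAM: Init user: admmj
[2009/06/09 17:21:16, 4] auth/pampass.c:smb_pam_start(489)
  smb_pam_start: PAM: setting rhost to: 192.0.2.10
[2009/06/09 17:21:16, 2] auth/pampass.c:smb_pam_error_handler(77)
  smb_pam_error_handler: PAM: Account Check Failed : User account has expired
[2009/06/09 17:21:16, 0] auth/pampass.c:smb_pam_accountcheck(794)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User admmj!
[2009/06/09 17:21:16, 4] auth/pampass.c:smb_pam_end(450)
  smb_pam_end: PAM: PAM_END OK.
"""

def records(text):
    """Yield (timestamp, level, location, message) for each two-line record."""
    header = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            header = (m.group(1), int(m.group(2)), m.group(3))
        elif header:
            yield header + (line.strip(),)
            header = None

def pam_rejections(text):
    """One dict per rejected session: time, user, rhost, PAM reason, location."""
    ctx, events = {}, []
    for ts, _level, loc, msg in records(text):
        if m := INIT_USER.search(msg):            # new PAM handle: reset context
            ctx = {"rhost": None, "reason": None}
        elif m := RHOST.search(msg):
            ctx["rhost"] = m.group(1)
        elif m := REASON.search(msg):
            ctx["reason"] = m.group(1)
        elif m := REJECT.search(msg):
            events.append({"time": ts, "user": m.group(1), "location": loc,
                           "rhost": ctx.get("rhost"), "reason": ctx.get("reason")})
    return events
```

Running `pam_rejections(open("samba.log.CLIENT").read())` over a real `log file = ... samba.log.%m` at log level 2 or higher yields the same dicts, since the rejection and reason lines are emitted at levels 0 and 2.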