[Samba] ADS, pam_winbind and vsftpd
Stefan G. Weichinger
lists at xunil.at
Thu Nov 5 02:09:39 MST 2009
Greets ... I am not getting it.
I have samba (old one, 3.0.22-11-SUSE-CODE10) in an ADS-context, winbind
works OK ...
I am trying to connect vsftpd to winbind via PAM, this works TOO GOOD ;-)
Currently I am able to log in to vsftpd with ANY password, that's bad.
I am not understanding that PAM-stuff and I have some pressure to get
that ftp-server up, so please would someone help me out?
This one is heavily edited now, as I played trial and error for hours.
# cat /etc/pam.d/vsftpd
# Uncomment this to achieve what used to be ftpd -A.
# auth required pam_listfile.so item=user sense=allow
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_shells.so
account sufficient pam_winbind.so
account required pam_unix2.so
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok
session required pam_limits.so
session required pam_unix2.so
The logs show (I used a correct user and a wrong password):
Nov 5 09:55:25 comm01 vsftpd: Thu Nov 5 09:55:25 2009 [pid 6323] CONNECT: Client "MY.IP.HERE"
Nov 5 09:55:32 comm01 pam_winbind: request failed: Wrong Password, PAM error was 7, NT error was NT_STATUS_WRONG_PASSWORD
Nov 5 09:55:32 comm01 pam_winbind: user `DOM\user' denied access (incorrect password or invalid membership)
Nov 5 09:55:32 comm01 pam_winbind: user 'DOM\user' OK
Nov 5 09:55:32 comm01 pam_winbind: user 'DOM\user' granted access
Why does it deny first and then grant access anyway?
Is it a bug in the old samba-release or just my mistake?
Thanks for any help on this, I just don't see it ...
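
Added example, not part of the original post: a simplified Python model of how Linux-PAM combines the `required`, `requisite` and `sufficient` control flags, run over the three auth lines posted above. The per-module outcomes (user not listed in /etc/ftpusers, shell listed in /etc/shells) and the alternative stack with pam_winbind as `required` are assumptions made for illustration.

```python
# Simplified model of Linux-PAM stack evaluation (added example, not Samba or PAM code).
PAM_SUCCESS, PAM_AUTH_ERR = "PAM_SUCCESS", "PAM_AUTH_ERR"

def run_stack(stack, module_ok):
    """stack: list of (control, module); module_ok: module name -> True/False."""
    failed = False      # a required module has failed
    succeeded = False   # at least one required/requisite module has succeeded
    for control, module in stack:
        ok = module_ok[module]
        if control == "required":
            # Failure is remembered, but the rest of the stack still runs.
            if ok:
                succeeded = True
            else:
                failed = True
        elif control == "requisite":
            if not ok:
                return PAM_AUTH_ERR
            succeeded = True
        elif control == "sufficient":
            # Success ends the stack early; FAILURE IS IGNORED.
            if ok and not failed:
                return PAM_SUCCESS
        else:
            raise ValueError("unsupported control flag: " + control)
    return PAM_SUCCESS if succeeded and not failed else PAM_AUTH_ERR

# The auth lines from /etc/pam.d/vsftpd as posted.
POSTED_AUTH = [
    ("required", "pam_listfile.so"),
    ("sufficient", "pam_winbind.so"),
    ("required", "pam_shells.so"),
]

# Assumed alternative: the password check itself must pass.
HARDENED_AUTH = [
    ("required", "pam_listfile.so"),
    ("required", "pam_winbind.so"),
    ("required", "pam_shells.so"),
]

# Constructed module outcomes for a valid user with a wrong / correct password.
WRONG_PW = {"pam_listfile.so": True, "pam_winbind.so": False, "pam_shells.so": True}
RIGHT_PW = {"pam_listfile.so": True, "pam_winbind.so": True, "pam_shells.so": True}

if __name__ == "__main__":
    for name, stack in (("posted", POSTED_AUTH), ("hardened", HARDENED_AUTH)):
        print(name, "wrong password ->", run_stack(stack, WRONG_PW))
        print(name, "right password ->", run_stack(stack, RIGHT_PW))
```

In this model the posted stack returns PAM_SUCCESS for a wrong password because the only module that checks the password is `sufficient`, and neither of the two `required` modules looks at the password at all.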