[Samba] another question about account locking

TAKAHASHI Motonobu monyo at monyo.com
Thu Jan 13 11:38:05 MST 2011

2011/1/14 Kevin Taylor <groucho.64738 at hotmail.com>:
> Unfortunately, that doesn't work. Since we're using an LDAP backend, we had to turn on 'encrypt
> passwords=yes' which bypasses the pam checking.

Have you actually tried it?

To set "obey pam restrictions = yes",  Samba obeys PAM's restriction.

For example, try:

 (encrypt passwords = yes) -- default value, so not to need to set explicitly
  obey pam restrictions = yes

  writeable = yes
  browseable = no

Usually, an user can  access the homes share with valid password, but if you
set pam_deny.so correctly in system-auth, common-account or such a file, then
anyone can logon and you can see the error messages:

[2011/01/14 03:24:00,  0] auth/pampass.c:smb_pam_accountcheck(792)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User monyo!

TAKAHASHI Motonobu <monyo at samba.gr.jp>

More information about the samba mailing list