[Samba] another question about account locking

Kevin Taylor groucho.64738 at hotmail.com
Thu Jan 13 11:48:44 MST 2011



I did give it a try with no luck. However, I'm not sure that the way the pam rules I have set out would cause that to trip anyway.

On most of our linux machines, we'd have the system-auth looking like this (what is the default generated by system-config-authentication)

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

So, if the LDAP lookup of whatever authentication information fails, then the user will be denied. That's fine...but in practice, once the LDAP server locks out the account, samba still is able to read what it needs from the sambantpassword field, and thus approves the connection. 

I'll have to reconfigure a couple of things to double check on share accesses, but it's really the interactive logins I need to lock.

Sorry if I'm being difficult about it. :)



> Date: Fri, 14 Jan 2011 03:38:05 +0900
> Subject: Re: [Samba] another question about account locking
> From: monyo at monyo.com
> To: groucho.64738 at hotmail.com
> CC: samba at lists.samba.org
> 
> 2011/1/14 Kevin Taylor <groucho.64738 at hotmail.com>:
> > Unfortunately, that doesn't work. Since we're using an LDAP backend, we had to turn on 'encrypt
> > passwords=yes' which bypasses the pam checking.
> 
> Have you actually tried it?
> 
> To set "obey pam restrictions = yes",  Samba obeys PAM's restriction.
> 
> For example, try:
> 
> -----
> [global]
>  (encrypt passwords = yes) -- default value, so not to need to set explicitly
>   obey pam restrictions = yes
> 
> [homes]
>   writeable = yes
>   browseable = no
> -----
> 
> Usually, a user can access the homes share with a valid password, but if you
> set pam_deny.so correctly in system-auth, common-account or such a file, then
> anyone can logon and you can see the error messages:
> 
> -----
> [2011/01/14 03:24:00,  0] auth/pampass.c:smb_pam_accountcheck(792)
>   smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User monyo!
> -----
> 
> ---
> TAKAHASHI Motonobu <monyo at samba.gr.jp>
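An added example (not part of this thread) modelling the Linux-PAM control flags over the exact system-auth auth stack quoted above, to show why a lock enforced only in the auth stack is never seen by a Samba client: the module outcomes are constructed inputs, no real PAM module is called, and `ldap_user_auth` / `local_user_auth` are hypothetical helper names.

```python
# Added example: minimal model of Linux-PAM control-flag semantics
# (required / requisite / sufficient / optional) run over the auth stack
# from the message. Module results are constructed, not obtained from PAM.
# Note: with "encrypt passwords = yes" Samba verifies the NT hash itself and
# never runs the auth stack; "obey pam restrictions = yes" only runs the
# account and session stacks, so a lock must be visible there to stop SMB logins.

SYSTEM_AUTH = """
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
"""

def parse_stack(text, stack_type):
    """Return [(control, module)] for the lines of one stack type (auth, account...)."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == stack_type:
            rules.append((parts[1], parts[2]))
    return rules

def run_stack(rules, results):
    """Evaluate a stack. results maps module name -> True (success) / False.
    Unknown modules count as failure, mirroring a missing or broken module."""
    failed = False
    for control, module in rules:
        ok = results.get(module, False)
        if control == "required":
            failed = failed or not ok          # keep going, remember the failure
        elif control == "requisite":
            if not ok:
                return False                   # fail immediately
        elif control == "sufficient":
            if ok and not failed:
                return True                    # short-circuit success
        # optional: result ignored
    return not failed

def ldap_user_auth(ldap_ok):
    """LDAP-only account: pam_unix cannot verify it, pam_ldap decides (constructed)."""
    return run_stack(parse_stack(SYSTEM_AUTH, "auth"),
                     {"pam_env.so": True, "pam_unix.so": False,
                      "pam_succeed_if.so": True, "pam_ldap.so": ldap_ok})

def local_user_auth():
    """Local /etc/shadow account: pam_unix succeeds and pam_ldap is never reached."""
    return run_stack(parse_stack(SYSTEM_AUTH, "auth"),
                     {"pam_env.so": True, "pam_unix.so": True})

if __name__ == "__main__":
    print("ldap account ok     ->", ldap_user_auth(True))    # True
    print("ldap account locked ->", ldap_user_auth(False))   # False via pam_deny
    print("local account       ->", local_user_auth())       # True
```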