[Samba] Locking SAMBA ccounts with LDAP backend

Michael Starling mlstarling31 at hotmail.com
Tue Jul 12 08:26:17 MDT 2011

Thanks for the reply. This is what my system-auth looks like now:

Where would you suggest I place the auth pam_winbind.so statement?

auth        required      pam_env.so
auth        sufficient    pam_ldap.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
session     required      pam_mkhomedir.so skel=/etc/skel umask=0027

> Date: Tue, 12 Jul 2011 23:20:21 +0900
> To: mlstarling31 at hotmail.com
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Locking SAMBA ccounts with LDAP backend
> From: monyo at monyo.com
> From: Michael Starling <mlstarling31 at hotmail.com>
> Date: Sun, 10 Jul 2011 08:18:52 -0400
> > Hello. Is it possible to have SAMBA respect PAM so that when an LDAP
> > accounts gets locked out the SAMBA account simultaneously gets
> > locked out as well? 
> As far as I examined on Samba 3.5.6 on Lenny, to set 
> -----
> auth pam_winbind.so
> -----
> and "obey pam restrictions = yes", then the locked user cannot logon
> to Samba server.
> ---
> TAKAHASHI Motonobu <monyo at samba.gr.jp>

More information about the samba mailing list