[Samba] Is “obey pam restrictions” still supposed to work in Samba 4?

Chentao Credungtao chentaocredungtao at yahoo.com
Wed Feb 10 21:03:12 UTC 2021


The up-to-date Samba doc says 
(https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html) :

"When Samba 3.0 is configured to enable PAM support (i.e. --with-pam), 
this parameter will control whether or not Samba should obey PAM's 
account and session management directives."

Is this still supposed to work with Samba 4? I had some strange results: 
it seems PAM's restrictions are enforced once, but then not anymore.

I tried to set up a file-size limitation on a Samba share. I'm not 
talking about quotas, I'm talking about preventing users from storing 
files that are bigger than 100MB, for example. I used 
/etc/security/limits.conf for this.

It almost works. Well, it works the first time a user tries to create a 
file, and then not anymore.

Here's what I did :

     - First I defined a hard filesize limit of 100MB for user johndoe 
in /etc/security/limits.conf :    "johndoe    hard fsize    102400"

     - Then I added "session required pam_limits.so" to 
/etc/pam.d/samba, in order to tell PAM to enforce the limitations

     - And finally, I added "obey pam restrictions = yes" to 

At first it seemed promising, when user johndoe tries to copy a file > 
100MB, a Windows 10 client throws the following error : An unexpected 
error is keeping you from copying the file...An unexpected network error 

So far, so good! That's what I wanted: to prevent the user from storing 
a file > 100MB.

But if I click on "Try again", the file is copied anyway.

And if I then try to copy more files > 100MB, no more error message is 
thrown, and the copies proceed.

If user johndoe logs out and back in, same result : the first attempt 
throws an error, the following attempts succeed.

So, it seems the restriction I set in /etc/security/limits.conf is only 
enforced at the first attempt, and is no longer enforced afterwards.

Any idea why? Or any idea how I could achieve my goal (prevent a user 
from copying a file > 100MB)?
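
A diagnostic sketch, added here and not part of the original post: it reads the "Max file size" row of /proc/<pid>/limits for an smbd process and compares it with the 102400 KB from the limits.conf line above (limits.conf uses KB, /proc reports bytes), showing whether RLIMIT_FSIZE is in force on the process serving a connection. The sample text and function names are constructed for illustration; real smbd PIDs (for example from `smbstatus`) are passed on the command line.

```python
import re
import sys

# fsize value from the post's limits.conf line; limits.conf expresses it in KB.
EXPECTED_KB = 102400

# Constructed samples of /proc/<pid>/limits content (not captured from a real host).
SAMPLE_LIMITED = """\
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max file size             104857600            104857600            bytes
Max open files            16384                16384                files
"""
SAMPLE_UNLIMITED = SAMPLE_LIMITED.replace("104857600", "unlimited")


def parse_fsize(limits_text):
    """Return (soft, hard) RLIMIT_FSIZE in bytes; None means unlimited."""
    for line in limits_text.splitlines():
        m = re.match(r"Max file size\s+(\S+)\s+(\S+)\s+bytes", line)
        if m:
            return tuple(None if v == "unlimited" else int(v) for v in m.groups())
    raise ValueError("no 'Max file size' row found")


def fsize_enforced(limits_text, expected_kb=EXPECTED_KB):
    """True if the soft limit (the one the kernel enforces on writes)
    is set and no larger than the configured value."""
    soft, _hard = parse_fsize(limits_text)
    return soft is not None and soft <= expected_kb * 1024


if __name__ == "__main__":
    # Usage: python3 check_fsize.py <smbd-pid> [<smbd-pid> ...]
    for pid in sys.argv[1:]:
        with open(f"/proc/{pid}/limits") as fh:
            text = fh.read()
        state = "enforced" if fsize_enforced(text) else "NOT enforced"
        print(pid, parse_fsize(text), state)
```

Running it against the smbd PID for johndoe's session before the first copy, after the failed copy, and after "Try again" shows at which point the limit is present on the serving process.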

