Sorry if this is a simple question but I have been struggling for many days trying to get samba-3.0.2rc2 working with a win2k AD

wbinfo -t works
wbinfo -u works
wbinfo -g works

getent passwd username works

sharing dirs works

in fact everything seems to work with the exception of a user's directory being created using pam_mkhomedir.so

I am running on Redhat 9 with Samba 3.0.2rc2

Samba was built using the following options configure --with-quotas --with-pam

I presume it is something wrong with my pam config which follows

#%PAM-1.0
auth required pam_securetty.so
#auth required pam_stack.so service=system-auth
auth required pam_nologin.so
auth sufficient pam_winbind.so
auth required pam_env.so
auth required pam_unix.so nullok use_first_pass
account sufficient pam_winbind.so
account required pam_unix.so
#account required pam_stack.so service=system-auth
#password required pam_stack.so service=system-auth
#session required pam_stack.so service=system-auth
#session optional pam_console.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
password required pam_unix.so nullok obscure min=4 max=8
session required pam_unix.so
session optional pam_lastlog.so
session optional pam_motd.so
session optional pam_mail.so standard noenv

I have tried many variations of this file from various postings but all to no avail

the relevant part of smb.conf follows

# Global parameters
[global]
    workgroup = LEARNINGDOMAIN
    realm = LEARNINGDOMAIN.ORG
    server string = %L running Samba %v
    security = ADS
    obey pam restrictions = Yes
    password server = pdc.learningdomain.org
    passwd program = /usr/bin/passwd %u
    unix password sync = Yes
    log level = 3
    log file = /var/log/samba/log.%m
    preferred master = No
    local master = No
    domain master = No
    dns proxy = No
    ldap ssl = no
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template homedir = /home/%D/%U
    template shell = /bin/bash
    winbind separator = +
[shares]
    force create mode = 0660
    force directory mode = 0770
[homes]
    path = /home/%D/%U
    browseable = no
    read only = no
    create mask = 0600
    directory mask = 0700
    writable = yes

if I try su - DOMAIN+Username from a shell prompt

I get the following reply

[root@store01 pam.d]# su - LEARNINGDOMAIN+Administrator
su: warning: cannot change directory to /home/LEARNINGDOMAIN/Administrator: No such file or directory
-bash-2.05b$

So I get logged in but I remain in the current working directory

any advice gratefully received

Tim

I'm using RedHat 9.0 and it works, here is what my files look like -

/etc/pam.d/login looks like this - The authconfig tool in RedHat did everything except the pam_mkhomedir.so bit.

#%PAM-1.0
auth required pam_securetty.so
auth sufficient pam_UNIX.so use_first_pass
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_mkhomedir.so umask=0022
session optional pam_console.so

My /etc/pam.d/gdm looks like this -

#%PAM-1.0
auth required pam_env.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so
session required pam_mkhomedir.so skel=/etc/skel umask=0022

/etc/pam.d/system-auth looks like this -

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_smb_auth.so use_first_pass nolocal
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so

I also use 'winbind use default domain = yes' in smb.conf.

Sapan

-----Original Message-----
From: Tim Simpson [mailto:tsimpson@dundeecity.gov.uk]
Sent: 03 February 2004 16:41
To: samba@lists.samba.org
Subject: [Samba] How do I get pam_mkhomedir to work

On 3 Feb 2004, Tim Simpson wrote:

> Message follows this disclaimer
> ----------------------------------------------------------------------
> This email and any files transmitted with it is confidential and intended solely
> for the person or organisation to whom it is addressed.

This mail is not addressed to me, may I read it? ;-)

> Sorry if this is a simple question but I have been struggling for many days
> trying to get samba-3.0.2rc2 working with a win2k AD
>
> wbinfo -t works
> wbinfo -u works
> wbinfo -g works
>
> getent passwd username works
>
> sharing dirs works
>
> in fact everything seems to work with the exception of a user's directory being
> created using pam_mkhomedir.so
>
> I am running on Redhat 9 with Samba 3.0.2rc2
>
> Samba was built using the following options configure --with-quotas --with-pam
>
> I presume it is something wrong with my pam config which follows
>
> #%PAM-1.0
> auth required pam_securetty.so
> #auth required pam_stack.so service=system-auth
> auth required pam_nologin.so
> auth sufficient pam_winbind.so
> auth required pam_env.so
> auth required pam_unix.so nullok use_first_pass
> account sufficient pam_winbind.so
> account required pam_unix.so
> #account required pam_stack.so service=system-auth
> #password required pam_stack.so service=system-auth
> #session required pam_stack.so service=system-auth
> #session optional pam_console.so
> session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
> password required pam_unix.so nullok obscure min=4 max=8
> session required pam_unix.so
> session optional pam_lastlog.so
> session optional pam_motd.so
> session optional pam_mail.so standard noenv
>
> I have tried many variations of this file from various postings but all to no
> avail
>
> the relevant part of smb.conf follows
>
> # Global parameters
> [global]
>     workgroup = LEARNINGDOMAIN
>     realm = LEARNINGDOMAIN.ORG
>     server string = %L running Samba %v
>     security = ADS
>     obey pam restrictions = Yes
>     password server = pdc.learningdomain.org
>     passwd program = /usr/bin/passwd %u
>     unix password sync = Yes
>     log level = 3
>     log file = /var/log/samba/log.%m
>     preferred master = No
>     local master = No
>     domain master = No
>     dns proxy = No
>     ldap ssl = no
>     idmap uid = 10000-20000
>     idmap gid = 10000-20000
>     template homedir = /home/%D/%U
>     template shell = /bin/bash
>     winbind separator = +
> [shares]
>     force create mode = 0660
>     force directory mode = 0770
> [homes]
>     path = /home/%D/%U
>     browseable = no
>     read only = no
>     create mask = 0600
>     directory mask = 0700
>     writable = yes
>
> if I try su - DOMAIN+Username from a shell prompt
>
> I get the following reply
>
> [root@store01 pam.d]# su - LEARNINGDOMAIN+Administrator
> su: warning: cannot change directory to /home/LEARNINGDOMAIN/Administrator: No
> such file or directory
> -bash-2.05b$
>

pam_mkhomedir doesn't make deep directories ... does /home/LEARNINGDOMAIN exist?

And, you don't mention which pam config file you are editing, but it is most likely more useful to do this in system-auth, then if you set 'obey pam restrictions = yes' in smb.conf, samba will even make the home directories (or any app pam application with session support ...

Regards,
Buchan

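The check Buchan's reply asks for (does the parent of the templated home directory exist?) can be scripted. The following is an added example, not part of the thread: shell functions that read `workgroup` and `template homedir` from an smb.conf, expand %D, and list the parent directories that are missing. The function names and the PREFIX argument are hypothetical, and the sample smb.conf is constructed from the values in Tim's post.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and PREFIX are hypothetical.

# smb_param FILE NAME: print the value of the first "NAME = value" line.
# Assumes NAME is spelled as in the post (lower case, single spaces).
smb_param() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" |
        head -n 1
}

# homedir_parent FILE: expand %D, then cut the template at the component
# that contains %U. What remains must exist before the first login.
homedir_parent() {
    tmpl=$(smb_param "$1" "template homedir")
    dom=$(smb_param "$1" "workgroup")
    [ -n "$tmpl" ] || tmpl='/home/%D/%U'      # Samba's default template
    parent=$(printf '%s\n' "$tmpl" | sed -e "s/%D/$dom/g" -e 's#/[^/]*%U.*##')
    printf '%s\n' "${parent:-/}"
}

# missing_dirs PREFIX DIR: print each component of DIR that is absent under PREFIX.
missing_dirs() {
    path=""
    old_ifs=$IFS
    IFS=/
    set -f                                    # no globbing while splitting on "/"
    for part in $2; do
        [ -n "$part" ] || continue
        path="$path/$part"
        [ -d "$1$path" ] || printf '%s\n' "$path"
    done
    set +f
    IFS=$old_ifs
}

# check_homedir_parent FILE [PREFIX]: return 0 when every parent exists.
# PREFIX points the check at a test tree instead of the real "/".
check_homedir_parent() {
    missing=$(missing_dirs "${2:-}" "$(homedir_parent "$1")")
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    return 0
}

# Constructed input: two [global] lines from the post, and a throw-away
# tree in which only /home exists.
demo=$(mktemp -d)
printf '[global]\n\tworkgroup = LEARNINGDOMAIN\n\ttemplate homedir = /home/%%D/%%U\n' \
    > "$demo/smb.conf"
mkdir -p "$demo/root/home"
check_homedir_parent "$demo/smb.conf" "$demo/root" ||
    echo "create the directories listed above before the first login"
```

On a real host, call `check_homedir_parent /etc/samba/smb.conf` with no PREFIX; the smb.conf path is an assumption and depends on how Samba was built.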

I just got this working today, thanks to Andy from the BBC.

Here is what my pam.conf looks like, warts and all!

#
#ident "@(#)pam.conf 1.20 02/01/23 SMI"
#
# Copyright 1996-2002 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth required pam_winbind.so
login auth requisite pam_authtok_get.so.1 debug
#login auth sufficient /usr/lib/security/pam_winbind.so.1 try_first_pass debug
login auth sufficient pam_dhkeys.so.1 debug
login auth sufficient pam_unix_auth.so.1 debug
login auth sufficient pam_dial_auth.so.1 debug
#login auth sufficient /usr/lib/security/pam_winbind.so.1 debug try_first_pass
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth required pam_winbind.so
rlogin auth sufficient pam_rhosts_auth.so.1 debug
rlogin auth requisite pam_authtok_get.so.1 debug
rlogin auth sufficient pam_dhkeys.so.1 debug
rlogin auth sufficient pam_unix_auth.so.1 debug
#rlogin auth sufficient /usr/lib/security/pam_winbind.so.1 try_first_pass debug
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1 debug
rsh auth required pam_unix_auth.so.1 debug
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1 debug
ppp auth required pam_dhkeys.so.1 debug
ppp auth required pam_unix_auth.so.1 debug
ppp auth required pam_dial_auth.so.1 debug
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authenctication
#
other auth sufficient pam_winbind.so
other auth requisite pam_authtok_get.so.1 debug
other auth sufficient pam_dhkeys.so.1 debug
other auth sufficient pam_unix_auth.so.1 debug
#other auth sufficient /usr/lib/security/pam_winbind.so.1 try_first_pass debug
#
# passwd command (explicit because of a different authentication module)
#
passwd auth required pam_passwd_auth.so.1 debug
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_projects.so.1 debug
cron account required pam_unix_account.so.1 debug
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account sufficient pam_winbind.so
other account requisite pam_roles.so.1 debug
other account sufficient pam_projects.so.1 debug
other account sufficient pam_unix_account.so.1 debug
#other account sufficient /usr/lib/security/pam_winbind.so.1 debug
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_mkhomedir.so skel=/etc/skel umask=0022
other session required pam_unix_session.so.1 debug
other session sufficient /usr/lib/security/pam_winbind.so.1 try_first_pass debug
#other session required pam_mkhomedir.so.1 debug skel=/etc/skel umask=0022
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1 debug
other password requisite pam_authtok_get.so.1 debug
other password requisite pam_authtok_check.so.1 debug
other password required pam_authtok_store.so.1 debug
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin auth optional pam_krb5.so.1 try_first_pass
#login auth optional pam_krb5.so.1 try_first_pass
#other auth optional pam_krb5.so.1 try_first_pass
#cron account optional pam_krb5.so.1
#other account optional pam_krb5.so.1
#other session optional pam_krb5.so.1
#other password optional pam_krb5.so.1 try_first_pass

-----Original Message-----
From: Buchan Milne [mailto:bgmilne@obsidian.co.za]
Sent: 04 February 2004 16:17
To: Tim Simpson
Cc: samba@lists.samba.org
Subject: Re: [Samba] How do I get pam_mkhomedir to work