Basically, this is going to be just a question to see if what I want to do can be done, since I have had no luck in doing it so far...

I have set up a 2.2.3a domain controller, and I can join Windows XP clients to the domain, and log in as domain users.
I want to use PAM to enforce account restrictions, such as login time using pam_time. I currently have the *stacked* version of the /etc/pam.d/samba file installed, and I have modified my /etc/pam.d/system-auth file to look as such:

--cut

account requisite /lib/security/pam_time.so
account required /lib/security/pam_unix.so

--cut

I have a feeling that the restrictions are working partially, since in my syslog I am getting log entries to the effect of "'user' is not authorized to log in at this time"... however, Windows is still allowing me to login as if nothing is wrong. The only side effect of logging in my XP workstation outside the permitted times is that I'm not able to connect to shares, like the one defined for roaming profiles... Windows bitches about not being able to load my profile.

Does anyone have any ideas? Has this been done before? Can it be done, or will I be forced to actually use a Win2k Domain Controller when I would rather not?

Thanks for any help,

Gary
gary_richter@nfuel.com
"Richter, Gary" wrote:
>
> Basically, this is going to be just a question to see if what I want to do can be done, since I have had no luck in doing it so far...
>
> I have set up a 2.2.3a domain controller, and I can join Windows XP clients to the domain, and log in as domain users.
> I want to use PAM to enforce account restrictions, such as login time using pam_time. I currently have the *stacked* version of the /etc/pam.d/samba file installed, and I have modified my /etc/pam.d/system-auth file to look as such:
>
> --cut
>
> account requisite /lib/security/pam_time.so
> account required /lib/security/pam_unix.so
>
> --cut
>
> I have a feeling that the restrictions are working partially, since in my syslog I am getting log entries to the effect of "'user' is not authorized to log in at this time"... however, Windows is still allowing me to login as if nothing is wrong. The only side effect of logging in my XP workstation outside the permitted times is that I'm not able to connect to shares, like the one defined for roaming profiles... Windows bitches about not being able to load my profile.
>
> Does anyone have any ideas? Has this been done before? Can it be done, or will I be forced to actually use a Win2k Domain Controller when I would rather not?

This is meant to work, but it could well be buggy, or the NTSTATUS code we are sending might not match up with the effect desired.

You could try HEAD (Samba 3.0 alpha) as it has a completely re-written authentication subsystem.

Andrew Bartlett

--
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
I managed to get this working. The fix (whether it's the best way to do this or not would require input from someone with more PAM knowledge) was this:

I modified my /etc/pam.d/samba (NOT /etc/pam.d/system-auth) file to look as such:

--cut

account required /lib/security/pam_time.so
account required /lib/security/pam_unix.so

--cut

With this configuration, entries can be made in the /etc/security/time.conf containing the desired time restrictions. The service referenced for these restrictions would be "samba". If logging on outside of the permitted times, Windows kicks back the error "Unable to login due to an account restriction".

Problem solved as far as I'm concerned. Thanks :)

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet@pcug.org.au]
Sent: Tuesday, March 05, 2002 12:34 PM
To: Richter, Gary
Cc: samba@lists.samba.org
Subject: Re: [Samba] Problems with Samba 2.2.3a DC and PAM

"Richter, Gary" wrote:
>
> Basically, this is going to be just a question to see if what I want to do can be done, since I have had no luck in doing it so far...
>
> I have set up a 2.2.3a domain controller, and I can join Windows XP clients to the domain, and log in as domain users.
> I want to use PAM to enforce account restrictions, such as login time using pam_time. I currently have the *stacked* version of the /etc/pam.d/samba file installed, and I have modified my /etc/pam.d/system-auth file to look as such:
>
> --cut
>
> account requisite /lib/security/pam_time.so
> account required /lib/security/pam_unix.so
>
> --cut
>
> I have a feeling that the restrictions are working partially, since in my syslog I am getting log entries to the effect of "'user' is not authorized to log in at this time"... however, Windows is still allowing me to login as if nothing is wrong. The only side effect of logging in my XP workstation outside the permitted times is that I'm not able to connect to shares, like the one defined for roaming profiles... Windows bitches about not being able to load my profile.
>
> Does anyone have any ideas? Has this been done before? Can it be done, or will I be forced to actually use a Win2k Domain Controller when I would rather not?

This is meant to work, but it could well be buggy, or the NTSTATUS code we are sending might not match up with the effect desired.

You could try HEAD (Samba 3.0 alpha) as it has a completely re-written authentication subsystem.

Andrew Bartlett

--
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
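The working setup in this thread depends on pam_time reading /etc/security/time.conf with a rule whose service field is "samba", the name of the PAM service file that Samba opens. The script below is an added example, not code from the thread, from Samba or from Linux-PAM: it evaluates a constructed time.conf excerpt the way pam_time decides a login (services;ttys;users;times fields, "*" wildcard, "!" negation, "|" and "&" lists, day abbreviations such as Wk or Sa followed by an HHMM-HHMM range) so a rule set can be sanity-checked before it is installed. The user names, rules and dates are made up for the demonstration, and evaluating "|" and "&" left to right without precedence is an assumption of this model.

```python
import re
from datetime import datetime

# Day abbreviations used in time.conf; datetime.weekday() numbers Monday = 0.
DAY_TOKENS = {
    "Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
    "Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6}, "Al": {0, 1, 2, 3, 4, 5, 6},
}
TIME_RE = re.compile(r"^(!?)((?:Mo|Tu|We|Th|Fr|Sa|Su|Wk|Wd|Al)+)(\d{4})-(\d{4})$")

# Constructed time.conf excerpt (not the poster's file). The first field must
# equal the PAM service name, i.e. "samba" for rules loaded via /etc/pam.d/samba.
SAMPLE_TIME_CONF = """\
# services;ttys;users;times
samba;*;gary;Wk0800-1800
samba;*;contractor;Wk0900-1700|Sa0900-1300
samba;*;!gary&!contractor;!Su0000-2400
"""


def _hhmm(text):
    """'0830' -> minutes since midnight."""
    return int(text[:2]) * 60 + int(text[2:])


def parse_time_token(token):
    """Split 'WkMo0800-1800' into (negated, day set, start, end).

    A repeated day toggles: 'WkMo' is weekdays except Monday, as in pam_time.
    """
    m = TIME_RE.match(token)
    if not m:
        raise ValueError("bad time spec: %r" % token)
    neg, days, start, end = m.groups()
    day_set = set()
    for i in range(0, len(days), 2):
        day_set ^= DAY_TOKENS[days[i:i + 2]]
    return neg == "!", frozenset(day_set), _hhmm(start), _hhmm(end)


def _match_name(item, value):
    """One token of the services/ttys/users fields: '*' matches all, '!' negates."""
    negate = item.startswith("!")
    pattern = item[1:] if negate else item
    hit = pattern == "*" or pattern == value
    return hit != negate


def _match_time(item, when):
    """One token of the times field against a datetime."""
    negate, days, start, end = parse_time_token(item)
    minute = when.hour * 60 + when.minute
    if start < end:
        in_range = start <= minute < end
    else:  # assumption: a range whose end is before its start wraps past midnight
        in_range = minute >= start or minute < end
    hit = when.weekday() in days and in_range
    return hit != negate


def _eval_logic(field, value, match_item):
    """Evaluate a '|' / '&' token list left to right (assumed: no precedence)."""
    tokens = re.split(r"([|&])", field)
    result = match_item(tokens[0], value)
    for op, tok in zip(tokens[1::2], tokens[2::2]):
        rhs = match_item(tok, value)
        result = (result and rhs) if op == "&" else (result or rhs)
    return result


def check_access(conf_text, service, tty, user, when):
    """True unless a line matching service/tty/user has a times field that
    does not match `when`; with no matching line pam_time permits the login."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(";")
        if len(fields) != 4:
            raise ValueError("expected services;ttys;users;times: %r" % raw)
        services, ttys, users, times = fields
        if (_eval_logic(services, service, _match_name)
                and _eval_logic(ttys, tty, _match_name)
                and _eval_logic(users, user, _match_name)):
            if not _eval_logic(times, when, _match_time):
                return False
    return True


def permitted(user, when_text, service="samba", conf_text=SAMPLE_TIME_CONF):
    """Convenience wrapper; when_text is 'YYYY-MM-DD HH:MM', tty left empty."""
    when = datetime.strptime(when_text, "%Y-%m-%d %H:%M")
    return check_access(conf_text, service, "", user, when)


if __name__ == "__main__":
    for user, stamp in [("gary", "2002-03-05 10:00"), ("gary", "2002-03-05 22:00"),
                        ("contractor", "2002-03-09 10:00"), ("bob", "2002-03-10 10:00")]:
        print("%-10s %s -> %s" % (user, stamp, "permitted" if permitted(user, stamp) else "denied"))
```

The last assertion worth keeping in mind is the one the thread turned on: a rule written for service "samba" never fires for service "login", so the first field has to name the PAM service that actually performs the account check. A model like this only tells you what pam_time will return; whether the client honours that result (the NTSTATUS mapping Andrew mentions) still has to be confirmed against the real logon, as the follow-up in the thread did.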