I am using PAM and pam_smbpass.so with Samba 2.999 (Debian sid package).
If, in /etc/pam.d/samba, I set
session required pam_smbpass.so
then login fails, and the log says:
[2002/08/04 15:43:26, 0] auth/pampass.c:smb_pam_error_handler(73)
smb_pam_error_handler: PAM: session setup failed : Module is unknown
[2002/08/04 15:43:26, 1] smbd/session.c:session_claim(103)
pam_session rejected the session for ichbin [smb/1]
[2002/08/04 15:43:26, 1] smbd/password.c:register_vuid(285)
Failed to claim session for vuid=101
If I set
session required pam_permit.so
then there is no problem, although auth, account, and password are still
set to use pam_smbpass.so.
Does this mean pam_smbpass doesn't implement session? If so, what should
I use instead? If not, what is going on here?
David Wright wrote:> > I am using PAM and pam_smbpass.so with Samba 2.999 (Debian sid package). > > If, in /etc/pam.d/samba, I set > session required pam_smbpass.so > then login fails, and the log says: > [2002/08/04 15:43:26, 0] auth/pampass.c:smb_pam_error_handler(73) > smb_pam_error_handler: PAM: session setup failed : Module is unknown > [2002/08/04 15:43:26, 1] smbd/session.c:session_claim(103) > pam_session rejected the session for ichbin [smb/1] > [2002/08/04 15:43:26, 1] smbd/password.c:register_vuid(285) > Failed to claim session for vuid=101 > > If I set > session required pam_permit.so > then there is no problem, although auth, account, and password are still > set to use pam_smbpass.so.Well, there isn't any point. In Samba '2.999' aka HEAD snapshot Samba will never call PAM for authenticaion when 'encrypt passwords = yes', and while it will use pam for 'account' controls, it won't gain you anything - its the same checks that are already done. And if you have an smbpasswd file, ten I'll assume you are using encrypted passwords :-) (Well, there is a point if you are using SWAT, but other than that, there isn't any point)> Does this mean pam_smbpass doesn't implement session? If so, what should > I use instead? If not, what is going on here?Indeed, pam_smbpass does not implement 'session' as there is no logical action that is should perform. pam_unix is probably a good choice. Andrew Bartlett -- Andrew Bartlett abartlet@pcug.org.au Manager, Authentication Subsystems, Samba Team abartlet@samba.org Student Network Administrator, Hawker College abartlet@hawkerc.net http://samba.org http://build.samba.org http://hawkerc.net
> > Well, there isn't any point. In Samba '2.999' aka HEAD snapshot Samba > will never call PAM for authenticaion when 'encrypt passwords = yes', > and while it will use pam for 'account' controls, it won't gain you > anything - its the same checks that are already done.Well, in 2.2.5, I can use "obey pam restrictions = yes" with winbind to create home directories via pam_mkhomedir. Are you saying 1)This won't work in 3.0 2)Samba does this (creating the homedir) already 3)"obey pam restrictions = yes" is effectively set (thus my: session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022 in /etc/pam.d/samba will work anyway)? Buchan -- |----------------Registered Linux User #182071-----------------| Buchan Milne Mechanical Engineer, Network Manager Cellphone * Work +27 82 472 2231 * +27 21 8828820x121 Stellenbosch Automotive Engineering http://www.cae.co.za GPG Key http://ranger.dnsalias.com/bgmilne.asc 1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7