Roger Aas
2004-Jun-23 08:18 UTC
[Samba] Two tricky problems with Samba and pam_mkhomedir.so
I have a mail services setup that has given me two problems I am not able to solve myself, and can find no solutions to on the internet (google, mailing-list archives et al.)...

1 - Users logging in with a mix of upper and lowercase letters create different home directories for each new variation they manage to come up with.

2 - The home directories are to be created by pam_mkhomedir.so, but I have to set the base directory to chmod 777 for that module to be able to create the user's directory.

The setup:

We moved our email service for the students over to a Red Hat Enterprise Linux 3 AS Update 2 server configured this way:

- Samba (samba-3.0.2-6.3E) in ADS mode for authentication with AD.
- IMAP (imap-2002d-8) with PAM (pam-0.75-54) set up for winbind and mkhomedir.
- Squirrelmail (squirrelmail-1.4.3-0.e3.1) for webmail. (Apache and PHP req.)
- Sendmail (sendmail-8.12.11-3.3) for incoming and outgoing email.

Users will only connect to this server via Squirrelmail (i.e. IMAP) or directly to IMAP. No other services will be available.

This setup "works" and is actually in production, but I have these two problems that would be nice to sort out.

Problem one:

Samba (through IMAP->PAM->WINBIND->AD) authenticates the users roger, Roger, ROGER and RoGeR as the same user. But when PAM runs mkhomedir with the username, it makes a new directory for each of these variations of the username. In Linux (Unix) the case does matter for directories.

I could probably go into the PHP scripts of Squirrelmail to make a $username = tolower($username) or something like that, but that will not help for users who set up their own IMAP client. I could probably instead look at the source for mkhomedir or imap and try to find out what to change there.

Is there someone who has solved a problem like this before? What did they do? Does someone at the Samba team have some ideas? Is there a way to deny authentication in winbind when someone uses uppercase letters (force them to use lowercase)?
Problem two:

I cannot make mkhomedir create users' home directories without making the base directory world-writable (mkdir /home/DOMAIN; chmod 777 /home/DOMAIN). Any resolutions to this? Since the users are not given login access, this is no big problem, but it would be nice if it was fixed. (This question belongs in some PAM mail-list I guess, but I am sure someone here knows how to fix this...) :-)

Thanks,
Roger

Detailed setup:

# rm -f /etc/krb5.conf
(Kerberos uses information from DNS)

# vi /etc/samba/smb.conf
[global]
    netbios name = SERVER
    workgroup = DOMAIN
    realm = DOMAIN.COLLEGE.EDU
    ldap ssl = no
    idmap uid = 10000-50000
    idmap gid = 10000-50000
    template homedir = /home/%D/%U
    template shell = /sbin/nologin
    winbind separator = +
    winbind use default domain = Yes
    winbind enum users = Yes
    winbind enum groups = Yes
    obey pam restrictions = Yes
    server string = Student Mailserver
    hosts allow = 10. 127.
    log file = /var/log/samba/%m.log
    max log size = 50
    security = ADS
    password server = 10.0.0.1
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    wins server = 10.0.0.1
    dns proxy = no
    local master = no
    preferred master = no
    os level = 0

# vi /etc/pam.d/imap
#%PAM-1.0
auth       sufficient   pam_winbind.so
auth       required     pam_stack.so service=system-auth
account    sufficient   pam_winbind.so
account    required     pam_stack.so service=system-auth
session    required     pam_mkhomedir.so

# vi /etc/nsswitch.conf
(Only relevant lines)
passwd: files winbind
shadow: files winbind
group:  files winbind

# net ads join -U Administrator

# mkdir /home/DOMAIN; chmod 777 /home/DOMAIN
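An audit script for the two symptoms described in the post, added here as an example; it is not part of the original message and not from the Samba or Linux-PAM projects. It assumes only the layout the post describes, a base directory such as /home/DOMAIN holding one directory per login name. The script lowercases a login name the way a front end would have to before pam_mkhomedir sees it, lists directories under the base that differ only by letter case (the duplicates from problem one), and flags a base directory whose "other" bits include write (the chmod 777 workaround from problem two, which lets any local account create or rename entries there). The sample directory names are constructed to reproduce the post's roger/Roger/ROGER/RoGeR case.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the post's layout:
# home directories live directly under one base dir such as /home/DOMAIN.

# Lowercase a login name: roger, Roger, ROGER and RoGeR all map to "roger".
canonical_user() {
    printf '%s' "$1" | tr 'A-Z' 'a-z'
}

# For every lowercase name that has more than one case variant under $1,
# print one line of the form "name: Variant1 Variant2 ...".
find_case_variants() {
    fcv_base="$1"
    for d in "$fcv_base"/*/; do
        [ -d "$d" ] || continue          # skip the literal pattern when base is empty
        n=$(basename "$d")
        printf '%s %s\n' "$(canonical_user "$n")" "$n"
    done | LC_ALL=C sort | awk '
        { v[$1] = v[$1] " " $2; c[$1]++ }
        END { for (k in c) if (c[k] > 1) print k ":" v[k] }' | LC_ALL=C sort
}

# Exit status 0 when "other" has write permission on $1 (the chmod 777
# workaround), 1 otherwise. Uses the ls mode string, so it is portable
# across GNU and BSD userlands.
base_is_world_writable() {
    perm=$(ls -ld "$1" | cut -c1-10)
    case "$perm" in
        ????????w?) return 0 ;;
        *)          return 1 ;;
    esac
}

# Build a constructed base dir reproducing the symptom from the post and
# run both checks against it, then clean up.
demo() {
    demo_base=$(mktemp -d)
    for u in roger Roger ROGER RoGeR anna; do   # constructed sample names
        mkdir "$demo_base/$u"
    done
    chmod 777 "$demo_base"
    echo "Case collisions under $demo_base:"
    find_case_variants "$demo_base"
    if base_is_world_writable "$demo_base"; then
        echo "WARNING: $demo_base is world-writable"
    fi
    rm -rf "$demo_base"
}

# Run the demo only when invoked as: sh audit_homes.sh demo
case "${1:-}" in
    demo) demo ;;
esac
```

Against a real base directory, `find_case_variants /home/DOMAIN` shows which accounts have already accumulated case-variant directories and would need their mailboxes merged, and `base_is_world_writable /home/DOMAIN` is a one-line check to add to a nightly audit so the 777 workaround does not silently outlive the problem it papered over.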