samba - Dec 2005 - pam_mkhomedir.so problem

Hello Samba People,

I'm doing some tests with samba on a debian Sarge in order to implement a
file server
with the recycle bin module, so my smb.conf loks like this :

[global]
  workgroup = HOME

  server string = %h server (Samba %v)
  preferred master = no

  realm = home.local
  security = ADS

  encrypt passwords = true
  password server = 192.168.0.15

  socket options = TCP_NODELAY

# winbindd configuration
  winbind separator = _
  idmap uid = 10000-20000
  idmap gid = 10000-20000
  winbind enum users = yes
  winbind enum groups = yes
  template homedir = /home/%U
  template shell = /bin/false

  dns proxy = no
  log file = /var/log/samba/log.%m.%U
  log level = 2 vfs: 3
  max log size = 2048
  syslog = 0
  panic action = /usr/share/samba/panic-action %d

[homes]
  comment = Home Directories
  browseable = no
  writable = yes
  create mask = 0700
  directory mask = 0700

[share]
  path = /home/share
  comment = Share Directories
  browseable = yes
  writable = yes
  create mask = 0777
  directory mask = 0777
  vfs objects = extd_audit recycle
    recycle:exclude = *.tmp,*.temp
    recycle:keeptree = yes
    recycle:repository = /home/recycle/%U
    recycle:touch = yes
    recycle:versions = yes

I edited /etc/pam.d/samba, which now looks like :

account    required    pam_unix.so
password sufficient   pam_winbind.so use_authtok
auth         required    pam_unix.so nullok_secure
session    required    pam_mkhomedir.so skel=/etc/skel/ umask=0077
@include common-auth
@include common-account
@include common-session

Everything works super except the "pam_mkhomedir.so" module, which
does not
create the /home/%USERNAME% folder automaticaly ...
In the log samba sais that /home/X does not exist ... and this folder is not
created ...
If I create it manualy and give appropiate rights, it works as it shood ...

Where is the problem ?

--
All parts should go together without forcing. "You must remember that the
parts you are reassembling were disassembled by you. Therefore, if you can't
get them together again, there must be a reason. By all means, do not use a
hammer." -- IBM maintenance manual, 1975

Hello Samba People,

I'm doing some tests with samba on a debian Sarge in order to implement a
file server
with the recycle bin module, so my smb.conf loks like this :

[global]
  workgroup = HOME

  server string = %h server (Samba %v)
  preferred master = no

  realm = home.local
  security = ADS

  encrypt passwords = true
  password server = 192.168.0.15

  socket options = TCP_NODELAY

# winbindd configuration
  winbind separator = _
  idmap uid = 10000-20000
  idmap gid = 10000-20000
  winbind enum users = yes
  winbind enum groups = yes
  template homedir = /home/%U
  template shell = /bin/false

  dns proxy = no
  log file = /var/log/samba/log.%m.%U
  log level = 2 vfs: 3
  max log size = 2048
  syslog = 0
  panic action = /usr/share/samba/panic-action %d

[homes]
  comment = Home Directories
  browseable = no
  writable = yes
  create mask = 0700
  directory mask = 0700

[share]
  path = /home/share
  comment = Share Directories
  browseable = yes
  writable = yes
  create mask = 0777
  directory mask = 0777
  vfs objects = extd_audit recycle
    recycle:exclude = *.tmp,*.temp
    recycle:keeptree = yes
    recycle:repository = /home/recycle/%U
    recycle:touch = yes
    recycle:versions = yes

I edited /etc/pam.d/samba, which now looks like :

account    required    pam_unix.so
password sufficient   pam_winbind.so use_authtok
auth         required    pam_unix.so nullok_secure
session    required    pam_mkhomedir.so skel=/etc/skel/ umask=0077
@include common-auth
@include common-account
@include common-session

Everything works super except the "pam_mkhomedir.so" module, which
does not
create the /home/%USERNAME% folder automaticaly ...
In the log samba sais that /home/X does not exist ... and this folder is not
created ...
If I create it manualy and give appropiate rights, it works as it shood ...

Where is the problem ?

--
All parts should go together without forcing. "You must remember that the
parts you are reassembling were disassembled by you. Therefore, if you can't
get them together again, there must be a reason. By all means, do not use a
hammer." -- IBM maintenance manual, 1975

Hello;
> session    required    pam_mkhomedir.so skel=/etc/skel/ umask=0077

Well I use optional in 
session optional /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel/ 
umask=0022


I had the same problem. Initial login runs as user, no as root, and have no 
rights for writing.

See, for example, man sshd_config:

     UsePrivilegeSeparation
             Specifies whether sshd separates privileges by creating an 
unprivileged child process to deal with incoming network traffic.
             After successful authentication, another process will be created 
that has the privilege of the authenticated user.  The goal
             of privilege separation is to prevent privilege escalation by 
containing any corruption within the unprivileged processes.
             The default is "yes".

Set apropiate chmod to /home. I used /home/samba/ for on the fly home 
directories and did not change /home permissions.


Pedrop


http://dns.bdat.net