Greets ... I am not getting it.

I have samba (old one, 3.0.22-11-SUSE-CODE10) in an ADS-context, winbind works OK ...

I am trying to connect vsftpd to winbind via PAM, this works TOO GOOD ;-)

currently I am able to login to vsftpd with ANY password, that's bad.

I am not understanding that PAM-stuff and I have some pressure to get that ftp-server up, so please would someone help me out?

My file:

This one is heavily edited now, as I played trial and error for hours.

# cat /etc/pam.d/vsftpd
#%PAM-1.0

# Uncomment this to achieve what used to be ftpd -A.
# auth required pam_listfile.so item=user sense=allow file=/etc/ftpchroot onerr=fail

auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_shells.so
account sufficient pam_winbind.so
account required pam_unix2.so
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok
session required pam_limits.so
session required pam_unix2.so

---

The logs show (I used a correct user and a wrong password):

Nov 5 09:55:25 comm01 vsftpd: Thu Nov 5 09:55:25 2009 [pid 6323] CONNECT: Client "MY.IP.HERE"
Nov 5 09:55:32 comm01 pam_winbind[6322]: request failed: Wrong Password, PAM error was 7, NT error was NT_STATUS_WRONG_PASSWORD
Nov 5 09:55:32 comm01 pam_winbind[6322]: user `DOM\user' denied access (incorrect password or invalid membership)
Nov 5 09:55:32 comm01 pam_winbind[6322]: user 'DOM\user' OK
Nov 5 09:55:32 comm01 pam_winbind[6322]: user 'DOM\user' granted access

Why does it deny first and then grant access anyway?

Is it a bug in the old samba-release or just my mistake?

Thanks for any help on this, I just don't see it ...

Stefan

Stefan G. Weichinger wrote:
> Is it a bug in the old samba-release or just my mistake?

Should be my mistake. Upgraded samba now, same behavior.
So it is my stupid config ...

S

Stefan G. Weichinger wrote:
> currently I am able to login to vsftpd with ANY password, that's bad.
>
> I am not understanding that PAM-stuff and I have some pressure to get
> that ftp-server up, so please would someone help me out?

I have a working pam-vsftpd configuration

/etc/pam.d/vsftpd contains

auth required pam_winbind.so
account required pam_winbind.so
password required pam_winbind.so
session required pam_winbind.so

and in vsftpd conf I have

pam_service_name=vsftpd

Centos 5.4, samba from Sernet "recent" repo.

Upgrading from 3.0.x to 3.3.x made winbind *a lot faster*, reducing cpu load.

--
Veiko

Stefan G. Weichinger wrote:
> Stefan G. Weichinger wrote:
>
>> Is it a bug in the old samba-release or just my mistake?
>
> Should be my mistake. Upgraded samba now, same behavior.
> So it is my stupid config ...

And one more follow-up-myself ... but maybe helpful for others searching the web in the future ...

--> It works now.

Edited /etc/pam.d/vsftpd to include the common files:

# cat vsftpd
auth include common-auth
account include common-account
password include common-password
session include common-session

while those included files are:

# cat common-auth
auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass

# cat common-account
account sufficient pam_winbind.so
account required pam_unix2.so

# cat common-password
password sufficient pam_winbind.so
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok

# cat common-session
session required pam_limits.so
session required pam_unix2.so

---

I tested by using right and wrong password, looks OK to me.

Could someone please let me know if this PAM-setup is safe?

Thanks a lot ... Stefan
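
Why the first /etc/pam.d/vsftpd in this thread accepted any password while the later stacks did not, as an added example that is not part of the original thread: a small Python model of the Linux-PAM control flags, in which a failed `sufficient` module is ignored and the remaining `required` modules decide the result. The per-module outcomes in module_outcomes() are assumptions for a domain user who is not in /etc/ftpusers, has a shell listed in /etc/shells and has no local password; `include` and `optional` are not modelled.

```python
# Added example: a small model of Linux-PAM control flags, not real PAM code.

# "auth" lines copied from the three configurations posted in the thread.
ORIGINAL_AUTH = """\
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_shells.so
"""
FIXED_AUTH = """\
auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass
"""
WINBIND_ONLY_AUTH = "auth required pam_winbind.so\n"


def parse_stack(text, group="auth"):
    """Return [(control, module_name)] for one management group."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments
        if len(fields) >= 3 and fields[0] == group:
            stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack


def authenticate(text, outcome):
    """Evaluate the auth stack; outcome maps module name -> would it succeed."""
    required_failed = False
    positive = False
    for control, module in parse_stack(text):
        ok = outcome[module]
        if control == "sufficient":
            if ok and not required_failed:
                return True   # success ends the stack early
            continue          # a sufficient failure is ignored
        if control not in ("required", "requisite"):
            raise ValueError("control flag not modelled: " + control)
        if ok:
            positive = True
        else:
            required_failed = True
            if control == "requisite":
                return False
    return positive and not required_failed


def module_outcomes(password_ok):
    """Assumed (constructed) outcomes for one domain user; see the lead-in."""
    return {"pam_listfile.so": True,        # user is not on the deny list
            "pam_winbind.so": password_ok,  # the domain checks the password
            "pam_shells.so": True,          # looks only at the login shell
            "pam_unix.so": False}           # no local password to match
```

In the first stack no `required` module looks at the password, so authenticate(ORIGINAL_AUTH, module_outcomes(False)) returns True; the other two stacks return False for the same wrong password.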