Hi,

I am trying to get my Samba installation to use PAM under Ubuntu. I have created the /etc/pam.d/samba, but as far as I can tell samba is not using the directives in there. I have ssh and netatalk using PAM successfully against a Kerberos ticket issuer, so I know my PAM installation is working for some services. I am sure I have something wrong in my smb.conf as I am a bit of a newbie with samba when it comes to PAM.

My /etc/pam.d/samba file is a clone of my netatalk PAM file, because my netatalk shares are working just fine.

Here is my [global] section from smb.conf:

[global]
log file = /var/log/samba/log.%m
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
obey pam restrictions = yes
map to guest = bad user
# encrypt passwords = true
passwd program = /usr/bin/passwd %u
passdb backend = tdbsam
dns proxy = no
server string = %h server
winbind enum users = yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +
idmap uid = 2000-20000
idmap gid = 2000-20000
unix password sync = yes
workgroup = [redacted]
os level = 20
syslog = 3
realm = [redacted]
security = ads
panic action = /usr/share/samba/panic-action %d
usershare allow guests = yes
max log size = 1000
pam password change = yes
preferred master = no

On Tue, Mar 16, 2010 at 02:14:36PM -0500, Grady Neely wrote:
> I am trying to get my Samba installation to use PAM under
> Ubuntu. I have created the /etc/pam.d/samba, but as far
> as I can tell samba is not using the directives in there.
> I have ssh and netatalk using PAM successfully against a
> Kerberos ticket issuer, so I know my PAM installation is
> working for some services. I am sure I have something
> wrong in my smb.conf as I am a bit of a newbie with samba
> when it comes to PAM.
>
> My /etc/pam.d/samba file is a clone of my netatalk PAM
> file, because my netatalk shares are working just fine.

PAM can not be used by Samba for password checking, because
the PAM API expects to see the user's plain text password.
We never see that unless you're setting "encrypt passwords no"
which is so highly not recommended that we should probably
disable it at some point.

Volker
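
The point made in the reply can be checked against a given smb.conf. The following is an added example, not part of the original thread and not Samba's own code: it reads the [global] section and reports which PAM stages smbd can use, relying on the defaults documented in smb.conf(5) (encrypt passwords = yes, obey pam restrictions = no, pam password change = no). The function names and the sample configuration are constructed for illustration.

```python
import configparser

# Constructed sample, modelled on the [global] section quoted in the thread.
SAMPLE = """\
[global]
   obey pam restrictions = yes
#  encrypt passwords = true
   passdb backend = tdbsam
   security = ads
   pam password change = yes
"""

TRUE_WORDS = {"yes", "true", "on", "1"}  # boolean spellings Samba accepts as true


def load_global(text):
    """Return the [global] parameters with names normalised the way Samba
    compares them: case-insensitive and with whitespace ignored."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = lambda key: "".join(key.split()).lower()
    # Strip indentation so configparser does not read lines as continuations.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    for name in cp.sections():
        if name.lower() == "global":  # section names are case-insensitive too
            return dict(cp[name])
    return {}


def pam_usage(text):
    """Report which PAM stages smbd can use with this configuration."""
    params = load_global(text)

    def enabled(name, default):
        return params.get(name, default).strip().lower() in TRUE_WORDS

    # With encrypted passwords smbd only sees a challenge/response, never
    # the plain text that a PAM auth module needs, so the auth stage is skipped.
    encrypted = enabled("encryptpasswords", "yes")
    return {
        "authentication": not encrypted,
        "account_and_session": enabled("obeypamrestrictions", "no"),
        "password_change": enabled("pampasswordchange", "no"),
    }


if __name__ == "__main__":
    for stage, used in pam_usage(SAMPLE).items():
        print(f"{stage:20} {'PAM' if used else 'not PAM'}")
```

For the sample above, only the account/session and password-change stages go through /etc/pam.d/samba; the auth lines in that file are never consulted.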