Ok. I'm still not able to lock out the account, but now that I've got
the pam restrictions line in the smb.conf, I'm seeing messages appear in
/var/log/secure related to samba:account and samba:session.
So, that means that the login session is doing SOMETHING with pam, but I'm
not able to deny access at this point. If I'm not careful with the placement
of pam_deny then I prevent everyone from logging on. I had that issue with my
first test.
What exactly is samba asking of the ldap server at this stage that would
generate a failure that pam will recognize, I wonder.
If the account request is just asking if the account is there, and some basic
samba ldap settings, then of course it will succeed. If the session is doing the
same, then it will be ok.
Just as a guaranteed verification of what PAM will do, I put the pam_deny line
first thing in the session clause. I could still log in, but got errors
downloading the profile. I moved the pam_deny into the account section, and I
was not able to log into the windows machine. This is good...but that was a
forced deny for everyone for everything....
> Date: Fri, 14 Jan 2011 03:56:29 +0900
> Subject: Re: [Samba] another question about account locking
> From: monyo at monyo.com
> To: groucho.64738 at hotmail.com
> CC: samba at lists.samba.org
>
> 2011/1/14 Kevin Taylor <groucho.64738 at hotmail.com>:
>
> > I did give it a try with no luck. However, I'm not sure that the
> > way the pam rules I have set out would cause that to trip anyway.
> >
> > On most of our linux machines, we'd have the system-auth looking
> > like this (what is the default generated by system-config-authentication)
> >
> > auth required pam_env.so
> > auth sufficient pam_unix.so nullok try_first_pass
> > auth requisite pam_succeed_if.so uid >= 500 quiet
> > auth sufficient pam_ldap.so use_first_pass
> > auth required pam_deny.so
> >
> > So, if the LDAP lookup of whatever authentication information fails,
> > then the user will be denied. That's fine...but in practice, once the LDAP
> > server locks out the account, samba still is able to read what it needs from the
> > sambantpassword field, and thus approves the connection.
>
> Sorry, auth section will not work with Samba, as described in smb.conf(5).
> I put pam_deny.so into account section. For example,
> /etc/pam.d/common-account on my lenny box:
>
> -----
> account required pam_unix.so
> account required pam_deny.so
> -----
>
> This means always FAIL at account section.
>
> To check if an account is disabled is usually done at account section, I
> think.
>
> ---
> TAKAHASHI Motonobu <monyo at samba.gr.jp>
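The two pitfalls discussed in this thread (auth lines that Samba never evaluates, and a `pam_deny.so` placed where every user reaches it, so the whole account or session stage fails) can be checked mechanically. The linter below is an added example, not part of the thread or of Samba; it assumes, following smb.conf(5), that Samba with encrypted passwords never runs the auth stack and runs account and session only when `obey pam restrictions = yes`, and it does not parse bracketed `[...]` control fields.

```python
# Added example (not from the thread): lint a pam.d-style stack for the pitfalls
# discussed above. Assumption from smb.conf(5): with encrypted passwords Samba
# skips the auth stack; with "obey pam restrictions = yes" it runs account/session.
# Simplification: bracketed "[success=...]" control fields are not handled.

def parse_pam_stack(text):
    """Parse pam.d lines into dicts; comments, blanks and short lines are skipped."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 3:
            continue
        entries.append({"type": parts[0].lstrip("-"), "control": parts[1].lower(),
                        "module": parts[2].rsplit("/", 1)[-1], "args": parts[3:]})
    return entries

def lint_samba_stack(text):
    """Return findings for a stack that Samba (not a console login) would run."""
    entries = parse_pam_stack(text)
    findings = []
    if any(e["type"] == "auth" for e in entries):
        findings.append("auth: ignored by Samba with encrypted passwords; a lockout "
                        "enforced only in this stage is never seen by Samba")
    if not any(e["type"] == "account" for e in entries):
        findings.append("account: no account stack, so Samba enforces nothing here")
    for stage in ("account", "session"):
        seen_sufficient = False   # a prior 'sufficient' success skips later lines
        for e in (x for x in entries if x["type"] == stage):
            if e["control"] == "sufficient":
                seen_sufficient = True
            if (e["module"] == "pam_deny.so" and not seen_sufficient
                    and e["control"] in ("required", "requisite")):
                findings.append(f"{stage}: pam_deny.so is reached by every user, "
                                f"so the whole {stage} stage always fails")
    return findings

# Constructed sample in the shape of the common-account stack quoted in the reply.
ALWAYS_DENY = """\
auth     required   pam_unix.so
account  required   pam_unix.so
account  required   pam_deny.so
"""

# Constructed sample where pam_deny.so is only the fallback: a user who
# satisfies the earlier 'sufficient' module never reaches it.
FALLBACK_DENY = """\
account  sufficient pam_unix.so
account  required   pam_deny.so
session  required   pam_unix.so
"""

if __name__ == "__main__":
    for name, stack in (("always-deny", ALWAYS_DENY), ("fallback-deny", FALLBACK_DENY)):
        print(name, lint_samba_stack(stack) or ["no findings"])
```

Point it at the actual /etc/pam.d/samba (or the common-* files it includes) to see why a given placement of pam_deny.so locks everyone out rather than only the LDAP-locked account.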