Hello. Is it possible to have SAMBA respect PAM so that when an LDAP account gets locked out the SAMBA account simultaneously gets locked out as well?

All my Windows clients are either 2003 or 2008 servers and, if I understand the blurbs below in the samba man page, the "encrypt passwords" directive must be set to yes in order for Windows machines to authenticate against SAMBA; however, if "encrypt passwords" is set to yes then SAMBA will ignore the directive "obey pam restrictions". Is there any way around this?

OS: RHEL 5.5 x64
samba3x-3.5.4-0.70.el5_6.1
openldap-2.3.43-12.el5_6.7

obey pam restrictions (G)

    When Samba 3.0 is configured to enable PAM support (i.e. --with-pam), this parameter will control whether or not Samba should obey PAM's account and session management directives. The default behavior is to use PAM for clear text authentication only and to ignore any account or session management. Note that Samba always ignores PAM for authentication in the case of encrypt passwords = yes. The reason is that PAM modules cannot support the challenge/response authentication mechanism needed in the presence of SMB password encryption.

encrypt passwords (G)

    This boolean controls whether encrypted passwords will be negotiated with the client. Note that Windows NT 4.0 SP3 and above and also Windows 98 will by default expect encrypted passwords unless a registry entry is changed. To use encrypted passwords in Samba see the chapter "User Database" in the Samba HOWTO Collection.

    MS Windows clients that expect Microsoft encrypted passwords and that do not have plain text password support enabled will be able to connect only to a Samba server that has encrypted password support enabled and for which the user accounts have a valid encrypted password. Refer to the smbpasswd command man page for information regarding the creation of encrypted passwords for user accounts.

    The use of plain text passwords is NOT advised as support for this feature is no longer maintained in Microsoft Windows products. If you want to use plain text passwords you must set this parameter to no.

    In order for encrypted passwords to work correctly smbd(8) must either have access to a local smbpasswd(5) file (see the smbpasswd(8) program for information on how to set up and maintain this file), or set the security = [server|domain|ads] parameter which causes smbd to authenticate against another server.

    Default: encrypt passwords = yes

-Mike
Anyone?

> From: mlstarling31 at hotmail.com
> To: samba at lists.samba.org
> Date: Sun, 10 Jul 2011 08:18:52 -0400
> Subject: [Samba] Locking SAMBA ccounts with LDAP backend
>
> Hello. Is it possible to have SAMBA respect PAM so that when an LDAP account gets locked out the SAMBA account simultaneously gets locked out as well?
> All my Windows clients are either 2003 or 2008 servers and, if I understand the blurbs below in the samba man page, the "encrypt passwords" directive must be set to yes in order for Windows machines to authenticate against SAMBA; however, if "encrypt passwords" is set to yes then SAMBA will ignore the directive "obey pam restrictions". Is there any way around this?
>
> OS: RHEL 5.5 x64
> samba3x-3.5.4-0.70.el5_6.1
> openldap-2.3.43-12.el5_6.7
>
(snip)
>
> -Mike
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
From: Michael Starling <mlstarling31 at hotmail.com>
Date: Sun, 10 Jul 2011 08:18:52 -0400

> Hello. Is it possible to have SAMBA respect PAM so that when an LDAP
> account gets locked out the SAMBA account simultaneously gets
> locked out as well?

As far as I have examined on Samba 3.5.6 on Lenny, if you set

-----
auth pam_winbind.so
-----

and "obey pam restrictions = yes", then the locked user cannot log on to the Samba server.

---
TAKAHASHI Motonobu <monyo at samba.gr.jp>
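The man-page excerpts in the original post describe the mechanism the thread is circling: with encrypt passwords = yes smbd never calls PAM's auth stack (it compares NTLM challenge/response against the hashes in the passdb), but with obey pam restrictions = yes it still runs the PAM account and session stacks for the "samba" service at session setup, so a module in the account stack can refuse a user whose hash matched. The script below is an added example written for this page, not code from the thread, from Samba or from Red Hat; it renders an smb.conf and a /etc/pam.d/samba that wire this up through the pam_ldap stack the poster already has in system-auth (rather than the pam_winbind line suggested above, which belongs on a domain member). The workgroup, LDAP host, suffixes, admin DN and output paths are placeholders and are assumptions; whether pam_ldap's account check actually reports your directory's lock (ppolicy lock versus shadow expiry attributes) depends on how the lock is represented in LDAP, so verify with a deliberately locked test account before relying on it.

```shell
#!/bin/sh
# Added example (not from the thread): render an smb.conf and a
# /etc/pam.d/samba that make smbd apply the PAM account and session
# stacks to every SMB session, while leaving NTLM challenge/response
# authentication to the ldapsam backend. Workgroup, LDAP host, suffixes,
# admin DN and the output root are placeholders (assumptions).

render_samba_pam_configs() {
    dir="$1"                       # output root, e.g. /tmp/stage or /etc
    mkdir -p "$dir/samba" "$dir/pam.d"

    # smb.conf: "encrypt passwords = yes" means PAM's auth stack is never
    # consulted (the NTLM hash in sambaNTPassword is compared instead), but
    # "obey pam restrictions = yes" still runs the account and session
    # stacks of the "samba" PAM service at session setup.
    cat > "$dir/samba/smb.conf" <<'EOF'
[global]
   workgroup = EXAMPLE
   server string = file server
   security = user
   encrypt passwords = yes
   passdb backend = ldapsam:ldap://ldap.example.com
   ldap suffix = dc=example,dc=com
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap admin dn = cn=Manager,dc=example,dc=com
   ldap ssl = start tls
   obey pam restrictions = yes
   log level = 1 auth:3
EOF

    # PAM service "samba": the auth lines are ignored for encrypted logons,
    # so what matters is the account stack, which reaches pam_ldap through
    # system-auth. A user whom pam_ldap's account check reports as locked or
    # expired is then refused a session even though the NTLM hash matched.
    cat > "$dir/pam.d/samba" <<'EOF'
#%PAM-1.0
auth       required     pam_nologin.so
auth       include      system-auth
account    include      system-auth
session    include      system-auth
password   include      system-auth
EOF
}

# Check a rendered tree: both settings must be present for an LDAP-side
# account lock to reach smbd. Returns non-zero if either is missing.
check_pam_lock_config() {
    dir="$1"
    grep -q '^[[:space:]]*obey pam restrictions[[:space:]]*=[[:space:]]*yes' \
        "$dir/samba/smb.conf" || return 1
    grep -q '^account[[:space:]]*include[[:space:]]*system-auth' \
        "$dir/pam.d/samba" || return 1
    echo "ok: obey pam restrictions = yes and the account stack includes system-auth"
}

# Usage: sh samba-pam-lock.sh /tmp/stage   (then diff against /etc and copy)
if [ $# -gt 0 ]; then
    render_samba_pam_configs "$1" && check_pam_lock_config "$1"
fi
```

Two caveats worth keeping in mind. First, the PAM account check only runs after the hash comparison, so a lock that is not visible to pam_ldap (for example one held purely in OpenLDAP's ppolicy state that the account module does not query) will not stop an SMB logon; the `log level = 1 auth:3` line is there so `smbd` logs the account-check outcome while you test. Second, Samba has its own disable flag in the passdb, independent of PAM: `pdbedit -u <user> -c "[D]"` sets the D flag in sambaAcctFlags and smbd refuses the account regardless of the PAM stack, so a lockout procedure that sets both the LDAP lock and the Samba D flag closes the gap either way.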
Thanks for the reply. This is what my system-auth looks like now:

Where would you suggest I place the auth pam_winbind.so statement?

auth        required      pam_env.so
auth        sufficient    pam_ldap.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
session     required      pam_mkhomedir.so skel=/etc/skel umask=0027

> Date: Tue, 12 Jul 2011 23:20:21 +0900
> To: mlstarling31 at hotmail.com
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Locking SAMBA ccounts with LDAP backend
> From: monyo at monyo.com
>
> From: Michael Starling <mlstarling31 at hotmail.com>
> Date: Sun, 10 Jul 2011 08:18:52 -0400
>
> > Hello. Is it possible to have SAMBA respect PAM so that when an LDAP
> > account gets locked out the SAMBA account simultaneously gets
> > locked out as well?
>
> As far as I have examined on Samba 3.5.6 on Lenny, if you set
>
> -----
> auth pam_winbind.so
> -----
>
> and "obey pam restrictions = yes", then the locked user cannot log on
> to the Samba server.
>
> ---
> TAKAHASHI Motonobu <monyo at samba.gr.jp>
From: Michael Starling <mlstarling31 at hotmail.com>
Date: Tue, 12 Jul 2011 10:26:17 -0400

> Thanks for the reply. This is what my system-auth looks like now:
>
> Where would you suggest I place the auth pam_winbind.so statement?

(snip)

Sorry, I misunderstood that your Samba server is a domain member. My previous suggestion is a mistake.

---
TAKAHASHI Motonobu <monyo at samba.gr.jp>
Interesting. I would have thought someone else had seen this issue before. Ah well.

> Date: Wed, 13 Jul 2011 00:29:58 +0900
> To: mlstarling31 at hotmail.com
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Locking SAMBA ccounts with LDAP backend
> From: monyo at monyo.com
>
> From: Michael Starling <mlstarling31 at hotmail.com>
> Date: Tue, 12 Jul 2011 10:26:17 -0400
>
> > Thanks for the reply. This is what my system-auth looks like now:
> >
> > Where would you suggest I place the auth pam_winbind.so statement?
>
> (snip)
>
> Sorry, I misunderstood that your Samba server is a domain member.
> My previous suggestion is a mistake.
>
> ---
> TAKAHASHI Motonobu <monyo at samba.gr.jp>