[CentOS] help with samba and ldap on centos 5
Ross S. W. Walker
rwalker at medallion.com
Mon Aug 6 18:25:35 UTC 2007
Also I am not sure these are needed:
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
You really only need these if you are using an authorization
source that doesn't provide compatible UIDs and GIDs (winbind).
-Ross
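To make the two points in this thread checkable (whether `encrypt passwords = no` pushes SMB logons through PAM without `obey pam restrictions`, and whether the `account` stack in system-auth has the `pam_localuser.so` entry that `authconfig --enablelocauthorize` adds), here is an added example of a small Python linter. It is not Samba's, authconfig's or any poster's code; the sample inputs are constructed from the configs quoted in the thread, and the assumed defaults (`encrypt passwords = yes`, `obey pam restrictions = no`) are stated in the code.

```python
"""Lint an smb.conf (or testparm dump) and a PAM service file for the
settings discussed in this thread. Added example, not Samba/authconfig code."""
import re

# Constructed sample: [global] parameters and one share from the quoted
# testparm dump (no 'obey pam restrictions' line, as in the original).
SAMPLE_SMB_CONF = """\
[global]
    workgroup = ITSN
    encrypt passwords = No
    ldap ssl = no
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431

[first share]
    path = /export
    valid users = abliss
    read only = No
"""

# Constructed sample: the 'account' stack from the quoted system-auth
# before authconfig --enablelocauthorize was run (no pam_localuser.so).
SAMPLE_SYSTEM_AUTH = """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
"""


def samba_bool(value):
    """Samba accepts yes/true/1 and no/false/0, case-insensitively."""
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    raise ValueError("not a Samba boolean: %r" % value)


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {param: value}}. Lines starting with
    '#' or ';' are comments; parameter names are lower-cased with whitespace
    collapsed, as Samba matches them case- and space-insensitively."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue  # parameters before the first section header are ignored
        name, _, value = line.partition("=")
        conf[section][re.sub(r"\s+", " ", name.strip().lower())] = value.strip()
    return conf


def audit_smb_conf(conf, winbind=False):
    """(parameter, finding) pairs for the [global] settings the thread discusses.
    Assumed defaults when absent: encrypt passwords = yes, obey pam restrictions = no."""
    g, findings = conf.get("global", {}), []
    if not samba_bool(g.get("encrypt passwords", "yes")):
        findings.append(("encrypt passwords", "off: clients send cleartext passwords and "
                         "Samba authenticates via PAM (smb_pam_passcheck)"))
        if not samba_bool(g.get("obey pam restrictions", "no")):
            findings.append(("obey pam restrictions", "off: PAM account/session directives "
                             "are ignored for SMB logons; set to yes"))
    if g.get("ldap ssl", "").strip().lower() in ("no", "off"):
        findings.append(("ldap ssl", "off: LDAP traffic, including bind credentials, is unencrypted"))
    if not winbind and ("idmap uid" in g or "idmap gid" in g):
        findings.append(("idmap uid/gid", "set without winbind: only needed when the "
                         "authorization source does not supply POSIX UIDs/GIDs"))
    return findings


def pam_account_modules(text):
    """Module names on the 'account' lines of a PAM service file, in order.
    Handles both one-word controls and the bracketed [default=bad ...] form."""
    modules = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts or parts[0].lower() != "account":
            continue
        rest = " ".join(parts[1:])
        if rest.startswith("[") and "]" in rest:
            modules.append(rest[rest.index("]") + 1:].split()[0])  # drop bracketed control
        else:
            modules.append(rest.split()[1])  # skip the control word
    return modules


def audit_pam_account(text):
    """Modules in the account stack authconfig --enablelocauthorize writes
    (as quoted in the thread) that are missing from the given file."""
    wanted = ("pam_unix.so", "pam_localuser.so", "pam_ldap.so", "pam_permit.so")
    present = set(pam_account_modules(text))
    return [m for m in wanted if m not in present]


if __name__ == "__main__":
    for param, finding in audit_smb_conf(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("smb.conf: %s %s" % (param, finding))
    for module in audit_pam_account(SAMPLE_SYSTEM_AUTH):
        print("system-auth: account stack lacks %s" % module)
```

Run against the quoted configs it reports the four smb.conf findings and the missing `pam_localuser.so`; pass `winbind=True` to `audit_smb_conf` when winbind actually supplies the IDs, and the idmap finding is suppressed.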
> -----Original Message-----
> From: centos-bounces at centos.org
> [mailto:centos-bounces at centos.org] On Behalf Of Ross S. W. Walker
> Sent: Monday, August 06, 2007 2:19 PM
> To: CentOS mailing list
> Subject: RE: [CentOS] help with samba and ldap on centos 5
>
>
> I think you might need the 'obey pam restrictions = yes' in
> your smb.conf file too.
>
> obey pam restrictions (G)
>     When Samba 3.0 is configured to enable PAM support (i.e. --with-pam),
>     this parameter will control whether or not Samba should obey PAM's
>     account and session management directives. The default behavior is to
>     use PAM for clear text authentication only and to ignore any account
>     or session management. Note that Samba always ignores PAM for
>     authentication in the case of encrypt passwords = yes. The reason is
>     that PAM modules cannot support the challenge/response authentication
>     mechanism needed in the presence of SMB password encryption.
>
>     Default: obey pam restrictions = no
>
> -Ross
>
>
>
>
> ________________________________
>
> From: centos-bounces at centos.org
> [mailto:centos-bounces at centos.org] On Behalf Of Aaron Bliss
> Sent: Monday, August 06, 2007 2:13 PM
> To: CentOS mailing list
> Subject: Re: [CentOS] help with samba and ldap on centos 5
>
>
> This may be related to centos 5, or more likely the
> version of samba that it ships with, and the option not to
> encrypt passwords:
> encrypt passwords = no
>
> This same smb.conf file works great in centos 4....any
> ideas? Thanks.
>
> Aaron
>
> Aaron Bliss wrote:
>
> Ross,
> I re-ran authconfig, system-auth now has what
> you mentioned, however server still isn't working.....any other ideas?
>
> Thanks again.
> Aaron
>
> testparm
> Load smb config files from /etc/samba/smb.conf
> Processing section "[ITS]"
> Processing section "[sysadmin2]"
> Processing section "[daf]"
> Processing section "[first share]"
> Loaded services file OK.
> Server role: ROLE_STANDALONE
> Press enter to see a dump of your service definitions
>
> [global]
> workgroup = ITSN
> server string = filecity2
> encrypt passwords = No
> username map = /etc/samba/smbusers
> log level = 1
> log file = /var/log/samba/samba.log
> max log size = 50
> debug timestamp = No
> max xmit = 32768
> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=2048 SO_SNDBUF=204
> load printers = No
> printcap name = /etc/printcap
> show add printer wizard = No
> dns proxy = No
> wins server = 137.21.7.5
> ldap ssl = no
> idmap uid = 16777216-33554431
> idmap gid = 16777216-33554431
> template shell = /bin/bash
> nt acl support = No
> cups options = raw
>
> [first share]
> comment = test share here
> path = /export
> valid users = abliss
> read only = No
>
>
> Ross S. W. Walker wrote:
>
>
> Try running this:
>
> authconfig --kickstart --enablelocauthorize
>
> And see if that does the trick, what
> you want to see under 'account'
>
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account     required      pam_permit.so
>
> The above command should do the trick.
>
> -Ross
>
>
>
> ________________________________
>
> From: centos-bounces at centos.org
> [mailto:centos-bounces at centos.org] On Behalf Of Aaron Bliss
> Sent: Monday, August 06, 2007 11:41 AM
> To: CentOS mailing list
> Subject: Re: [CentOS] help with samba and ldap on centos 5
>
>
> Hi Ross,
> I used authconfig to configure the box. Here are the configs:
>
> cat /etc/nsswitch.conf | grep -v \#
> passwd: files ldap
> shadow: files ldap
> group: files ldap
> hosts: files dns
> bootparams: nisplus [NOTFOUND=return] files
> ethers: files
> netmasks: files
> networks: files
> protocols: files ldap
> rpc: files
> services: files ldap
> netgroup: files ldap
> publickey: nisplus
> automount: files ldap
> aliases: files nisplus
>
> cat /etc/pam.d/system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_ldap.so use_first_pass
> auth        required      pam_deny.so
>
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account     required      pam_permit.so
>
> password    requisite     pam_cracklib.so try_first_pass retry=3
> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_ldap.so use_authtok
> password    required      pam_deny.so
>
> session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0022
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_ldap.so
>
> cat /etc/sysconfig/authconfig
> USEWINBINDAUTH=no
> USEKERBEROS=no
> USESYSNETAUTH=no
> FORCESMARTCARD=no
> USESMBAUTH=no
> USESMARTCARD=no
> USELDAPAUTH=yes
> USEWINBIND=no
> USESHADOW=yes
> USEDB=no
> USEHESIOD=no
> USEPASSWDQC=no
> USELDAP=yes
> USELOCAUTHORIZE=no
> USEMD5=yes
> USECRACKLIB=yes
> USENIS=no
>
> Thanks again.
> Aaron
>
> Ross S. W. Walker wrote:
>
> -----Original Message-----
> From: centos-bounces at centos.org
> [mailto:centos-bounces at centos.org] On Behalf Of Aaron Bliss
> Sent: Monday, August 06, 2007 11:16 AM
> To: centos at centos.org
> Subject: [CentOS] help with samba and ldap on centos 5
>
> Hi everyone;
> I'm having some trouble with samba on a centos 5 box; the box has been
> configured to authenticate against an ldap server via
> authconfig....authentication for normal use (console, ssh) works
> great....I'm having some trouble with samba using single ldap users or
> local users....It's rather weird, shares in which access restrictions
> are based upon ldap groups are working fine, getent group shows local
> and ldap groups, however attempting to assign access to a share for
> either a single ldap user or a local user doesn't work, and produces
> the following error when trying to hit the share:
>
> smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User myuser1 !
>
> For local users, I've added local os accounts as well as accounts in
> the samba database with smbpasswd
> Any ideas?
> Thanks for your help.
>
>
>
> Did you use authconfig
> to configure ldap auth or did you manually edit
> the PAM database?
>
> Can you post a copy of
> your /etc/sysconfig/authconfig,
> /etc/pam.d/system-auth,
> and a copy of your /etc/nsswitch.conf?
>
> -Ross
>
>
> ______________________________________________________________________
> This e-mail, and any
> attachments thereto, is intended only for use by
> the addressee(s) named
> herein and may contain legally privileged
> and/or confidential
> information. If you are not the intended recipient
> of this e-mail, you are
> hereby notified that any dissemination,
> distribution or copying
> of this e-mail, and any attachments thereto,
> is strictly prohibited.
> If you have received this e-mail in error,
> please immediately
> notify the sender and permanently delete the
> original and any copy
> or printout thereof.
>
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
>
> http://lists.centos.org/mailman/listinfo/centos
>
>