[CentOS] help with samba and ldap on centos 5

Mon Aug 6 18:18:52 UTC 2007
Ross S. W. Walker <rwalker at medallion.com>

 
I think you might need the 'obey pam restrictions = yes' in your smb.conf file too.
 
       obey pam restrictions (G)
              When Samba  3.0  is  configured  to  enable  PAM  support  (i.e.
              --with-pam),  this  parameter  will control whether or not Samba
              should obey PAM's account and session management directives. The
              default  behavior  is  to  use PAM for clear text authentication
              only and to ignore any account or session management. Note  that
              Samba  always  ignores  PAM  for  authentication  in the case of
              encrypt passwords = yes. The reason is that PAM  modules  cannot
              support  the  challenge/response authentication mechanism needed
              in the presence of SMB password encryption.
 
              Default: obey pam restrictions = no

-Ross
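The two 'account' stacks quoted below in the thread (Aaron's authconfig-generated one and Ross's version with pam_localuser.so) differ in whether a purely local user is authorized before pam_ldap.so is ever consulted. The following is an added example, not code from the thread: a simplified simulator of how Linux-PAM walks such a stack, applied to both versions; the per-module return codes in the scenario are constructed assumptions, not real lookups.

```python
import re
# Aaron's authconfig-generated 'account' section, as quoted in the thread
STACK_ORIG = """
account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
"""
# Ross's suggestion: authconfig --enablelocauthorize inserts pam_localuser.so
STACK_LOCAL = STACK_ORIG.replace("account     sufficient    pam_succeed_if",
    "account     sufficient    pam_localuser.so\naccount     sufficient    pam_succeed_if")
# Classic control keywords expressed as Linux-PAM bracket actions
KEYWORDS = {"required":   {"success": "ok",   "default": "bad"},
            "requisite":  {"success": "ok",   "default": "die"},
            "sufficient": {"success": "done", "default": "ignore"},
            "optional":   {"success": "ok",   "default": "ignore"}}

def parse_stack(text):
    """Parse 'account <control> <module> ...' lines into (module, actions) pairs."""
    entries = []
    for line in text.strip().splitlines():
        ctl, module = re.match(r"\s*account\s+(\[[^\]]*\]|\w+)\s+(\S+)", line).groups()
        actions = (dict(t.split("=") for t in ctl[1:-1].split())
                   if ctl.startswith("[") else KEYWORDS[ctl])
        entries.append((module, actions))
    return entries

def walk(entries, returns):
    """Simplified Linux-PAM dispatch: (result, deciding module). 'returns' maps
    module -> its PAM return code; modules not listed are assumed to succeed."""
    failed_at = None
    for module, actions in entries:
        code = returns.get(module, "success")
        action = actions.get(code, actions.get("default", "bad"))
        if action == "ignore":
            continue
        if action in ("bad", "die"):          # remember the first failure
            failed_at = failed_at or module
            if action == "die":               # requisite: stop immediately
                return "PAM_FAILURE", failed_at
        elif action == "done":                # sufficient: stop on success
            return ("PAM_FAILURE", failed_at) if failed_at else ("PAM_SUCCESS", module)
    return ("PAM_FAILURE", failed_at) if failed_at else ("PAM_SUCCESS", entries[-1][0])

# Constructed scenario: local uid >= 500 user not in LDAP, LDAP server unreachable
LDAP_DOWN = {"pam_succeed_if.so": "auth_err", "pam_ldap.so": "authinfo_unavail"}

def compare_stacks(returns=LDAP_DOWN):
    return {"original": walk(parse_stack(STACK_ORIG), returns),
            "localauthorize": walk(parse_stack(STACK_LOCAL), returns)}
```

With the original stack the unreachable directory turns into a hard failure at pam_ldap.so even for a user who exists only in /etc/passwd; with pam_localuser.so in place the stack stops successfully before pam_ldap.so runs.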
 



________________________________

	From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Aaron Bliss
	Sent: Monday, August 06, 2007 2:13 PM
	To: CentOS mailing list
	Subject: Re: [CentOS] help with samba and ldap on centos 5
	
	
	This may be related to centos 5, or more likely the version of samba that it ships with, and the option not to encrypt passwords:
	encrypt passwords = no
	
	This same smb.conf file works great in centos 4....any ideas?  Thanks.
	
	Aaron
	
	Aaron Bliss wrote: 

		Ross,
		I re-ran authconfig; system-auth now has what you mentioned, however the server still isn't working.....any other ideas?
		
		Thanks again.
		Aaron
		
		testparm
		Load smb config files from /etc/samba/smb.conf
		Processing section "[ITS]"
		Processing section "[sysadmin2]"
		Processing section "[daf]"
		Processing section "[first share]"
		Loaded services file OK.
		Server role: ROLE_STANDALONE
		Press enter to see a dump of your service definitions
		
		[global]
		        workgroup = ITSN
		        server string = filecity2
		        encrypt passwords = No
		        username map = /etc/samba/smbusers
		        log level = 1
		        log file = /var/log/samba/samba.log
		        max log size = 50
		        debug timestamp = No
		        max xmit = 32768
		        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=2048 SO_SNDBUF=204
		        load printers = No
		        printcap name = /etc/printcap
		        show add printer wizard = No
		        dns proxy = No
		        wins server = 137.21.7.5
		        ldap ssl = no
		        idmap uid = 16777216-33554431
		        idmap gid = 16777216-33554431
		        template shell = /bin/bash
		        nt acl support = No
		        cups options = raw
		
		[first share]
		        comment = test share here
		        path = /export
		        valid users = abliss
		        read only = No
		
		
		Ross S. W. Walker wrote: 

			 
			Try running this:
			 
			authconfig --kickstart --enablelocauthorize
			 
			And see if that does the trick; what you want to see under 'account' is:
			 
			account     required      pam_unix.so broken_shadow
			account     sufficient    pam_localuser.so
			account     sufficient    pam_succeed_if.so uid < 500 quiet
			account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
			account     required      pam_permit.so
			 
			The above command should do the trick.
			 
			-Ross
			 


________________________________

				From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Aaron Bliss
				Sent: Monday, August 06, 2007 11:41 AM
				To: CentOS mailing list
				Subject: Re: [CentOS] help with samba and ldap on centos 5
				
				
				Hi Ross,
				I used authconfig to configure the box.  Here are the configs:
				
				cat /etc/nsswitch.conf | grep -v \#
				passwd:     files ldap
				shadow:     files ldap
				group:      files ldap
				hosts:      files dns
				bootparams: nisplus [NOTFOUND=return] files
				ethers:     files
				netmasks:   files
				networks:   files
				protocols:  files ldap
				rpc:        files
				services:   files ldap
				netgroup:   files ldap
				publickey:  nisplus
				automount:  files ldap
				aliases:    files nisplus
				
				cat /etc/pam.d/system-auth
				#%PAM-1.0
				# This file is auto-generated.
				# User changes will be destroyed the next time authconfig is run.
				auth        required      pam_env.so
				auth        sufficient    pam_unix.so nullok try_first_pass
				auth        requisite     pam_succeed_if.so uid >= 500 quiet
				auth        sufficient    pam_ldap.so use_first_pass
				auth        required      pam_deny.so
				
				account     required      pam_unix.so broken_shadow
				account     sufficient    pam_succeed_if.so uid < 500 quiet
				account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
				account     required      pam_permit.so
				
				password    requisite     pam_cracklib.so try_first_pass retry=3
				password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
				password    sufficient    pam_ldap.so use_authtok
				password    required      pam_deny.so
				
				session    required    pam_mkhomedir.so skel=/etc/skel/ umask=0022
				session     optional      pam_keyinit.so revoke
				session     required      pam_limits.so
				session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
				session     required      pam_unix.so
				session     optional      pam_ldap.so
				
				cat /etc/sysconfig/authconfig
				USEWINBINDAUTH=no
				USEKERBEROS=no
				USESYSNETAUTH=no
				FORCESMARTCARD=no
				USESMBAUTH=no
				USESMARTCARD=no
				USELDAPAUTH=yes
				USEWINBIND=no
				USESHADOW=yes
				USEDB=no
				USEHESIOD=no
				USEPASSWDQC=no
				USELDAP=yes
				USELOCAUTHORIZE=no
				USEMD5=yes
				USECRACKLIB=yes
				USENIS=no
				
				Thanks again.
				Aaron
				
				Ross S. W. Walker wrote: 

					-----Original Message-----
					From: centos-bounces at centos.org 
					[mailto:centos-bounces at centos.org] On Behalf Of Aaron Bliss
					Sent: Monday, August 06, 2007 11:16 AM
					To: centos at centos.org
					Subject: [CentOS] help with samba and ldap on centos 5
					
					Hi everyone; I'm having some trouble with samba on a centos 5 box; the box has been configured to authenticate against an ldap server via authconfig....authentication for normal use (console, ssh) works great....I'm having some trouble with samba using single ldap users or local users....It's rather weird, shares in which access restrictions are based upon ldap groups are working fine, getent group shows local and ldap groups, however attempting to assign access to a share for either a single ldap user or a local user doesn't work, and produces the following error when trying to hit the share:
					smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User myuser1 !
					
					For local users, I've added local os accounts as well as accounts in the samba database with smbpasswd.
					Any ideas? Thanks for your help.
					    

					
					Did you use authconfig to configure ldap auth or did you manually edit
					the PAM database?
					
					Can you post a copy of your /etc/sysconfig/authconfig,
					/etc/pam.d/system-auth, and a copy of your /etc/nsswitch.conf?
					
					-Ross
					
					______________________________________________________________________
					This e-mail, and any attachments thereto, is intended only for use by
					the addressee(s) named herein and may contain legally privileged
					and/or confidential information. If you are not the intended recipient
					of this e-mail, you are hereby notified that any dissemination,
					distribution or copying of this e-mail, and any attachments thereto,
					is strictly prohibited. If you have received this e-mail in error,
					please immediately notify the sender and permanently delete the
					original and any copy or printout thereof.
					
					_______________________________________________
					CentOS mailing list
					CentOS at centos.org
					http://lists.centos.org/mailman/listinfo/centos
					  


