Samba - pam authentication

Hi Everybody,
We are upgrading to samba-3.0.2a with SEAM Kerberos and iPlanet Directory LDAP server support. All three servers run on three different physical Solaris machines. We are able to connect Samba and LDAP. We are trying the security=user option in Samba. For Kerberos support, we thought of a solution of authentication via PAM (the pam_krb5 module), but Samba fails the PAM authentication and never contacts the Kerberos server. Actually, we traced the function calls that try the authentication, which send a PAM handle with null passwords for authentication.
Please refer to source/auth/auth.c and source/auth/pampass.c, where functions like smb_pam_accountcheck call pam_acct_mgmt() with a PAM handle pointer pamh.
The Samba code has the pointer pamh referring to the structure called pam_handle_t. For the structure pam_handle_t, we found a type definition pam_handle in security/pam_appl.h, and no more information on pam_handle is available. Do the Solaris PAM modules lack some files, or does our installation of Solaris lack some files?
Any suggestions on how to proceed with PAM authentication would be really helpful.
regards
eccsamba

I'm having a similar problem. In my case, it appears to be a configure issue within Samba. I'm using
configure --with-pam
But when it 'checks' pam_modules.h, it fails because it lacks definitions found in pam_appl.h. It appears to check these files independently, when it should consider them together. I'm currently looking for a way to short-circuit configure's concerns about pam_modules.h.
Mark

Similar Messages

  • PAM authentication failure when attempting to run job

    I'm attempting to run a scheduled job from grid control (version 10.2.0.5.0) against a Solaris server and it keeps failing with:-
    Error Log
    ERROR: Invalid username and/or password
    Output Log
    LOG: Local Authentication Failed...Attempt PAM authentication...PAM failed with error:
    Despite entering an OS username and password into the preferred credentials for this server, which work when I try to log on using PuTTY, I can't connect to the server using the preferred credentials screen either. However, the agent can upload data without any problems. Can anyone point me in the correct direction towards a resolution for this issue?

    Thanks for the information. Oracle support came up with this technical note also. It's a bit strange, as it mentions using the shared object for LDAP in the pam.conf even though I'm not using LDAP. Out of interest, do you use grid control, Solaris and PAM authentication?

  • PAM authentication of OS X GUI

    According to http://images.apple.com/macosx/pdf/MacOSXLeopard_SecurityTB.pdf on page 2, Leopard supports PAM authentication from the GUI layer. In other words, can I set up my own custom stack of PAM modules and expect loginwindow and the rest of the GUI elements to consult PAM for username/password info?
    This was not the case with OS X 10.4 (Tiger) and earlier, or at least it wasn't obvious how to do it.
    I know you can set up UNIX services to use PAM, however that's not what I'm looking for. I want to be able to log on to an OS X 10.5 machine using PAM.
    Thanks!

    I'd suggest redrawing those with the path tool and stroke/paint. The lines are very thin, and I don't think they'll display well on TV....
    Spend a little time with the path tool and it'll become second nature. Also, for enclosed icons (like the arrows, ?, and pointer hand), you may be able to key out the bg and autotrace it, to get a pretty good bezier mask representation (apply it to new layer).
    Glad to see you got your name sorted out... :P

  • PAM authentication failed on linux while installing MaxDB Database

    Seeing following errors in sapinst.log
    INFO 2007-03-29 16:25:23
    Account sqdln1 already exists.
    ERROR 2007-03-29 16:25:25
    The dbmcli call for action DB_CREATE failed. Check the logfile XCMDOUT.LOG.
    ERROR 2007-03-29 16:25:25
    The dbmcli call for action DB_CREATE failed. Check the logfile XCMDOUT.LOG.
    ERROR 2007-03-29 16:25:25
    FCO-00011  The step sdb_create_db_instance with step key |NW_Doublestack_DB|ind|ind|ind|ind|0|0|NW_CreateDBandLoad|ind|ind|ind|ind|9|0|NW_CreateDB|ind|ind|ind|ind|0|0|NW_ADA_DB|ind|ind|ind|ind|6|0|SdbPreInstanceDialogs|ind|ind|ind|ind|3|0|SdbInstanceDialogs|ind|ind|ind|ind|1|0|SDB_INSTANCE_CREATE|ind|ind|ind|ind|0|0|sdb_create_db_instance was executed with status ERROR .
    And the XCMDOUT.LOG has following error:
    ERR
    -24875,ERR_NEEDADMI: The operating system user is not a member of the database administrators group
    -24994,ERR_RTE: Runtime environment error
    5,PAM authentication failed: Authentication failure
    Here's the snippet from /etc/group
    sapinst:x:500:root,ln1adm
    sapsys:x:501:
    sdba:*:502:sqdln1,root,sdb,ln1adm
    Here's the relevant part from the /etc/passwd file:
    ln1adm:x:500:501:SAP System Administrator:/home/ln1adm:/bin/csh
    sdb:x:501:502:Database Software Owner:/home/sdb:/bin/csh
    sqdln1:x:502:501:Owner of Database Instance LN1:/home/sqdln1:/bin/csh
    Any idea why PAM is not authenticating the root user correctly? Even manually firing the dbmcli
    gives the same error:
    /sapdb/programs/bin/dbmcli  -n sapln1db -R /sapdb/LN1/db db_create LN1 CONTROL,vcs12345 sqdln1,vcs12345
    ERR
    -24875,ERR_NEEDADMI: The operating system user is not a member of the database administrators group
    -24994,ERR_RTE: Runtime environment error
    5,PAM authentication failed: Authentication failure
    Please help.
    Satish/

    The group and user entries are fine. I have modified the user and groups but am still getting the same authentication error. I have disabled MD5 password authentication and now it's just shadow. But still the problem persists.
    Please help.
    <XCMDOUT.LOG>
    ERR
    -24875,ERR_NEEDADMI: The operating system user is not a member of the database administrators group
    -24994,ERR_RTE: Runtime environment error
    5,PAM authentication failed: Authentication failure
    </XCMDOUT.LOG>
    </etc/passwd>
    ln1adm:x:500:501:SAP System Administrator:/home/ln1adm:/bin/csh
    sdb:x:501:502:Database Software Owner:/home/sdb:/bin/csh
    sqdln1:x:502:501:Owner of Database Instance LN1:/home/sqdln1:/bin/csh
    </etc/passwd>
    </etc/group>
    sapinst:x:500:ln1adm,root,sdb
    sapsys:x:501:root,sdb
    sdba:x:502:sqdln1,root,sdb
    </etc/group>

  • Openldap-2.4.32 PAM authentication on Solaris 10

    Hi,
    I configured two Solaris servers to be openldap client/server. They are connected, and I am able to add/modify/retrieve entries/user information from client machine.
    Executing ldapwhoami command from client is successful; server receives and processes request as expected.
    I am configuring PAM for rlogin from Client machine and expect that user credential will be authenticated from LDAP Server, but cannot rlogin.
    Could someone please show me how to verify PAM to see if it works?
    Please let me know if there is anything missing from my setup or anything that I can double-check.
    Any help is greatly appreciated.
    Regards,
    Joe
    Downloaded and installed packages from SunFreeWare.com:
    openldap-2.4.32-sol10-sparc-local.gz
    db-4.7.25.NC-sol10-sparc-local.gz
    gcc-3.3.2-sol10-sparc-local.gz
    libgcc-3.3-sol10-sparc-local.gz
    libtool-2.4.2-sol10-sparc-local.gz
    openssl-1.0.1c-sol10-sparc-local.gz
    sasl-2.1.25-sol10-sparc-local.gz
    From Client LDAP, I am able to add users to Server LDAP, and ldapwhoami execution is also successful.
    apggd04dev# ldapwhoami -H ldap://apggd06dev.pg.dtveng.net -x -W -D uid=jkly,ou=users,dc=pg,dc=dtveng,dc=net
    Enter LDAP Password:
    dn:uid=jkly,ou=users,dc=pg,dc=dtveng,dc=net
    Configuring for PAM:
    - /etc/pam.conf:
    # rlogin service (explicit because of pam_rhost_auth)
    rlogin auth sufficient pam_rhosts_auth.so.1
    rlogin auth requisite pam_authtok_get.so.1
    rlogin auth required pam_dhkeys.so.1
    rlogin auth required pam_unix_cred.so.1
    rlogin auth binding pam_unix_auth.so.1
    rlogin auth required pam_ldap.so.1 debug
    - /etc/nsswitch.conf:
    passwd: files ldap
    group: files ldap
    shadow: files ldap
    Errors from /var/log/pamlog:
    Mar 5 08:56:15 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:user)
    Mar 5 08:56:20 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:authtok)
    Mar 5 08:56:20 apggd04dev last message repeated 1 time
    Mar 5 08:56:20 apggd04dev login: [ID 110225 auth.debug] PAM[3257]: pam_authenticate(296b0, 0): error No account present for user
    Mar 5 08:56:20 apggd04dev login: [ID 219349 auth.debug] pam_unix_auth: user jkly not found
    Mar 5 08:56:20 apggd04dev login: [ID 110225 auth.debug] PAM[3257]: pam_authenticate(296b0, 0): error No account present for user
    Mar 5 08:56:20 apggd04dev login: [ID 285619 auth.debug] ldap pam_sm_authenticate(rlogin jkly), flags = 0
    Mar 5 08:56:20 apggd04dev login: [ID 293258 auth.warning] libsldap: Status: 2 Mesg: Unable to load configuration '/var/ldap/ldap_client_file' ('').
    Mar 5 08:56:20 apggd04dev login: [ID 110225 auth.debug] PAM[3257]: pam_authenticate(296b0, 0): error Error in underlying service module
    Mar 5 08:56:20 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:authtok)
    Mar 5 08:56:24 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:user)
    Mar 5 08:56:24 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:ruser)
    Mar 5 08:56:24 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:user_prompt)
    Mar 5 08:56:24 apggd04dev login: [ID 601877 auth.debug] PAM[3257]: pam_authenticate(296b0, 0)
    Mar 5 08:56:24 apggd04dev login: [ID 407395 auth.debug] PAM[3257]: load_modules(296b0, pam_sm_authenticate)=/usr/lib/security/pam_rhosts_auth.so.1
    Mar 5 08:56:24 apggd04dev login: [ID 110225 auth.debug] PAM[3257]: pam_authenticate(296b0, 0): error No account present for user
    Mar 5 08:56:24 apggd04dev login: [ID 386855 auth.debug] PAM[3257]: pam_get_user(296b0, 0, NULL)
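    Reading a pamlog trace like the one above by hand is error-prone, because the framework's pam_authenticate() error lines and the module messages that explain them are interleaved. The following added Python example (not code from the post, from Solaris or from OpenLDAP) parses lines in the format shown, pairs each pam_authenticate() failure with the module-level messages logged just before it, and attaches a hint for the libsldap message. The sample log is copied from the post above; the hint strings are interpretations added here.

```python
import re

# Log lines copied from the post above (Solaris /var/log/pamlog format).
PAMLOG = """
Mar 5 08:56:15 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:user)
Mar 5 08:56:20 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:authtok)
Mar 5 08:56:20 apggd04dev last message repeated 1 time
Mar 5 08:56:20 apggd04dev login: [ID 110225 auth.debug] PAM[3257]: pam_authenticate(296b0, 0): error No account present for user
Mar 5 08:56:20 apggd04dev login: [ID 219349 auth.debug] pam_unix_auth: user jkly not found
Mar 5 08:56:20 apggd04dev login: [ID 110225 auth.debug] PAM[3257]: pam_authenticate(296b0, 0): error No account present for user
Mar 5 08:56:20 apggd04dev login: [ID 285619 auth.debug] ldap pam_sm_authenticate(rlogin jkly), flags = 0
Mar 5 08:56:20 apggd04dev login: [ID 293258 auth.warning] libsldap: Status: 2 Mesg: Unable to load configuration '/var/ldap/ldap_client_file' ('').
Mar 5 08:56:20 apggd04dev login: [ID 110225 auth.debug] PAM[3257]: pam_authenticate(296b0, 0): error Error in underlying service module
Mar 5 08:56:20 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:authtok)
Mar 5 08:56:24 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:user)
Mar 5 08:56:24 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:ruser)
Mar 5 08:56:24 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:user_prompt)
Mar 5 08:56:24 apggd04dev login: [ID 601877 auth.debug] PAM[3257]: pam_authenticate(296b0, 0)
Mar 5 08:56:24 apggd04dev login: [ID 407395 auth.debug] PAM[3257]: load_modules(296b0, pam_sm_authenticate)=/usr/lib/security/pam_rhosts_auth.so.1
Mar 5 08:56:24 apggd04dev login: [ID 110225 auth.debug] PAM[3257]: pam_authenticate(296b0, 0): error No account present for user
Mar 5 08:56:24 apggd04dev login: [ID 386855 auth.debug] PAM[3257]: pam_get_user(296b0, 0, NULL)
"""

# syslog envelope: timestamp, host, program, [ID msgid facility.level], message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w.-]+): "
    r"\[ID (?P<msgid>\d+) (?P<facility>[\w.]+)\] (?P<msg>.*)$"
)
# PAM framework trace: PAM[pid]: call(handle, ...) optionally followed by ": error ..."
PAM_RE = re.compile(
    r"^PAM\[(?P<pid>\d+)\]: (?P<call>\w+)\((?P<handle>[0-9a-f]+)[^)]*\)(?P<rest>.*)$"
)

# Interpretations added here for common module messages (not from the post).
HINTS = (
    ("Unable to load configuration",
     "libsldap could not read the native client profile /var/ldap/ldap_client_file "
     "(written by ldapclient), so pam_ldap.so.1 has no server to talk to"),
    ("not found",
     "the name service did not return the user, so pam_unix_auth gave up before checking a password"),
)


def triage_pamlog(text):
    """One finding per PAM error line, with the module-level messages (pam_unix_auth,
    libsldap, load_modules, ...) logged since the previous failure as its context."""
    findings, context = [], []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                          # e.g. "last message repeated 1 time"
        msg = m.group("msg")
        pam = PAM_RE.match(msg)
        if pam is None:
            context.append(msg)               # a module speaking, not the framework
            continue
        if pam.group("call") == "load_modules":
            context.append(msg)               # names the module about to run
        elif pam.group("rest").startswith(": error "):
            findings.append({
                "time": m.group("ts"),
                "handle": pam.group("handle"),
                "call": pam.group("call"),
                "error": pam.group("rest")[len(": error "):],
                "context": context,
            })
            context = []
    return findings


def summarize(findings):
    """Count failures by error text to see which one dominates the trace."""
    counts = {}
    for f in findings:
        counts[f["error"]] = counts.get(f["error"], 0) + 1
    return counts


def explain(finding):
    """Return the first HINTS entry whose needle appears in the finding's context."""
    for needle, hint in HINTS:
        if any(needle in line for line in finding["context"]):
            return hint
    return None


if __name__ == "__main__":
    for f in triage_pamlog(PAMLOG):
        print(f["time"], f["error"], "<-", f["context"], "|", explain(f))
    print(summarize(triage_pamlog(PAMLOG)))
```

    Run against the trace above, the third failure ("Error in underlying service module") is the only one that carries the libsldap message in its context, which separates the pam_ldap problem from the three "No account present for user" results produced by the other modules.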

  • UNIX pam authentication doesn't work anymore for SGD 4.20-984

    In SGD 4.20 the UNIX/PAM/LDAP authentication doesn't work anymore.
    After login into tarantella "Invalid Credentials" appears.
    SGD is configured to authenticate UNIX users. In UNIX - PAM/LDAP is working properly:
    "getent passwd" shows all LDAP users and login with LDAP-Accounts via ssh is possible as well.
    Does somebody know what is wrong?

    Hi
    thanks for the quick answer.
    Here the output of "tarantella config list |grep login":
    login-ad-base-domain: ""
    login-ad-default-domain: ""
    login-ad: 0
    login-anon: 0
    login-ens: 1
    login-ldap-url: ldap://ts2ldasv001
    login-ldap: 0
    login-mapped: 0
    login-nt-domain: ""
    login-nt: 0
    login-securid: 0
    login-theme: sco/tta/standard
    login-thirdparty-superusers: sgd_trusted_user
    login-thirdparty: 0
    login-unix-group: 0
    login-unix-user: 1
    login-web-ens: 0
    login-web-ldap-ens: 0
    login-web-ldap-profile: 0
    login-web-profile: 0
    login-web-tokenvalidity: 180
    login-web-user: ttaserv
    server-login: enabled
    We activated just UNIX users authentication.
    I also tried pwconv without success...

  • LDAP /Pam authentication

    Hi, I am using an LDAP DS5.2 server to authenticate users on an application, though it seems that my usernames which are "all numeric" don't seem to be accepted through PAM.
    When I run debug I see a " pam_authenticate(1e45450, 0): error Conversation failure"
    When I add a letter in front of the username the authentication works fine.
    Is there any way in which I could get this to work using "all numeric" usernames? And if yes how would that be possible?
    Thanks.
    -Ives-

    Hi, Roger
    Is there no way around this? In fact my application (Netcool/Micromuse) uses PAM to run LDAP authentication.
    For another tool based on perl scripts we use LDAP authentication through a Perl module. With that perl module there is no problem in getting the "all numeric" username authenticated.
    Is it possible to use this perl module in PAM somehow (the module is Net::LDAP)? And if yes could you or someone else tell me how this could be done?
    Thanks a lot for your help.
    Regards,
    -Ives-

  • Cannot run using pam authenticated user?

    Using RHEL 4 on an institutional network in which users are centrally managed. Acroread 8.1.1 will not start with an ordinary user as
    acroread
    (acroread:24638): GLib-WARNING **: getpwuid_r(): failed due to unknown user id (.....)
    Basically, this is not going to work.

    Hi, thanks for replies
    I am indeed able to launch 'firefox', both as local user and as remotely authenticated user. Likewise, 'gedit' is no problem
    The authentication method is called LDAP .
    Here's the nsswitch.conf ( it seems like the ldap is already included here )
    passwd: files ldap
    shadow: files ldap
    group: files ldap
    hosts: files dns
    bootparams: files
    ethers: files
    netmasks: files
    networks: files
    protocols: files ldap
    rpc: files
    services: files ldap
    netgroup: files ldap
    publickey: files
    automount: files ldap
    aliases: files
    The Red-Hat EL4 provided Acroread 7.0.8 5/22/2006 also only works as local user, otherwise it produces a not-terminating stream of syntax error messages. (Package confusingly numbered acroread-7.0.9-1.2.0.EL4)
    Using the new AdobeReader_enu-8.1.1-1.i486.rpm, as local user, the program runs, but gives some message about a missing library. I wish the program placed the error message in stderr or similar, or at the very least allowed cut and paste from the error dialog box, as it would be so much easier to tell you exactly what the error message says. It's the 32-bit/64-bit thing.
    I have read the mailing list about this issue and see that it may be easily fixed; however, unless the remote authentication issue can be fixed, there is not much point.

  • [Solved] PAM authentication / Winbind

    I've followed instructions regarding integration with Active Directory on wiki and successfully joined to the domain. wbinfo gives the list of users and groups and everything works as expected. But I've stuck with PAM.
    The way I see it, almost every other pam rule points (includes) system-auth rules. Can I add pam_winbind.so to the system-auth like this and thus automatically solve the problem with ssh, su, lightdm rules etc... That was the way I used to solve this under Fedora once...
    cat system-auth
    #%PAM-1.0
    auth      required  pam_env.so
    auth      required  pam_unix.so     try_first_pass nullok
    auth      required  pam_winbind.so use_first_pass use_authtok
    auth      optional  pam_permit.so
    account   required  pam_unix.so
    account   sufficient      pam_winbind.so use_first_pass use_authtok
    account   optional  pam_permit.so
    account   required  pam_time.so
    password  required  pam_unix.so     try_first_pass nullok sha512 shadow
    password  sufficient      pam_winbind.so use_first_pass use_authtok
    password  optional  pam_permit.so
    session   required  pam_limits.so
    session   required  pam_env.so
    session   required  pam_unix.so
    session   sufficient      pam_winbind.so use_first_pass use_authtok
    session   optional  pam_permit.so
    It locks me out of the machine when I try this - what have I done wrong?
    Last edited by combuster (2013-04-28 20:45:46)

    Made it...
    Yes, it's possible to change only system-auth and those settings get applied to other pam rules that include system-auth (pure genius huh). But the relations between pam_winbind.so and pam_unix.so must be exactly the ones described in the wiki. So here comes the config:
    #%PAM-1.0
    auth required pam_env.so
    auth sufficient pam_unix.so try_first_pass nullok
    auth required pam_winbind.so use_first_pass use_authtok
    auth optional pam_permit.so
    account sufficient pam_unix.so
    account sufficient pam_winbind.so try_first_pass use_authtok
    account optional pam_permit.so
    account required pam_time.so
    password sufficient pam_unix.so
    password sufficient pam_winbind.so try_first_pass use_authtok
    password optional pam_permit.so
    session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
    session sufficient pam_unix.so
    session sufficient pam_winbind.so use_first_pass use_authtok
    session required pam_limits.so
    session required pam_env.so
    session optional pam_permit.so
    This is a lot easier to maintain (one config instead of many) but are there any downsides?

  • PAM Authentication (winbind) and groups

    I've followed the Arch wiki (https://wiki.archlinux.org/index.php/Ac … ntegration) to integrate and use my domain login. Currently everything works as expected, I can login with my AD user (thanks to matone and combuster over this thread; https://bbs.archlinux.org/viewtopic.php?pid=1265595).
    There is one small problem, annoyance if you will, however; my local user and my AD user (or any other new users I add) can't use networking, the volume mixer or anything video-related when logged in to a KDE session. Maybe some other components, I haven't tested it yet. I'm just stuck on getting my network connections or sound working.
    If I add my local (and AD user) to the related groups (for example; audio and network groups), I can manage system sounds and networks as expected.
    I'm not sure where to look and I'm out of ideas. Any suggestions?
    Thanks.
    Last edited by queljin (2013-05-03 15:07:52)

    Well, after a lot of tries and reading, I found out that the system-login PAM configuration must include system-auth as the last option. Because of the changes made to the system-auth configuration, when the pam_winbind or pam_unix module returns success and exits (because they are "sufficient"), other modules below them aren't working, which in turn causes the pam_loginuid module not to work. Below is my new system-login config in case someone needs it.
    Please remember this is in no way a recommended configuration, it may be completely wrong and break your existing configuration. It just works for me. YMMV.
    /etc/pam.d/system-login :
    #%PAM-1.0
    auth       required   pam_tally.so         onerr=succeed file=/var/log/faillog
    auth       required   pam_shells.so
    auth       requisite  pam_nologin.so
    auth       include    system-auth
    account    required   pam_access.so
    account    required   pam_nologin.so
    account    include    system-auth
    password   include    system-auth
    session    optional   pam_loginuid.so
    session    required   pam_env.so
    session    optional   pam_motd.so          motd=/etc/motd
    session    optional   pam_mail.so          dir=/var/spool/mail standard quiet
    -session   optional   pam_systemd.so
    session    include    system-auth
    Last edited by queljin (2013-05-14 13:38:16)
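    Both winbind threads above come down to how Linux-PAM control flags compose: the first system-auth (pam_unix and pam_winbind both `required`) can only admit a user that both back-ends know, and a `sufficient` success inside an `include`d file returns from the whole stack, which is why pam_loginuid was skipped when system-auth was included first. The following Python model is an added illustration, not code from the Arch wiki or from either thread; the per-user module outcomes (LOCAL_USER, AD_USER) and the "include first" system-login it compares against are assumptions made for the demonstration.

```python
"""Toy model of Linux-PAM control flags: required, requisite, sufficient,
optional and include (added illustration; see lead-in for what is assumed)."""
from dataclasses import dataclass


@dataclass
class Rule:
    kind: str      # auth, account, password or session
    control: str   # required, requisite, sufficient, optional or include
    module: str


def parse_pam(text):
    """pam.d-style lines -> Rules. Comments, blanks and module arguments are
    dropped; a leading '-' (do not log a missing module) does not affect flow."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, control, module = line.lstrip("-").split()[:3]
        rules.append(Rule(kind, control, module))
    return rules


def evaluate(stacks, name, kind, results):
    """Run the `kind` rules of stack `name`.
    stacks:  stack name -> Rules, so `include` lines can be followed.
    results: module -> True/False for this user; unlisted modules succeed.
    Returns (stack_succeeded, modules_actually_invoked)."""
    invoked = []
    state = {"required_failed": False}

    def walk(stack_name):
        for r in stacks[stack_name]:
            if r.kind != kind:
                continue
            if r.control == "include":
                # `include` splices the other file in: a successful `sufficient`
                # inside it returns from the whole stack (unlike `substack`).
                ret = walk(r.module)
                if ret is not None:
                    return ret
                continue
            invoked.append(r.module)
            ok = results.get(r.module, True)
            if r.control == "requisite" and not ok:
                return False                      # stop at once, failure
            if r.control == "required" and not ok:
                state["required_failed"] = True   # failure, but keep going
            if r.control == "sufficient" and ok and not state["required_failed"]:
                return True                       # stop at once, success
            # optional: outcome ignored (the only-module corner case is not modelled)
        return None

    ret = walk(name)
    if ret is None:
        ret = not state["required_failed"]
    return ret, invoked


# auth lines of system-auth as first posted (both back-ends `required`)
SYSTEM_AUTH_LOCKOUT = """
auth      required  pam_env.so
auth      required  pam_unix.so     try_first_pass nullok
auth      required  pam_winbind.so  use_first_pass use_authtok
auth      optional  pam_permit.so
"""
# auth and session lines of system-auth from the "Made it..." post
SYSTEM_AUTH_FIXED = """
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass nullok
auth required pam_winbind.so use_first_pass use_authtok
auth optional pam_permit.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session sufficient pam_unix.so
session sufficient pam_winbind.so use_first_pass use_authtok
session required pam_limits.so
session required pam_env.so
session optional pam_permit.so
"""
# ASSUMED earlier system-login: system-auth included before pam_loginuid
SYSTEM_LOGIN_INCLUDE_FIRST = """
session    include    system-auth
session    optional   pam_loginuid.so
session    required   pam_env.so
"""
# session lines of system-login from queljin's post: system-auth included last
SYSTEM_LOGIN_FIXED = """
session    optional   pam_loginuid.so
session    required   pam_env.so
session    optional   pam_motd.so          motd=/etc/motd
session    optional   pam_mail.so          dir=/var/spool/mail standard quiet
-session   optional   pam_systemd.so
session    include    system-auth
"""
# assumed outcomes: a local account is unknown to winbind, an AD account to pam_unix
LOCAL_USER = {"pam_unix.so": True, "pam_winbind.so": False}
AD_USER = {"pam_unix.so": False, "pam_winbind.so": True}


def auth_decision(system_auth_text, module_results):
    return evaluate({"system-auth": parse_pam(system_auth_text)},
                    "system-auth", "auth", module_results)[0]


def session_modules_run(system_login_text, system_auth_text):
    stacks = {"system-login": parse_pam(system_login_text),
              "system-auth": parse_pam(system_auth_text)}
    return evaluate(stacks, "system-login", "session", {})[1]


if __name__ == "__main__":
    for label, cfg in (("lockout", SYSTEM_AUTH_LOCKOUT), ("fixed", SYSTEM_AUTH_FIXED)):
        print(label, "local:", auth_decision(cfg, LOCAL_USER), "AD:", auth_decision(cfg, AD_USER))
    print("include first:", session_modules_run(SYSTEM_LOGIN_INCLUDE_FIRST, SYSTEM_AUTH_FIXED))
    print("include last: ", session_modules_run(SYSTEM_LOGIN_FIXED, SYSTEM_AUTH_FIXED))
```

    With the first stack both users are refused (each back-end is `required`, and one of them always fails), with the second both are admitted. For the session stack the model shows pam_loginuid.so only in the list of invoked modules when system-auth is included last; when it is included first, the `sufficient` pam_unix.so inside it ends the stack before pam_loginuid.so is reached.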

  • How to switch off ldap alias dereferencing in PAM authentication ?


    Yes you can but as 2Point5 notes it isn't a good idea. But if you are intent on doing so, the simple way is to download and purchase a program called Candybar. The arrow is basically a badge that's applied over an icon. In Candybar you can replace the arrow badge with one of your own - a totally transparent icon for example.
    However, having done this, you will no longer be able to look at an icon and know if it is the real file or the alias. You'd have make sure that all your aliases were named with alias or some symbol or labeled with a color or you'd have to do a Get Info to see if it was an alias or not. All this sounds like a good recipe for accidentally erasing the real file and not the alias.

  • Solaris 10 onboard Apache 1.3.x authenticating against PAM?

    Hi fellow admins,
    Can anyone give me some hints on how to get the Apache 1.3 delivered with Solaris 10 to authenticate against the local UNIX files (passwd + shadow, via PAM)?
    I've grabbed mod_auth_pam, managed to compile it with some modifications to apxs and the Makefile, and Apache loads the module just fine,
    but no matter how I set up my pam.conf, I always end up with "No account present for user" in my Apache log.
    From googling for this string, I see that other people usually get a user name after "user ", which I don't - suggesting that Apache/mod_auth_pam doesn't pass the user name on to PAM?
    On a side note... I'm considering moving on to Apache 2.2.x soon anyway - is PAM authentication any easier with that version, or will I face the same problems?
    My main reason for switching from htpasswd to PAM is the automatic account locking after X failed logins - can I get to this goal on a different route without PAM?

    Compiling Apache 1.3 with gcc on linux or unix? If you are using unix, I would be compiling with cc and not gcc. You have gcc set to compile using regular expressions and I believe that has to be specified during SunOS install as posix compliant.

  • Sharing with Samba

    Hey all !
    I've been for the past two days trying to configure my smb.conf so it shares files over network.
    I've read docs, wikis, how-tos, threads et cetera but I just can't make the whole thing work.
    I want Movies and Musics to be read only. This works fine.
    The problem is Repo. I want it to be read/write. I've chmoded /media/Elements/Repo 777 but it still doesn't work. What I get is read-only access.
    Here's my actual smb.conf so you can help me figure out what's wrong with it :
    # This is the main Samba configuration file. You should read the
    # smb.conf(5) manual page in order to understand the options listed
    # here. Samba has a huge number of configurable options (perhaps too
    # many!) most of which are not shown in this example
    # For a step to step guide on installing, configuring and using samba,
    # read the Samba-HOWTO-Collection. This may be obtained from:
    # http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
    # Many working examples of smb.conf files can be found in the
    # Samba-Guide which is generated daily and can be downloaded from:
    # http://www.samba.org/samba/docs/Samba-Guide.pdf
    # Any line which starts with a ; (semi-colon) or a # (hash)
    # is a comment and is ignored. In this example we will use a #
    # for commentry and a ; for parts of the config file that you
    # may wish to enable
    # NOTE: Whenever you modify this file you should run the command "testparm"
    # to check that you have not made any basic syntactic errors.
    #======================= Global Settings =====================================
    [global]
    # workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
    workgroup = WORKGROUP
    # server string is the equivalent of the NT Description field
    server string = Samba Server
    # Security mode. Defines in which mode Samba will operate. Possible
    # values are share, user, server, domain and ads. Most people will want
    # user level security. See the Samba-HOWTO-Collection for details.
    security = share
    # This option is important for security. It allows you to restrict
    # connections to machines which are on your local network. The
    # following example restricts access to two C class networks and
    # the "loopback" interface. For more examples of the syntax see
    # the smb.conf man page
    ; hosts allow = 192.168.1. 192.168.2. 127.
    # If you want to automatically load your printer list rather
    # than setting them up individually then you'll need this
    load printers = yes
    # you may wish to override the location of the printcap file
    ; printcap name = /etc/printcap
    # on SystemV system setting printcap name to lpstat should allow
    # you to automatically obtain a printer list from the SystemV spool
    # system
    ; printcap name = lpstat
    # It should not be necessary to specify the print system type unless
    # it is non-standard. Currently supported print systems include:
    # bsd, cups, sysv, plp, lprng, aix, hpux, qnx
    ; printing = cups
    # Uncomment this if you want a guest account, you must add this to /etc/passwd
    # otherwise the user "nobody" is used
    ; guest account = nobody
    # this tells Samba to use a separate log file for each machine
    # that connects
    log file = /var/log/samba/%m.log
    # Put a capping on the size of the log files (in Kb).
    max log size = 50
    # Use password server option only with security = server
    # The argument list may include:
    # password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
    # or to auto-locate the domain controller/s
    # password server = *
    ; password server = <NT-Server-Name>
    # Use the realm option only with security = ads
    # Specifies the Active Directory realm the host is part of
    ; realm = MY_REALM
    # Backend to store user information in. New installations should
    # use either tdbsam or ldapsam. smbpasswd is available for backwards
    # compatibility. tdbsam requires no further configuration.
    ; passdb backend = tdbsam
    # Using the following line enables you to customise your configuration
    # on a per machine basis. The %m gets replaced with the netbios name
    # of the machine that is connecting.
    # Note: Consider carefully the location in the configuration file of
    # this line. The included file is read at that point.
    ; include = /usr/local/samba/lib/smb.conf.%m
    # Configure Samba to use multiple interfaces
    # If you have multiple network interfaces then you must list them
    # here. See the man page for details.
    ; interfaces = 192.168.12.2/24 192.168.13.2/24
    # Browser Control Options:
    # set local master to no if you don't want Samba to become a master
    # browser on your network. Otherwise the normal election rules apply
    ; local master = no
    # OS Level determines the precedence of this server in master browser
    # elections. The default value should be reasonable
    ; os level = 33
    # Domain Master specifies Samba to be the Domain Master Browser. This
    # allows Samba to collate browse lists between subnets. Don't use this
    # if you already have a Windows NT domain controller doing this job
    ; domain master = yes
    # Preferred Master causes Samba to force a local browser election on startup
    # and gives it a slightly higher chance of winning the election
    ; preferred master = yes
    # Enable this if you want Samba to be a domain logon server for
    # Windows95 workstations.
    ; domain logons = yes
    # if you enable domain logons then you may want a per-machine or
    # per user logon script
    # run a specific logon batch file per workstation (machine)
    ; logon script = %m.bat
    # run a specific logon batch file per username
    ; logon script = %U.bat
    # Where to store roving profiles (only for Win95 and WinNT)
    # %L substitutes for this servers netbios name, %U is username
    # You must uncomment the [Profiles] share below
    ; logon path = \\%L\Profiles\%U
    # Windows Internet Name Serving Support Section:
    # WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
    ; wins support = yes
    # WINS Server - Tells the NMBD components of Samba to be a WINS Client
    # Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
    ; wins server = w.x.y.z
    # WINS Proxy - Tells Samba to answer name resolution queries on
    # behalf of a non WINS capable client, for this to work there must be
    # at least one WINS Server on the network. The default is NO.
    ; wins proxy = yes
    # DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
    # via DNS nslookups. The default is NO.
    dns proxy = no
    restrict anonymous = no
    domain master = no
    logon home = \\%N\%U
    logon path = \\%N\%U\profile
    # Un-comment the following and create the netlogon directory for Domain Logons
    ; [netlogon]
    ; comment = Network Logon Service
    ; path = /usr/local/samba/lib/netlogon
    ; guest ok = yes
    ; writable = no
    ; share modes = no
    # Un-comment the following to provide a specific roving profile share
    # the default is to use the user's home directory
    ;[Profiles]
    ; path = /usr/local/samba/profiles
    ; browseable = no
    ; guest ok = yes
    # NOTE: If you have a BSD-style print system there is no need to
    # specifically define each individual printer
    [printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    # Set public = yes to allow user 'guest account' to print
    guest ok = no
    printable = yes
    [Movies]
    path = /media/Elements/Videos/Movies
    guest ok = yes
    [Music]
    path = /media/Elements/Sounds/Music
    guest ok = yes
    [Repo]
    path = /media/Elements/Repo
    guest ok = yes
    read only = no
    Any idea?
    Thanks for reading!
    Sebastian
    Last edited by spkag (2010-07-23 15:55:35)

    Thanks to both of you, but none seems to work.
    I've tried the different tips and even put them together.
    This is what it looks like at the moment:
    [global]
    # Browsing / Identification #
    netbios name = ARCH-PC
    server string = %h Server (Samba, ArchLinux)
    # Authentication #
    security = user
    encrypt passwords = true
    map to guest = bad user
    guest account = pcguest
    passdb backend = tdbsam
    obey pam restrictions = yes
    invalid users = root
    # Public Share. Mount this on a Unix client with the following.
    # sudo mount -t smbfs -o username=[username],password=[password],\
    # rw,uid=[your Unix user],gid=[your Unix group] \
    # //[netbios or ip of server]/private /path/to/mount/point
    # Optionally use a credentials file and credentials=/path/to/credentials (see below)
    [Movies]
    comment = Movies
    path = /media/Elements/Videos/Movies/
    guest ok = yes
    [Music]
    comment = Music
    path = /media/Elements/Sounds/Music/
    guest ok = yes
    # Public Share. Mount this on a Unix client with the following.
    # sudo mount -t smbfs -o username=,password=,\
    # rw,uid=[your Unix user],gid=[your Unix group] \
    # //[netbios or ip of server]/public /path/to/mount/point
    [Repo]
    comment = Repo
    path = /media/Elements/Repo/
    read only = no
    create mask = 0777
    directory mask = 0777
    write list = guest
    guest only = no
    guest ok = yes
    All three folders are in ro. I can't put Repo in rw...
    Last edited by spkag (2010-07-24 13:54:26)
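An added example, not code from Sebastian's posts: a small Python audit of the smb.conf above that parses the file the way Samba reads it (both `#` and `;` start comments; parameter names match ignoring case and whitespace, so `writelist=guest` and `write list = guest` are the same setting; `writable`/`writeable`/`write ok` are inverted synonyms of `read only`, last one wins) and then lists every `guest ok` share together with the settings that decide whether an anonymous client can write to it. The sample configuration embedded in the script is a trimmed copy of the second smb.conf posted above; the function names are mine.

```python
"""Audit an smb.conf for guest-reachable and guest-writable shares.

Added example; not from the Arch forum thread. Parsing follows the rules
Samba applies to its own config, as far as this audit needs them.
"""
import re

# Constructed sample input: the second smb.conf posted above, trimmed to the
# global authentication settings and the three shares.
SAMPLE_SMB_CONF = """
[global]
   security = user
   map to guest = bad user
   guest account = pcguest
   passdb backend = tdbsam
   invalid users = root
[Movies]
   path = /media/Elements/Videos/Movies/
   guest ok = yes
[Music]
   path = /media/Elements/Sounds/Music/
   guest ok = yes
[Repo]
   path = /media/Elements/Repo/
   read only = no
   create mask = 0777
   directory mask = 0777
   writelist=guest
   guest only = no
   guest ok = yes
"""

# Inverted synonyms of 'read only'; as in Samba, the last one written wins.
_READONLY_SYNONYMS = {"writable", "writeable", "writeok"}


def _norm(name):
    """Samba matches parameter names ignoring case and whitespace."""
    return re.sub(r"\s+", "", name).lower()


def _yes(value):
    return value is not None and value.strip().lower() in ("yes", "true", "1")


def parse_smb_conf(text):
    """Return {section_name: {normalised_param: value}} for an smb.conf body."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":            # both comment styles
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()    # share names are case-insensitive
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = _norm(key), value.strip()
        if key in _READONLY_SYNONYMS:
            sections[current]["readonly"] = "no" if _yes(value) else "yes"
        else:
            sections[current][key] = value
    return sections


def share_is_writable(params):
    """Effective 'read only = no' for a share (Samba's default is read only)."""
    return not _yes(params.get("readonly", "yes"))


def guest_audit(sections):
    """Every 'guest ok' share with the settings that govern anonymous writes."""
    findings = []
    for name, params in sections.items():
        if name == "global" or not _yes(params.get("guestok")):
            continue
        findings.append({
            "share": name,
            "path": params.get("path"),
            "writable": share_is_writable(params),
            "write_list": params.get("writelist"),
            "create_mask": params.get("createmask"),
            "directory_mask": params.get("directorymask"),
        })
    return findings


def guest_writable_shares(sections):
    """Names of guest shares where the config itself grants write access."""
    return sorted(f["share"] for f in guest_audit(sections)
                  if f["writable"] or f["write_list"])


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    g = conf["global"]
    print("guest account:", g.get("guestaccount", "nobody"),
          "| map to guest:", g.get("maptoguest", "never"))
    for finding in guest_audit(conf):
        print(finding)
    print("guest-writable:", guest_writable_shares(conf))
```

Two things the config alone cannot tell you, which is why the audit only reports rather than judges: with `security = user` and `map to guest = bad user`, any unknown user name is mapped to the `guest account` (`pcguest` here), so a `guest ok` share is reachable by anyone who can reach the port; and smbd serves an anonymous session as that Unix account, so `read only = no` and a permissive `create mask` do nothing unless `pcguest` can actually write to `path` on the filesystem. For a share that stays read-only despite `read only = no`, compare `testparm -s` output with `ls -ld` on the directory. The `write list` entry is reported separately because it is matched against the user name of the session, which for an anonymous connection is the guest account, so the literal word `guest` is worth checking against that name.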

  • Winbind and samba

    Hi,
    we are using samba shares on our Linux RHEL5.3 boxes and we are using winbind and pam to authenticate our users. I have noticed an issue that I need resolved asap: any user that has an AD account can log in to the unix box with their AD username and password. Is there a way to disable this but allow the samba share authentication to continue working as it is now?
    I can post my config if this helps.
    Thanks,
    Keith

    Please be more specific when describing your problem.
    How about limiting local and remote SSH authentication to members of a specific AD group, e.g. linuxadm?
    For instance, in order to only allow members of linuxadm to create an SSH session:
    Edit /etc/pam.d/system-auth:
    auth    requisite   pam_succeed_if.so user ingroup linuxadm debug
    session optional    pam_mkhomedir.so umask=0077
    Then restart winbind: service winbind restart
    You may also want to configure /etc/sudoers to allow the linuxadm group to use sudo. For more information, perhaps the following is helpful:
    http://www.cyberciti.biz/tips/howto-deny-allow-linux-user-group-login.html
    http://www.cyberciti.biz/tips/linux-pam-configuration-that-allows-or-deny-login-via-the-sshd-server.html
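An added example, not from either post above: a Python simulation of the Linux-PAM control flags (`required`, `requisite`, `sufficient`, `optional`) run over two versions of an `auth` stack. The `pam_succeed_if.so user ingroup linuxadm` line is the one from the reply; the `pam_winbind.so` and `pam_unix.so` lines are assumed here to stand for the modules that really authenticate domain and local users on the box (the actual system-auth file is not shown in the thread), and the module outcomes are constructed. The point it makes is about ordering: a `sufficient` success returns from the stack at once, so the group check only restricts domain logins if it sits above the line that lets them in.

```python
"""Simulate Linux-PAM control-flag semantics for an 'auth' stack.

Added example; not code from the thread. Module results are constructed,
not obtained from real PAM modules.
"""

# Stack as the reply suggests: the group check comes first. The winbind and
# unix lines are assumptions standing in for the site's real system-auth.
RESTRICTED_STACK = """
auth  requisite   pam_succeed_if.so user ingroup linuxadm debug
auth  sufficient  pam_winbind.so
auth  required    pam_unix.so
"""

# Same lines with the group check placed below the sufficient module.
MISORDERED_STACK = """
auth  sufficient  pam_winbind.so
auth  requisite   pam_succeed_if.so user ingroup linuxadm debug
auth  required    pam_unix.so
"""


def parse_pam_stack(text, module_type="auth"):
    """Return [(control, module, args)] for the lines of one module type."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        mtype, control, module, *args = line.split()
        if mtype == module_type:
            stack.append((control.lower(), module, args))
    return stack


def simulate_module(module, args, user):
    """Constructed outcomes. 'user' describes the caller: the groups NSS
    returns for them, and what winbind / the local shadow file would say."""
    if module == "pam_succeed_if.so":
        if args[:2] == ["user", "ingroup"]:        # the only condition modelled
            return args[2] in user["groups"]
        raise ValueError(f"unmodelled pam_succeed_if condition: {args}")
    if module == "pam_winbind.so":
        return user["winbind_ok"]
    if module == "pam_unix.so":
        return user["unix_ok"]
    raise ValueError(f"unmodelled module: {module}")


def evaluate(stack, user):
    """Apply the simple control flags:
      required   - a failure is remembered, the remaining modules still run
      requisite  - a failure returns immediately
      sufficient - a success returns immediately unless a required module
                   already failed; a failure is ignored
      optional   - ignored unless it is the only module in the stack
    """
    failed = False
    for control, module, args in stack:
        ok = simulate_module(module, args, user)
        if control == "requisite":
            if not ok:
                return False
        elif control == "required":
            failed = failed or not ok
        elif control == "sufficient":
            if ok and not failed:
                return True
        elif control == "optional":
            if len(stack) == 1:
                return ok
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return not failed


def authenticate(stack_text, user):
    """PAM_SUCCESS (True) or failure (False) for the 'auth' lines of a file."""
    return evaluate(parse_pam_stack(stack_text), user)


if __name__ == "__main__":
    domain_user = {"groups": ["domain users"], "winbind_ok": True, "unix_ok": False}
    admin = {"groups": ["domain users", "linuxadm"], "winbind_ok": True, "unix_ok": False}
    for label, stack in (("restricted", RESTRICTED_STACK), ("misordered", MISORDERED_STACK)):
        print(f"{label}: domain user -> {authenticate(stack, domain_user)}, "
              f"linuxadm member -> {authenticate(stack, admin)}")
```

Because the check goes into system-auth, it applies to every service that includes that file (sshd, login, su), not only SSH. It does not touch SMB share access: with encrypted passwords (the default) Samba verifies SMB logins through winbind and NTLM rather than through the PAM `auth` stack, and only consults PAM's account and session phases when `obey pam restrictions = yes` is set.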

  • Solaris 10 openldap authentication with md5 passwords

    Hello to everyone,
    We are trying to enable ldap authentication with pam_ldap and md5 passwords on a Solaris 10 system to an openldap server. If passwords are stored using crypt, everything works correctly. But if the password in openldap is in md5, then authentication fails.
    We have installed openldap client along with pam_ldap and nss_ldap from padl (http://www.padl.com/pam_ldap.html)
    The error messages when trying to 'su -' to the ldap user are:
    Jun  1 18:35:23 servername su: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    Jun  1 18:35:23 servername su: [ID 810491 auth.crit] 'su ldapuser' failed for mike on /dev/pts/4
    and for ssh:
    Jun  1 18:35:54 servername sshd[14197]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    Jun  1 18:35:54 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed for ldapuser from pc7395.sa.example.int
    Jun  1 18:36:00 servername sshd[14224]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    Jun  1 18:36:00 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed for ldapuser from pc7395.sa.example.int
    Jun  1 18:36:02 servername sshd[14278]: [ID 800047 auth.info] Accepted publickey for scponly from 10.24.4.52 port 35390 ssh2
    Jun  1 18:36:04 servername sshd[14270]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    Jun  1 18:36:04 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed for ldapuser from pc7395.sa.example.int
    Jun  1 18:36:04 servername sshd[14191]: [ID 800047 auth.info] Failed keyboard-interactive/pam for ldapuser from 192.168.1.25 port 41075 ssh2
    Jun  1 18:36:08 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    Jun  1 18:36:08 servername sshd[14191]: [ID 800047 auth.info] Failed password for ldapuser from 192.168.1.25 port 41075 ssh2
    Jun  1 18:36:12 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    Jun  1 18:36:12 servername sshd[14191]: [ID 800047 auth.info] Failed password for ldapuser from 192.168.1.25 port 41075 ssh2
    Jun  1 18:36:17 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    Jun  1 18:36:17 servername sshd[14191]: [ID 800047 auth.info] Failed password for ldapuser from 192.168.1.25 port 41075 ssh2
    Below are the configuration files (pam.conf, nsswitch.conf, ldap.conf) and anything else that I imagine could help (comments of the files have been removed).
    Please feel free to ask for any other configuration file:
    */etc/pam.conf*
    login   auth requisite        pam_authtok_get.so.1
    login   auth required         pam_dhkeys.so.1
    login   auth required         pam_unix_cred.so.1
    login   auth required         pam_dial_auth.so.1
    login   auth sufficient       pam_unix_auth.so.1  server_policy debug
    login   auth required           /usr/lib/security/pam_ldap.so.1 debug
    rlogin auth sufficient       pam_rhosts_auth.so.1
    rlogin auth requisite        pam_authtok_get.so.1
    rlogin auth required         pam_dhkeys.so.1
    rlogin auth required         pam_unix_cred.so.1
    rlogin  auth required          pam_unix_auth.so.1 use_first_pass
    rsh    auth sufficient       pam_rhosts_auth.so.1
    rsh    auth required         pam_unix_cred.so.1
    rsh    auth required         pam_unix_auth.so.1
    ppp     auth requisite        pam_authtok_get.so.1
    ppp     auth required         pam_dhkeys.so.1
    ppp     auth required         pam_dial_auth.so.1
    ppp     auth sufficient       pam_unix_auth.so.1 server_policy
    other   auth sufficient         /usr/lib/security/pam_ldap.so.1 debug
    other   auth required           pam_unix_auth.so.1 use_first_pass debug
    passwd  auth sufficient          pam_passwd_auth.so.1 server_policy
    passwd  auth required           /usr/lib/security/pam_ldap.so.1 debug
    cron    account required      pam_unix_account.so.1
    other   account requisite     pam_roles.so.1
    other   account sufficient       pam_unix_account.so.1 server_policy
    other   account required        /usr/lib/security/pam_ldap.so.1 debug
    other   session required      pam_unix_session.so.1
    other   password required     pam_dhkeys.so.1
    other   password requisite    pam_authtok_get.so.1
    other   password requisite    pam_authtok_check.so.1
    other   password required     pam_authtok_store.so.1 server_policy
    */etc/ldap.conf*
    base ou=users,ou=Example,dc=staff,dc=example
    ldap_version 3
    scope sub
    pam_groupdn [email protected],ou=groups,ou=Example,dc=staff,dc=example
    pam_member_attribute memberUid
    nss_map_attribute uid displayName
    nss_map_attribute cn sn
    pam_password_prohibit_message Please visit https://changepass.exapmle.int/ to change your password.
    uri ldap://ldapserver01/
    ssl no
    bind_timelimit 1
    bind_policy soft
    timelimit 10
    nss_reconnect_tries 3
    host klnsds01
    nss_base_group         ou=system_groups,ou=Example,dc=staff,dc=example?sub
    pam_password md5
    */etc/nsswitch.conf*
    passwd:     files ldap
    group:      files ldap
    hosts:      files dns
    ipnodes:   files dns
    networks:   files
    protocols:  files
    rpc:        files
    ethers:     files
    netmasks:   files
    bootparams: files
    publickey:  files
    netgroup:   files
    automount:  files
    aliases:    files
    services:   files
    printers:       user files
    auth_attr:  files
    prof_attr:  files
    project:    files
    tnrhtp:     files
    tnrhdb:     files
    */etc/security/policy.conf*
    AUTHS_GRANTED=solaris.device.cdrw
    PROFS_GRANTED=Basic Solaris User
    CRYPT_ALGORITHMS_DEPRECATE=__unix__
    LOCK_AFTER_RETRIES=YES
    CRYPT_ALGORITHMS_ALLOW=1,2a,md5
    CRYPT_DEFAULT=1
    Thanks in advance for any response...!!

    Thank you for your reply.
    Our openldap version is openldap-2.3.39
    And all passwords are encrypted with: Base64-encoded md5
    Below is a sample password:
    {md5}2FeO34RYzgb7xbt2pYxcpA==
    Thanks again for any help..
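An added example, not from the thread: a Python verifier for RFC 2307-style `userPassword` values (`{MD5}`, `{SMD5}`, `{SHA}`, `{SSHA}`), doing offline the comparison slapd makes when a simple bind arrives. It lets you confirm that a stored value actually matches the password being typed before going further into the PAM stack. The sample value is the one posted above (its plaintext is not known, so it is used only for parsing and a negative check); scheme names are compared case-insensitively, as OpenLDAP does; `{CRYPT}` is deliberately not handled. Function names are mine.

```python
"""Verify and generate RFC 2307-style userPassword values offline.

Added example; not code from the thread or from OpenLDAP/pam_ldap.
"""
import base64
import hashlib
import hmac
import os

# Value posted in the thread above; plaintext unknown.
SAMPLE_FROM_THREAD = "{md5}2FeO34RYzgb7xbt2pYxcpA=="

# scheme -> (hash constructor, salted?). Salted schemes append the salt to
# the digest inside the base64 payload. {CRYPT} is intentionally omitted.
_SCHEMES = {
    "md5":  (hashlib.md5, False),
    "smd5": (hashlib.md5, True),
    "sha":  (hashlib.sha1, False),
    "ssha": (hashlib.sha1, True),
}


def split_userpassword(value):
    """Return (scheme, payload); scheme is None for an unprefixed cleartext value."""
    if value.startswith("{") and "}" in value:
        scheme, _, payload = value[1:].partition("}")
        return scheme.lower(), payload            # scheme names are case-insensitive
    return None, value


def verify_userpassword(stored, candidate):
    """True if 'candidate' matches the stored userPassword value."""
    scheme, payload = split_userpassword(stored)
    if scheme is None:
        return hmac.compare_digest(payload.encode(), candidate.encode())
    if scheme not in _SCHEMES:
        raise ValueError(f"unsupported scheme {{{scheme}}}")
    ctor, salted = _SCHEMES[scheme]
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:
        return False                              # malformed value: fail closed
    digest_len = ctor().digest_size
    digest, salt = raw[:digest_len], raw[digest_len:]
    if len(digest) != digest_len or (salt and not salted):
        return False
    computed = ctor(candidate.encode() + salt).digest()
    return hmac.compare_digest(computed, digest)


def make_userpassword(password, scheme="ssha", salt=None):
    """Produce a value slapd accepts. Defaults to salted SHA-1: unsalted {MD5}
    gives identical passwords identical hashes and is trivially precomputable."""
    scheme = scheme.lower()
    if scheme not in _SCHEMES:
        raise ValueError(f"unsupported scheme {{{scheme}}}")
    ctor, salted = _SCHEMES[scheme]
    salt = (os.urandom(8) if salt is None else salt) if salted else b""
    digest = ctor(password.encode() + salt).digest()
    return "{%s}%s" % (scheme.upper(), base64.b64encode(digest + salt).decode())


if __name__ == "__main__":
    print(split_userpassword(SAMPLE_FROM_THREAD))
    print("empty password matches posted value:",
          verify_userpassword(SAMPLE_FROM_THREAD, ""))
    generated = make_userpassword("s3cret")
    print(generated, verify_userpassword(generated, "s3cret"))
```

Two caveats that follow from how the pieces fit together: the `pam_password md5` line in padl's ldap.conf only selects the hash pam_ldap writes when a user *changes* a password; authentication itself is an LDAP bind that slapd verifies against `userPassword`, which can be tested end to end with `ldapwhoami -x -H ldap://ldapserver01/ -D '<user DN>' -W`. Likewise the `CRYPT_*` settings in Solaris policy.conf govern crypt(3) hashes for local accounts and have no effect on a directory bind.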
