I did give it a try with no luck. However, I'm not sure that the way the pam 
rules I have set out would cause that to trip anyway.

On most of our linux machines, we'd have the system-auth looking like this 
(which is the default generated by system-config-authentication):

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

So, if the LDAP lookup of whatever authentication information fails, then the 
user will be denied. That's fine...but in practice, once the LDAP server locks 
out the account, samba is still able to read what it needs from the 
sambaNTPassword field, and thus approves the connection. 

I'll have to reconfigure a couple of things to double check on share accesses, 
but it's really the interactive logins I need to lock.

Sorry if I'm being difficult about it. :)



> Date: Fri, 14 Jan 2011 03:38:05 +0900
> Subject: Re: [Samba] another question about account locking
> From: mo...@monyo.com
> To: groucho.64...@hotmail.com
> CC: samba@lists.samba.org
> 
> 2011/1/14 Kevin Taylor <groucho.64...@hotmail.com>:
> > Unfortunately, that doesn't work. Since we're using an LDAP backend, we had 
> > to turn on 'encrypt passwords=yes' which bypasses the pam checking.
> 
> Have you actually tried it?
> 
> If you set "obey pam restrictions = yes", Samba obeys PAM's restrictions.
> 
> For example, try:
> 
> -----
> [global]
>  (encrypt passwords = yes) -- default value, so no need to set it explicitly
>   obey pam restrictions = yes
> 
> [homes]
>   writeable = yes
>   browseable = no
> -----
> 
> Usually, a user can access the homes share with a valid password, but if you
> set pam_deny.so correctly in system-auth, common-account or such a file, then
> anyone can log on and you can see the error messages:
> 
> -----
> [2011/01/14 03:24:00,  0] auth/pampass.c:smb_pam_accountcheck(792)
>   smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User monyo!
> -----
> 
> ---
> TAKAHASHI Motonobu <mo...@samba.gr.jp>
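An added illustration of the two points argued above (this is not code from the
thread, from Samba or from Linux-PAM): it walks the system-auth 'auth' stack
quoted earlier with the classic PAM control-flag semantics, and models which
PAM stacks Samba consults when 'encrypt passwords = yes'. The account stack,
the user scenarios and the module outcomes are all constructed for the example;
only the auth stack is the one from the mail.

```python
"""Added illustration, not code from this thread, Samba or Linux-PAM: walks a
PAM stack such as the system-auth 'auth' section quoted above with the classic
control flags (required / requisite / sufficient) and models which PAM stacks
Samba consults with 'encrypt passwords = yes'.  Module outcomes are
constructed scenarios, so everything runs offline."""

SUCCESS, FAIL = "success", "fail"

# The auth stack quoted in the mail above, verbatim.
AUTH_STACK_TEXT = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
"""

# Constructed account stack: a hypothetical simplification of a typical
# system-auth account section, restricted to the classic control flags.
ACCOUNT_STACK_TEXT = """\
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_ldap.so
"""

def parse_stack(text, group):
    """Return [(control, module), ...] for the lines of management group 'group'."""
    rows = (line.split() for line in text.splitlines())
    return [(p[1], p[2]) for p in rows if len(p) >= 3 and p[0] == group]

def evaluate_stack(stack, outcomes):
    """Walk one stack with Linux-PAM's classic control-flag semantics.
    outcomes: module name -> SUCCESS/FAIL for the user in question.
    Returns (verdict, trace)."""
    required_failed, trace = False, []
    for control, module in stack:
        result = outcomes.get(module, FAIL)
        trace.append(f"{control:<10} {module:<18} -> {result}")
        if control == "required" and result == FAIL:
            required_failed = True           # remembered, but the walk continues
        elif control == "requisite" and result == FAIL:
            trace.append("requisite failed: stop immediately")
            return FAIL, trace
        elif control == "sufficient" and result == SUCCESS and not required_failed:
            trace.append("sufficient succeeded: stop, stack passes")
            return SUCCESS, trace
        # a failing 'sufficient' (or an 'optional') module is simply skipped
    return (FAIL if required_failed else SUCCESS), trace

def samba_decision(obey_pam_restrictions, nt_hash_matches, account_outcomes):
    """Model of Samba's checks with 'encrypt passwords = yes' (the default):
    the password is verified against the stored NT hash (sambaNTPassword with
    an LDAP backend), so the PAM auth stack never runs for an SMB logon; with
    'obey pam restrictions = yes' Samba additionally runs the PAM account stack
    (the smb_pam_accountcheck call in the quoted log line)."""
    if not nt_hash_matches:
        return FAIL
    if obey_pam_restrictions:
        stack = parse_stack(ACCOUNT_STACK_TEXT, "account")
        if evaluate_stack(stack, account_outcomes)[0] == FAIL:
            return FAIL
    return SUCCESS

# Constructed scenarios: per-stack module outcomes for three kinds of user.
# pam_unix auth fails for LDAP users (no local password); pam_succeed_if in the
# account stack fails for them because their uid is >= 500.
def _ldap_user(ldap_result):
    return {"auth": {"pam_env.so": SUCCESS, "pam_unix.so": FAIL,
                     "pam_succeed_if.so": SUCCESS, "pam_ldap.so": ldap_result,
                     "pam_deny.so": FAIL},
            "account": {"pam_unix.so": SUCCESS, "pam_succeed_if.so": FAIL,
                        "pam_ldap.so": ldap_result}}

SCENARIOS = {
    "LDAP user, unlocked": _ldap_user(SUCCESS),
    "LDAP user, locked in LDAP": _ldap_user(FAIL),
    "system account (uid < 500), wrong password": {
        "auth": {"pam_env.so": SUCCESS, "pam_unix.so": FAIL, "pam_succeed_if.so": FAIL},
        "account": {"pam_unix.so": SUCCESS, "pam_succeed_if.so": SUCCESS}},
}

if __name__ == "__main__":
    auth_stack = parse_stack(AUTH_STACK_TEXT, "auth")
    for name, per_stack in SCENARIOS.items():
        verdict, trace = evaluate_stack(auth_stack, per_stack["auth"])
        print(f"--- {name}: interactive login (auth stack) -> {verdict}")
        print("\n".join("  " + t for t in trace))
        for obey in ("no", "yes"):
            # The NT hash still matches: locking the account in LDAP does not
            # change sambaNTPassword, which is exactly the problem described.
            smb = samba_decision(obey == "yes", True, per_stack["account"])
            print(f"  SMB logon, obey pam restrictions = {obey} -> {smb}")
```

Running it prints one trace per scenario. For the locked LDAP user the auth
stack ends in pam_deny and the interactive login fails, while the SMB logon
still succeeds with "obey pam restrictions = no" because only the NT hash is
checked; it is refused only once the account stack is consulted with the
setting turned on. The requisite pam_succeed_if line stops the walk early for
the uid < 500 case, so pam_ldap is never asked about local system accounts.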
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba