On Fri, Aug 19, 2011 at 09:11:22AM -0500, Martin Diers wrote:
> My company, which is a mac-heavy shop in the printing industry, needed
> to migrate to a faster file server. As our directory trees are very
> large, both Samba and Netatalk were bogging down badly on our Linux
> server (Samba, due to heavy CPU usage during directory listings - the
> case-sensitive file system issue, and netatalk because the cnid db was
> getting too big).

Did you look into the Samba large directory HOWTO to fix this ?

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/largefile.html

> Our solution was to switch to a Mac server running a Thunderbolt RAID
> array. This forced us into using Lion, as the only Snow Leopard machines
> with thunderbolt ports are laptops. The new server is extremely fast
> even with our large file systems. But SMBX is causing numerous problems.
>
> Yesterday, I succeeded in getting Samba 3.6.0 compiled and running on
> Lion, and now have a working Macports package. Only one patch was
> required: to address issues with NGROUPS_MAX on Lion, which prevented
> smbd from starting. (FYI: Because groups can be nested in Lion, but
> getgrouplist() reports the list without nesting, the number of groups in
> some system account used by Samba exceeds NGROUPS_MAX. The fix just
> forces it to 32 in lib/system.c - ugly, but it works).
>
> I do not understand how Apple's OpenDirectory integration used to work
> with Samba in versions <= 10.6. I assume they maintained smbpasswd
> tokens inside OpenDirectory. Regardless, this is no longer done in Lion.
> Instead, I attempted to use the pam_smbpass module to sync passwords
> with the tdb backend.
>
> I copied the compiled pam_smbpass.dynlib module to
> /usr/lib/pam/pam_smbpass.so.2.
>
> I then set up /etc/pam.d/passwd like so:
>
> auth       required  pam_permit.so
> account    required  pam_opendirectory.so
> password   requisite pam_opendirectory.so
> password   required  pam_smbpass.so nullok use_authtok try_first_pass
> session    required  pam_permit.so
>
> This prevents user accounts on the Server from changing their own
> password at all. The root user can still change individual system
> account passwords, but no smbpasswd syncing takes place.
>
> I have tried several variants on the "password required" line. All of
> them exhibit the same behavior.
>
> I have been unable to find any debug or log information that sheds much
> light on this behavior. When the user attempts to change their password,
> this is what is shown in /var/log/secure.log:
>
> passwd[229]: in _openpam_check_error_code(): pam_sm_chauthtok():
> unexpected return value 12

From the source code here :

http://trac.des.no/openpam/browser/trunk/include/security/pam_constants.h

    enum {
        PAM_SUCCESS = 0,
        PAM_OPEN_ERR = 1,
        PAM_SYMBOL_ERR = 2,
        PAM_SERVICE_ERR = 3,
        PAM_SYSTEM_ERR = 4,
        PAM_BUF_ERR = 5,
        PAM_CONV_ERR = 6,
        PAM_PERM_DENIED = 7,
        PAM_MAXTRIES = 8,
        PAM_AUTH_ERR = 9,
        PAM_NEW_AUTHTOK_REQD = 10,
        PAM_CRED_INSUFFICIENT = 11,
        PAM_AUTHINFO_UNAVAIL = 12,
        PAM_USER_UNKNOWN = 13,
        PAM_CRED_UNAVAIL = 14,
        PAM_CRED_EXPIRED = 15,
        PAM_CRED_ERR = 16,
        PAM_ACCT_EXPIRED = 17,
        PAM_AUTHTOK_EXPIRED = 18,
        PAM_SESSION_ERR = 19,
        PAM_AUTHTOK_ERR = 20,
        PAM_AUTHTOK_RECOVERY_ERR = 21,
        PAM_AUTHTOK_LOCK_BUSY = 22,
        PAM_AUTHTOK_DISABLE_AGING = 23,
        PAM_NO_MODULE_DATA = 24,
        PAM_IGNORE = 25,
        PAM_ABORT = 26,
        PAM_TRY_AGAIN = 27,
        PAM_MODULE_UNKNOWN = 28,
        PAM_DOMAIN_UNKNOWN = 29,
        PAM_NUM_ERRORS /* OpenPAM extension */
    };

> And this is what the user sees:
>
> $ passwd
> Changing password for <user>.
> passwd: authentication information is unavailable

Indeed - 12 == PAM_AUTHINFO_UNAVAIL.

> smbd.log shows nothing at all.
>
> If the user's password is changed using the root account, no errors of
> any kind are logged, and no smbpasswd sync takes place.
>
> I know that pam_smbpass works in FreeBSD, which also uses OpenPam, so I
> doubt it is an OpenPam incompatibility. I'm just not sure where to look
> next. Might be a modified version of OpenPam used by MacOSX - not sure.

Can you look in the Darwin source code to see when PAM_AUTHINFO_UNAVAIL
is returned ?

Jeremy.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
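The thread turns on two things: how the control flags in the quoted /etc/pam.d/passwd stack decide which module's return code the user sees, and the fact that 12 maps to PAM_AUTHINFO_UNAVAIL. The simulation below is an added example, not code from the thread, Samba or OpenPAM: it models the standard required/requisite/sufficient/optional dispatch rules over the two "password" lines Martin posted, with constructed return values standing in for the real pam_opendirectory and pam_smbpass modules (which are not loaded here). It shows why, when a requisite module fails, the required pam_smbpass module never runs at all, so no smbpasswd sync and no smbd.log entry would be expected, and why a failure from pam_smbpass itself still surfaces as the chain's result. It does not say which of the two modules produced the 12 on Lion; that is the question Jeremy asks about the Darwin source.

```python
"""Simplified PAM stack dispatcher applied to the 'password' chain from the thread.

This is an added illustration of PAM control-flag semantics, not OpenPAM's
real dispatcher. Module behaviour is constructed via return codes.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Subset of the return codes quoted from OpenPAM's pam_constants.h.
PAM_SUCCESS = 0
PAM_PERM_DENIED = 7
PAM_AUTHINFO_UNAVAIL = 12
PAM_IGNORE = 25
PAM_NAMES = {0: "PAM_SUCCESS", 7: "PAM_PERM_DENIED",
             12: "PAM_AUTHINFO_UNAVAIL", 25: "PAM_IGNORE"}


@dataclass
class StackEntry:
    control: str                 # required | requisite | sufficient | optional
    module: str                  # module name, for the trace only
    handler: Callable[[], int]   # stand-in for the module's pam_sm_chauthtok()


def dispatch(stack: List[StackEntry]) -> Tuple[int, List[str]]:
    """Walk a chain with the usual control-flag rules:
    - requisite failure: stop at once and return that module's error
    - required failure: remember the first error, but keep running later modules
    - sufficient success: return success unless a required module already failed
    - optional: its result only counts if no other module decided the outcome
    Returns (final code, names of the modules that actually ran)."""
    first_error = None
    optional_result = None
    ran: List[str] = []
    for entry in stack:
        rc = entry.handler()
        ran.append(entry.module)
        if rc == PAM_IGNORE:
            continue                      # module asked to be skipped
        if entry.control == "requisite":
            if rc != PAM_SUCCESS:
                return rc, ran            # later modules are never called
        elif entry.control == "required":
            if rc != PAM_SUCCESS and first_error is None:
                first_error = rc
        elif entry.control == "sufficient":
            if rc == PAM_SUCCESS and first_error is None:
                return PAM_SUCCESS, ran
        elif entry.control == "optional":
            optional_result = rc
        else:
            raise ValueError(f"unknown control flag {entry.control!r}")
    if first_error is not None:
        return first_error, ran
    if optional_result is not None and len(stack) == 1:
        return optional_result, ran       # a lone optional module decides
    return PAM_SUCCESS, ran


def password_chain(opendirectory_rc: int, smbpass_rc: int) -> Tuple[int, List[str]]:
    """The two 'password' lines of the /etc/pam.d/passwd stack quoted in the
    thread. The return codes are constructed inputs, not real module results."""
    stack = [
        StackEntry("requisite", "pam_opendirectory.so", lambda: opendirectory_rc),
        StackEntry("required", "pam_smbpass.so", lambda: smbpass_rc),
    ]
    return dispatch(stack)


if __name__ == "__main__":
    scenarios = {
        "both succeed": (PAM_SUCCESS, PAM_SUCCESS),
        "opendirectory returns 12": (PAM_AUTHINFO_UNAVAIL, PAM_SUCCESS),
        "smbpass returns 12": (PAM_SUCCESS, PAM_AUTHINFO_UNAVAIL),
        "opendirectory denies": (PAM_PERM_DENIED, PAM_SUCCESS),
    }
    for label, (od, smb) in scenarios.items():
        code, ran = password_chain(od, smb)
        print(f"{label:26s} -> {PAM_NAMES[code]:22s} ran: {', '.join(ran)}")
```

Reading the trace: in the "opendirectory returns 12" case only pam_opendirectory.so runs, which matches a chain that reports "authentication information is unavailable" while pam_smbpass leaves no trace in smbd.log; in the "smbpass returns 12" case both modules run and the same code is reported, so the log line alone does not distinguish the two. Swapping the first line to `required` would let pam_smbpass run even when OpenDirectory fails, but the chain would still return the first error, so the user-visible result would not change.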