Re: [Samba] another question about account locking
I'm not making much progress over here. I agree with the pam_deny item you list below. Putting the pam_deny line in the account settings will definitely prevent me from letting the windows users authenticate. But the issue remains where if the account is locked through the LDAP server, whatever samba is looking for when it queries is enough to satisfy the pam_ldap module's account info. Removing the pam_ldap line from the account section doesn't make a difference to the linux user logging in, but it won't let samba through like you mention. We don't want to always fail the account, only when it's locked. Is there something in ldap.conf that can be remapped to read this correctly?

> Date: Fri, 14 Jan 2011 03:56:29 +0900
> Subject: Re: [Samba] another question about account locking
> From: mo...@monyo.com
> To: groucho.64...@hotmail.com
> CC: samba@lists.samba.org
>
> 2011/1/14 Kevin Taylor :
> >
> > I did give it a try with no luck. However, I'm not sure that the way the
> > pam rules I have set out would cause that to trip anyway.
> >
> > On most of our linux machines, we'd have the system-auth looking like this
> > (what is the default generated by system-config-authentication)
> >
> > auth required pam_env.so
> > auth sufficient pam_unix.so nullok try_first_pass
> > auth requisite pam_succeed_if.so uid >= 500 quiet
> > auth sufficient pam_ldap.so use_first_pass
> > auth required pam_deny.so
> >
> > So, if the LDAP lookup of whatever authentication information fails, then
> > the user will be denied. That's fine...but in practice, once the LDAP
> > server locks out the account, samba still is able to read what it needs
> > from the sambantpassword field, and thus approves the connection.
>
> Sorry, auth section will not work with Samba, as described in smb.conf(5).
> I put pam_deny.so into account section. For example,
> /etc/pam.d/common-account on my lenny box:
>
> -
> account required pam_unix.so
> account required pam_deny.so
> -
>
> This means always FAIL at account section.
>
> To check if an account is disabled is usually done at account section, I
> think.
>
> ---
> TAKAHASHI Motonobu

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] another question about account locking
Ok. I'm still not able to lock out the account, but now that I've got the pam restrictions line in the smb.conf, I'm seeing messages appear in /var/log/secure related to samba:account and samba:session. So, that means that the login session is doing SOMETHING with pam, but I'm not able to deny access at this point. If I'm not careful with the placement of pam_deny then I prevent everyone from logging on. I had that issue with my first test.

What exactly is samba asking of the ldap server at this stage that would generate a failure that pam will recognize, I wonder. If the account request is just asking if the account is there, and some basic samba ldap settings, then of course it will succeed. If the session is doing the same, then it will be ok.

Just as a guaranteed verification of what PAM will do: I put the pam_deny line first thing in the session clause. I could still log in, but got errors downloading the profile. I moved the pam_deny into the account section, and I was not able to log into the windows machine. This is good...but that was a forced deny for everyone for everything.

> Date: Fri, 14 Jan 2011 03:56:29 +0900
> Subject: Re: [Samba] another question about account locking
> From: mo...@monyo.com
> To: groucho.64...@hotmail.com
> CC: samba@lists.samba.org
>
> 2011/1/14 Kevin Taylor :
> >
> > I did give it a try with no luck. However, I'm not sure that the way the
> > pam rules I have set out would cause that to trip anyway.
> >
> > On most of our linux machines, we'd have the system-auth looking like this
> > (what is the default generated by system-config-authentication)
> >
> > auth required pam_env.so
> > auth sufficient pam_unix.so nullok try_first_pass
> > auth requisite pam_succeed_if.so uid >= 500 quiet
> > auth sufficient pam_ldap.so use_first_pass
> > auth required pam_deny.so
> >
> > So, if the LDAP lookup of whatever authentication information fails, then
> > the user will be denied. That's fine...but in practice, once the LDAP
> > server locks out the account, samba still is able to read what it needs
> > from the sambantpassword field, and thus approves the connection.
>
> Sorry, auth section will not work with Samba, as described in smb.conf(5).
> I put pam_deny.so into account section. For example,
> /etc/pam.d/common-account on my lenny box:
>
> -
> account required pam_unix.so
> account required pam_deny.so
> -
>
> This means always FAIL at account section.
>
> To check if an account is disabled is usually done at account section, I
> think.
>
> ---
> TAKAHASHI Motonobu
Re: [Samba] another question about account locking
2011/1/14 Kevin Taylor :
> I did give it a try with no luck. However, I'm not sure that the way the pam
> rules I have set out would cause that to trip anyway.
>
> On most of our linux machines, we'd have the system-auth looking like this
> (what is the default generated by system-config-authentication)
>
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_deny.so
>
> So, if the LDAP lookup of whatever authentication information fails, then the
> user will be denied. That's fine...but in practice, once the LDAP server
> locks out the account, samba still is able to read what it needs from the
> sambantpassword field, and thus approves the connection.

Sorry, auth section will not work with Samba, as described in smb.conf(5).
I put pam_deny.so into account section. For example, /etc/pam.d/common-account on my lenny box:

-
account required pam_unix.so
account required pam_deny.so
-

This means always FAIL at account section.

To check if an account is disabled is usually done at account section, I think.

---
TAKAHASHI Motonobu
Re: [Samba] another question about account locking
I did give it a try with no luck. However, I'm not sure that the way the pam rules I have set out would cause that to trip anyway.

On most of our linux machines, we'd have the system-auth looking like this (what is the default generated by system-config-authentication)

auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

So, if the LDAP lookup of whatever authentication information fails, then the user will be denied. That's fine...but in practice, once the LDAP server locks out the account, samba still is able to read what it needs from the sambantpassword field, and thus approves the connection.

I'll have to reconfigure a couple of things to double check on share accesses, but it's really the interactive logins I need to lock. Sorry if I'm being difficult about it. :)

> Date: Fri, 14 Jan 2011 03:38:05 +0900
> Subject: Re: [Samba] another question about account locking
> From: mo...@monyo.com
> To: groucho.64...@hotmail.com
> CC: samba@lists.samba.org
>
> 2011/1/14 Kevin Taylor :
> > Unfortunately, that doesn't work. Since we're using an LDAP backend, we had
> > to turn on 'encrypt passwords=yes' which bypasses the pam checking.
>
> Have you actually tried it?
>
> To set "obey pam restrictions = yes", Samba obeys PAM's restriction.
>
> For example, try:
>
> -
> [global]
> (encrypt passwords = yes) -- default value, so not to need to set explicitly
> obey pam restrictions = yes
>
> [homes]
> writeable = yes
> browseable = no
> -
>
> Usually, a user can access the homes share with valid password, but if you
> set pam_deny.so correctly in system-auth, common-account or such a file, then
> anyone can logon and you can see the error messages:
>
> -
> [2011/01/14 03:24:00, 0] auth/pampass.c:smb_pam_accountcheck(792)
>   smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User monyo!
> -
>
> ---
> TAKAHASHI Motonobu
Re: [Samba] another question about account locking
2011/1/14 Kevin Taylor :
> Unfortunately, that doesn't work. Since we're using an LDAP backend, we had
> to turn on 'encrypt passwords=yes' which bypasses the pam checking.

Have you actually tried it?

To set "obey pam restrictions = yes", Samba obeys PAM's restriction.

For example, try:

-
[global]
(encrypt passwords = yes) -- default value, so not to need to set explicitly
obey pam restrictions = yes

[homes]
writeable = yes
browseable = no
-

Usually, a user can access the homes share with valid password, but if you set pam_deny.so correctly in system-auth, common-account or such a file, then anyone can logon and you can see the error messages:

-
[2011/01/14 03:24:00, 0] auth/pampass.c:smb_pam_accountcheck(792)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User monyo!
-

---
TAKAHASHI Motonobu
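A small detection helper for the rejection message shown above, added here as an example and not part of the thread: it reads Samba's log entries (a header line followed by the message line, the two-line layout assumed from the excerpt above) and counts PAM account-validation rejections per user, so a locked account that keeps hitting smbd becomes visible. The sample log lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Samba writes a header line "[YYYY/MM/DD HH:MM:SS, level] file:func(line)"
# and puts the message on the next line (layout assumed from the thread).
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\] (?P<where>\S+)$"
)
# Message smbd logs when "obey pam restrictions = yes" and the PAM account
# stack rejects the user (wording taken from the excerpt in the thread).
REJECT_RE = re.compile(
    r"smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User (?P<user>\S+?)!?$"
)

def parse_pam_rejections(lines):
    """Yield (timestamp, user) for every PAM account-check rejection."""
    header = None
    for raw in lines:
        line = raw.rstrip("\n")
        m = HEADER_RE.match(line)
        if m:
            header = m          # remember the header; its message follows
            continue
        r = REJECT_RE.search(line)
        if r and header is not None:
            ts = datetime.strptime(header.group("ts"), "%Y/%m/%d %H:%M:%S")
            yield ts, r.group("user")
        header = None           # a message line always consumes its header

def rejections_per_user(lines):
    """Count rejections per user, e.g. to alert on a locked account that keeps trying."""
    return Counter(user for _, user in parse_pam_rejections(lines))

# Constructed sample log: the entry quoted in the thread plus made-up entries,
# including one unrelated success line that must not be counted.
SAMPLE_LOG = """\
[2011/01/14 03:24:00, 0] auth/pampass.c:smb_pam_accountcheck(792)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User monyo!
[2011/01/14 03:25:10, 0] auth/pampass.c:smb_pam_accountcheck(792)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User monyo!
[2011/01/14 03:26:42, 3] auth/auth.c:check_ntlm_password(221)
  check_ntlm_password:  authentication for user [alice] succeeded
[2011/01/14 03:27:05, 0] auth/pampass.c:smb_pam_accountcheck(792)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User bob!
""".splitlines()
```

Feed it the smbd log (or /var/log/secure lines that carry the same message) instead of SAMPLE_LOG to get per-user counts from a real box.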
Re: [Samba] another question about account locking
Unfortunately, that doesn't work. Since we're using an LDAP backend, we had to turn on 'encrypt passwords=yes' which bypasses the pam checking.

> Date: Fri, 14 Jan 2011 02:51:58 +0900
> Subject: Re: [Samba] another question about account locking
> From: mo...@monyo.com
> To: groucho.64...@hotmail.com
> CC: samba@lists.samba.org
>
> 2011/1/13 Kevin Taylor :
> >
> > Is there a way that we can increment the samba bad password count, when a
> > user fails a password on a linux system? I'm looking for ways to get both
> > Windows and Linux to simultaneously lock out accounts if they fail so many
> > times. We're using an LDAP backend.
>
> How about "obey pam restrictions = yes" ?
>
> "obey pam restrictions = yes" means Samba should obey PAM's restriction.
>
> ---
> TAKAHASHI Motonobu
Re: [Samba] another question about account locking
On Fri, Jan 14, 2011 at 02:51:58AM +0900, TAKAHASHI Motonobu wrote:
> 2011/1/13 Kevin Taylor :
> >
> > Is there a way that we can increment the samba bad password count, when a
> > user fails a password on a linux system? I'm looking for ways to get both
> > Windows and Linux to simultaneously lock out accounts if they fail so many
> > times. We're using an LDAP backend.
>
> How about "obey pam restrictions = yes" ?
>
> "obey pam restrictions = yes" means Samba should obey PAM's restriction.

This has other benefits, because it allows you to use the session components of various pam modules (e.g. pam_mkhomedir).

-- 
Bruce
What would Edward Woodward do?
Re: [Samba] another question about account locking
2011/1/13 Kevin Taylor :
>
> Is there a way that we can increment the samba bad password count, when a
> user fails a password on a linux system? I'm looking for ways to get both
> Windows and Linux to simultaneously lock out accounts if they fail so many
> times. We're using an LDAP backend.

How about "obey pam restrictions = yes" ?

"obey pam restrictions = yes" means Samba should obey PAM's restriction.

---
TAKAHASHI Motonobu
[Samba] another question about account locking
Is there a way that we can increment the samba bad password count, when a user fails a password on a linux system? I'm looking for ways to get both Windows and Linux to simultaneously lock out accounts if they fail so many times. We're using an LDAP backend.