Also I am not sure these are needed:

idmap uid = 16777216-33554431
idmap gid = 16777216-33554431

You really only need these if you are using an authorization
source that doesn't provide compatible UIDs and GIDs (winbind).

-Ross
  

> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Ross S. W. Walker
> Sent: Monday, August 06, 2007 2:19 PM
> To: CentOS mailing list
> Subject: RE: [CentOS] help with samba and ldap on centos 5
> 
>  
> I think you might need the 'obey pam restrictions = yes' in your smb.conf file too.
>  
>        obey pam restrictions (G)
>               When Samba 3.0 is configured to enable PAM support (i.e.
>               --with-pam), this parameter will control whether or not Samba
>               should obey PAM's account and session management directives. The
>               default behavior is to use PAM for clear text authentication
>               only and to ignore any account or session management. Note that
>               Samba always ignores PAM for authentication in the case of
>               encrypt passwords = yes. The reason is that PAM modules cannot
>               support the challenge/response authentication mechanism needed
>               in the presence of SMB password encryption.
>  
>               Default: obey pam restrictions = no
> 
> -Ross
>  
> 
> 
> 
> ________________________________
> 
>       From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Bliss
>       Sent: Monday, August 06, 2007 2:13 PM
>       To: CentOS mailing list
>       Subject: Re: [CentOS] help with samba and ldap on centos 5
>       
>       
>       This may be related to centos 5, or more likely the version of samba that it ships with, and the option not to encrypt passwords:
>       encrypt passwords = no
>       
>       This same smb.conf file works great in centos 4....any ideas?  Thanks.
>       
>       Aaron
>       
>       Aaron Bliss wrote: 
> 
>               Ross,
>               I re-ran authconfig, system-auth now has what you mentioned, however server still isn't working.....any other ideas?
>               
>               Thanks again.
>               Aaron
>               
>               testparm
>               Load smb config files from /etc/samba/smb.conf
>               Processing section "[ITS]"
>               Processing section "[sysadmin2]"
>               Processing section "[daf]"
>               Processing section "[first share]"
>               Loaded services file OK.
>               Server role: ROLE_STANDALONE
>               Press enter to see a dump of your service definitions
>               
>               [global]
>                       workgroup = ITSN
>                       server string = filecity2
>                       encrypt passwords = No
>                       username map = /etc/samba/smbusers
>                       log level = 1
>                       log file = /var/log/samba/samba.log
>                       max log size = 50
>                       debug timestamp = No
>                       max xmit = 32768
>                       socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=2048 SO_SNDBUF=204
>                       load printers = No
>                       printcap name = /etc/printcap
>                       show add printer wizard = No
>                       dns proxy = No
>                       wins server = 137.21.7.5
>                       ldap ssl = no
>                       idmap uid = 16777216-33554431
>                       idmap gid = 16777216-33554431
>                       template shell = /bin/bash
>                       nt acl support = No
>                       cups options = raw
>               
>               [first share]
>                       comment = test share here
>                       path = /export
>                       valid users = abliss
>                       read only = No
>               
>               
>               Ross S. W. Walker wrote: 
> 
>                        
>                       Try running this:
>                        
>                       authconfig --kickstart --enablelocauthorize
>                        
>                       And see if that does the trick, what you want to see under 'account'
>                        
>                       account     required      pam_unix.so broken_shadow
>                       account     sufficient    pam_localuser.so
>                       account     sufficient    pam_succeed_if.so uid < 500 quiet
>                       account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
>                       account     required      pam_permit.so
>                        
>                       The above command should do the trick.
>                        
>                       -Ross
>                        
> 
> 
> ________________________________
> 
>                               From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Bliss
>                               Sent: Monday, August 06, 2007 11:41 AM
>                               To: CentOS mailing list
>                               Subject: Re: [CentOS] help with samba and ldap on centos 5
>                               
>                               
>                               Hi Ross,
>                               I used authconfig to configure the box.  Here are the configs:
>                               
>                               cat /etc/nsswitch.conf | grep -v \#
>                               passwd:     files ldap
>                               shadow:     files ldap
>                               group:      files ldap
>                               hosts:      files dns
>                               bootparams: nisplus [NOTFOUND=return] files
>                               ethers:     files
>                               netmasks:   files
>                               networks:   files
>                               protocols:  files ldap
>                               rpc:        files
>                               services:   files ldap
>                               netgroup:   files ldap
>                               publickey:  nisplus
>                               automount:  files ldap
>                               aliases:    files nisplus
>                               
>                               cat /etc/pam.d/system-auth
>                               #%PAM-1.0
>                               # This file is auto-generated.
>                               # User changes will be destroyed the next time authconfig is run.
>                               auth        required      pam_env.so
>                               auth        sufficient    pam_unix.so nullok try_first_pass
>                               auth        requisite     pam_succeed_if.so uid >= 500 quiet
>                               auth        sufficient    pam_ldap.so use_first_pass
>                               auth        required      pam_deny.so
>                               
>                               account     required      pam_unix.so broken_shadow
>                               account     sufficient    pam_succeed_if.so uid < 500 quiet
>                               account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
>                               account     required      pam_permit.so
>                               
>                               password    requisite     pam_cracklib.so try_first_pass retry=3
>                               password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
>                               password    sufficient    pam_ldap.so use_authtok
>                               password    required      pam_deny.so
>                               
>                               session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0022
>                               session     optional      pam_keyinit.so revoke
>                               session     required      pam_limits.so
>                               session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>                               session     required      pam_unix.so
>                               session     optional      pam_ldap.so
>                               
>                               cat /etc/sysconfig/authconfig
>                               USEWINBINDAUTH=no
>                               USEKERBEROS=no
>                               USESYSNETAUTH=no
>                               FORCESMARTCARD=no
>                               USESMBAUTH=no
>                               USESMARTCARD=no
>                               USELDAPAUTH=yes
>                               USEWINBIND=no
>                               USESHADOW=yes
>                               USEDB=no
>                               USEHESIOD=no
>                               USEPASSWDQC=no
>                               USELDAP=yes
>                               USELOCAUTHORIZE=no
>                               USEMD5=yes
>                               USECRACKLIB=yes
>                               USENIS=no
>                               
>                               Thanks again.
>                               Aaron
>                               
>                               Ross S. W. Walker wrote: 
> 
>                                               -----Original Message-----
>                                               From: [EMAIL PROTECTED] 
>                                               [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Bliss
>                                               Sent: Monday, August 06, 2007 11:16 AM
>                                               To: [email protected]
>                                               Subject: [CentOS] help with samba and ldap on centos 5
>                                               
>                                               Hi everyone; I'm having some trouble with samba on a centos 5
>                                               box; the box has been configured to authenticate against an ldap
>                                               server via authconfig....authentication for normal use (console,
>                                               ssh) works great....I'm having some trouble with samba using
>                                               single ldap users or local users....It's rather weird, shares in
>                                               which access restrictions are based upon ldap groups are working
>                                               fine, getent group shows local and ldap groups, however
>                                               attempting to assign access to a share for either a single ldap
>                                               user or a local user doesn't work, and produces the following
>                                               error when trying to hit the share:
>                                               
>                                               smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User myuser1 !
>                                               
>                                               For local users, I've added local os accounts as well as
>                                               accounts in the samba database with smbpasswd
>                                               Any ideas? Thanks for your help.
>                                                   
> 
>                                       
>                                       Did you use authconfig to configure ldap auth or did you manually edit
>                                       the PAM database?
>                                       
>                                       Can you post a copy of your /etc/sysconfig/authconfig,
>                                       /etc/pam.d/system-auth, and a copy of your /etc/nsswitch.conf?
>                                       
>                                       -Ross
>                                       
>                                       
> ______________________________________________________________________
>                                       This e-mail, and any attachments thereto, is intended only for use by
>                                       the addressee(s) named herein and may contain legally privileged
>                                       and/or confidential information. If you are not the intended recipient
>                                       of this e-mail, you are hereby notified that any dissemination,
>                                       distribution or copying of this e-mail, and any attachments thereto,
>                                       is strictly prohibited. If you have received this e-mail in error,
>                                       please immediately notify the sender and permanently delete the
>                                       original and any copy or printout thereof.
>                                       
> _______________________________________________
>                                       CentOS mailing list
>                                       [email protected]
>                                       http://lists.centos.org/mailman/listinfo/centos
>                                         
> 

_______________________________________________
CentOS mailing list
[email protected]
http://lists.centos.org/mailman/listinfo/centos
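
An added example, not part of the thread or of Samba: a small Python audit that reads the three configs discussed above and reports the conditions the replies point at (cleartext authentication through PAM, account/session handling ignored, no pam_localuser.so in the account stack, idmap ranges set without winbind). The function names and finding labels are hypothetical, and the sample inputs are abbreviated from the configs quoted in the thread.

```python
import re

# Constructed sample inputs, abbreviated from the configs quoted in the thread.
SMB_CONF = """[global]
    workgroup = ITSN
    encrypt passwords = No
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
[first share]
    valid users = abliss
"""
NSSWITCH = "passwd: files ldap\ngroup: files ldap\n"
PAM_ACCOUNT = """account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
"""

def parse_global(text):
    """Return the [global] parameters of an smb.conf or testparm dump."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace inside parameter names.
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def is_yes(value):
    return value.lower() in ("yes", "true", "on", "1")

def audit(smb_conf, nsswitch, pam_account):
    """List the conditions this thread discusses (labels are hypothetical)."""
    g, findings = parse_global(smb_conf), []
    # Per the quoted man page, PAM authenticates only cleartext logins.
    if not is_yes(g.get("encryptpasswords", "yes")):
        findings.append("cleartext-auth-via-pam")
        if not is_yes(g.get("obeypamrestrictions", "no")):
            findings.append("pam-account-session-ignored")
        if not re.search(r"^account\s.*\bpam_localuser\.so\b", pam_account, re.M):
            findings.append("no-pam_localuser-in-account-stack")
    winbind = re.search(r"^(passwd|group):.*\bwinbind\b", nsswitch, re.M)
    if ("idmapuid" in g or "idmapgid" in g) and not winbind:
        findings.append("idmap-range-without-winbind")
    return findings
```

Calling `audit(SMB_CONF, NSSWITCH, PAM_ACCOUNT)` on the sample returns all four findings; on a real host, pass the contents of /etc/samba/smb.conf, /etc/nsswitch.conf and /etc/pam.d/system-auth instead.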