Hi All,

I have been using Samba for a long time, as a network administrator and as a network consultant (since 1994). For the first time, I have had someone ask me how to set up Samba to deny access to a user after 3 unsuccessful logon attempts. This is part of a new corporate security policy at a Windows-centric company. I have gotten the Linux server itself to track the failed logon attempts using the pam_tally PAM module, and it does the trick. However, I am sure you know what is coming next...
As everyone on this list is probably aware, the use of encrypted passwords and PAM password authentication are apparently mutually exclusive options with Samba 2.2.x. This is stated up front in the help for the 'obey pam restrictions' option in the man page, I believe. With PAM support compiled in and enabled (obey pam restrictions = Yes), I can switch to plain-text passwords (encrypted passwords = No) and have Samba authenticate the user via PAM, obeying the pam_tally setup to deny the user access after 3 failed logon attempts. However, the use of encrypted passwords is also part of the corporate security policy at the site in question.

With encrypted passwords on, Samba does obey the PAM account authentication rules - it denies access to a user who has already reached the configured number of logon attempts. However, an invalid logon attempt via Samba in this configuration does not increment the failed logon attempt counter maintained by pam_tally.so. So I can try to log on as many times as I want via SMB without incrementing the counter and disabling the user account.

I am hoping that someone on this list has some insight into this issue, or has worked through it. I am wondering whether, if I modified the smbd source code to somehow force the use of PAM even with encryption, I could then somehow use the pam_smb_auth module to authenticate against the Samba server. The help for the pam_smb_auth.so PAM module seems to indicate that it supports encrypted passwords when authenticating against an NT PDC. I am not sure this option is viable, though. Any suggestions are welcome.

The worst-case scenario I see at the moment would be having to downgrade the Samba PDC to a domain member server and perform all authentication with an NT PDC. That is my least desirable course of action, though, as Samba was used to replace NT Server several years ago.
NT Server is still sitting on the shelf, though, and can be dusted off if that is the only way to achieve the requirements of the security policy. Note that if you have not looked at it, a Windows server (ack!) makes it very easy to control this type of stuff. There is a 'Local Security Policy' utility in the NT/2000 control panel. Using this utility, you can in a few clicks set how many attempts are allowed before an account becomes disabled. Certainly much easier to find than the PAM alternative, which took me some digging to find!

Alternatively, how difficult would it be to modify Samba to support an option like this directly, within the constructs of the smbpasswd file?

Thanks for any help!

--
Jim Morris
Email: [EMAIL PROTECTED]
AIM: JFM2001
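The two configurations the post contrasts, written out as an added example; this is not code from the original message or from the Samba project. The script emits the PAM service file for smbd with pam_tally wired in, emits the smb.conf [global] lines for either the plain-text mode (PAM authenticates, so the tally increments) or the encrypted mode (smbd checks the NT challenge/response against smbpasswd itself and only runs PAM's account stage, so the tally never moves), installs them under a chosen root, and wraps faillog(8) for reading and resetting the counter. Assumptions not stated in the post: the PAM service name "samba" (Samba's default), the Linux-PAM-era pam_tally option syntax in which deny= sits on the account line, and shadow-utils faillog being present. The option is spelled `encrypt passwords` in smb.conf; the post's "encrypted passwords" refers to the same setting.

```shell
#!/bin/sh
# Added example, not from the original post or the Samba project.
# Assumptions: smbd uses the PAM service "samba"; pam_tally.so takes
# onerr=/no_magic_root on the auth line and deny=/reset on the account
# line; faillog(8) from shadow-utils is installed.

# PAM service for smbd: count every failed pam_authenticate(), refuse the
# account once 3 failures have accumulated, clear the count on success.
pam_samba_service() {
    cat <<'EOF'
# /etc/pam.d/samba
auth     required   pam_tally.so onerr=fail no_magic_root
auth     required   pam_unix.so
account  required   pam_tally.so deny=3 no_magic_root reset
account  required   pam_unix.so
session  required   pam_unix.so
EOF
}

# smb.conf [global] lines for one of two modes:
#   pam-auth  : plain-text passwords; smbd hands the password to PAM, so the
#               auth line above runs and tallies each failure.  Windows
#               clients must then be told to send plain-text passwords
#               (Samba ships .reg files for that under docs/Registry).
#   encrypted : NT challenge/response checked against smbpasswd by smbd;
#               only PAM's account stage runs, so failures are not tallied
#               even though an already-locked user is still refused.
smb_global() {
    case $1 in
    pam-auth)  enc=no  ;;
    encrypted) enc=yes ;;
    *) echo "smb_global: mode must be pam-auth or encrypted" >&2; return 1 ;;
    esac
    cat <<EOF
[global]
   encrypt passwords = $enc
   obey pam restrictions = yes
EOF
}

# Write both files under a root directory: "/" on the real server, a
# scratch directory to preview.  Non-zero status if anything fails.
install_configs() {
    root=${1:-/}
    mode=${2:-pam-auth}
    mkdir -p "$root/etc/pam.d" "$root/etc/samba" || return 1
    pam_samba_service > "$root/etc/pam.d/samba" || return 1
    smb_global "$mode" > "$root/etc/samba/smb.conf" || return 1
}

# Inspect and clear the pam_tally counter for a user (faillog from shadow-utils).
show_tally()  { faillog -u "$1"; }
reset_tally() { faillog -r -u "$1"; }
```

Usage on the server: `install_configs / pam-auth` as root, restart smbd, make three connections from a client with a bad password, then `show_tally jim` should report the count and the fourth attempt is refused even with the right password; `reset_tally jim` unlocks. Running the same drill after `install_configs / encrypted` reproduces what the post describes: the count stays at zero no matter how many bad passwords are sent over SMB.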
