2011/1/14 Kevin Taylor <[email protected]>:
> I did give it a try with no luck. However, I'm not sure that the way the pam
> rules I have set out would cause that to trip anyway.
>
> On most of our linux machines, we'd have the system-auth looking like this
> (what is the default generated by system-config-authentication)
>
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_deny.so
>
> So, if the LDAP lookup of whatever authentication information fails, then the
> user will be denied. That's fine...but in practice, once the LDAP server
> locks out the account, samba still is able to read what it needs from the
> sambantpassword field, and thus approves the connection.
Sorry, auth section will not work with Samba, as described in smb.conf(5).

I put pam_deny.so into account section. For example, /etc/pam.d/common-account on my lenny box:

-----
account required pam_unix.so
account required pam_deny.so
-----

This means always FAIL at account section.

To check if an account is disabled is usually done at account section, I think.

---
TAKAHASHI Motonobu <[email protected]>

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
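As an added illustration for the exchange above (not code from either poster, and not a Samba or Linux-PAM tool), here is a small Python audit script that parses pam.d-style stacks and reports which restriction modules live only in the `auth` group. The point it makes is the one in the reply: with `encrypt passwords = yes` Samba never runs the PAM `auth` group, and with `obey pam restrictions = yes` it runs only `account` and `session` (smb.conf(5)), so a lockout or deny that exists only in `auth` is invisible to SMB logins. The two sample stacks are constructed from the configurations quoted in the thread; the function names and the audit heuristic (every `auth` module except `pam_env.so` is treated as a restriction worth mirroring in `account`) are this example's own assumptions.

```python
"""Audit a PAM stack and flag restrictions that exist only in the 'auth' group.

Added example for the samba-list thread; not the posters' code.  Background
(smb.conf(5)): with encrypt passwords = yes Samba never calls the PAM 'auth'
group, and with obey pam restrictions = yes it calls only 'account' and
'session'.  Anything enforced solely in 'auth' is therefore bypassed for SMB.
"""

from collections import defaultdict

# Constructed sample: the system-auth stack quoted in the first message.
SAMPLE_SYSTEM_AUTH = """\
auth     required   pam_env.so
auth     sufficient pam_unix.so nullok try_first_pass
auth     requisite  pam_succeed_if.so uid >= 500 quiet
auth     sufficient pam_ldap.so use_first_pass
auth     required   pam_deny.so
"""

# Constructed sample: the common-account stack from the reply.
SAMPLE_COMMON_ACCOUNT = """\
account required pam_unix.so
account required pam_deny.so
"""

# Modules that are not restrictions; the audit ignores them (assumption).
NON_RESTRICTION_MODULES = {"pam_env.so"}


def parse_pam(text):
    """Parse pam.d lines into {group: [(control, module, args_tuple), ...]}.

    Handles '#' comments, blank lines, backslash continuations, a leading
    '-' on the group (optional module) and bracketed controls such as
    '[success=1 default=ignore]'.  Malformed lines are skipped, as PAM does.
    """
    stacks = defaultdict(list)
    pending = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.endswith("\\"):          # continuation: join with next line
            pending += line[:-1] + " "
            continue
        fields = (pending + line).split()
        pending = ""
        if len(fields) < 3:
            continue
        group = fields[0].lstrip("-").lower()
        rest = fields[1:]
        if rest[0].startswith("["):      # bracketed control may contain spaces
            end = next((i for i, f in enumerate(rest) if f.endswith("]")), None)
            if end is None:
                continue
            control, rest = " ".join(rest[: end + 1]), rest[end + 1 :]
        else:
            control, rest = rest[0], rest[1:]
        if not rest:
            continue
        stacks[group].append((control, rest[0], tuple(rest[1:])))
    return dict(stacks)


def modules_in(stacks, group):
    """Module names in one management group, in stack order."""
    return [module for _, module, _ in stacks.get(group, [])]


def audit_for_samba(stacks):
    """Return human-readable findings about checks Samba would not evaluate."""
    findings = []
    account = modules_in(stacks, "account")
    if not account:
        findings.append("no 'account' lines: with obey pam restrictions = yes "
                        "Samba applies no PAM restriction at all")
    seen = set()
    for module in modules_in(stacks, "auth"):
        if module in NON_RESTRICTION_MODULES or module in seen:
            continue
        seen.add(module)
        if module not in account:
            findings.append(f"{module}: only in 'auth'; Samba never runs that "
                            "group, so the check is bypassed for SMB logins")
    return findings


if __name__ == "__main__":
    # Audit the first poster's stack alone, then together with the reply's
    # common-account stack (as if both files were included by one service).
    for label, text in (("system-auth only", SAMPLE_SYSTEM_AUTH),
                        ("system-auth + common-account",
                         SAMPLE_SYSTEM_AUTH + SAMPLE_COMMON_ACCOUNT)):
        print(f"== {label} ==")
        for finding in audit_for_samba(parse_pam(text)) or ["no findings"]:
            print(" -", finding)
```

Run against the first poster's stack alone, every auth module is reported and the missing account group is called out; with the reply's common-account lines added, `pam_unix.so` and `pam_deny.so` are satisfied and only `pam_succeed_if.so` and `pam_ldap.so` remain flagged, which shows why an LDAP-side lockout still needs an account-group check (or the unconditional deny the reply uses) before Samba will honour it.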
