I'm not making much progress over here. I agree with the pam_deny item you list 
below. Putting the pam_deny line in the account settings will definitely 
prevent me from letting the windows users authenticate. But the issue remains 
where if the account is locked through the LDAP server, whatever samba is 
looking for when it queries is enough to satisfy the pam_ldap module's account 
info.

Removing the pam_ldap line from the account section doesn't make a difference 
to the linux user logging in, but it won't let samba through... like you 
mention. 

We don't want to always fail the account, only when it's locked.

Is there something in ldap.conf that can be remapped to read this correctly?




> Date: Fri, 14 Jan 2011 03:56:29 +0900
> Subject: Re: [Samba] another question about account locking
> From: [email protected]
> To: [email protected]
> CC: [email protected]
> 
> 2011/1/14 Kevin Taylor <[email protected]>:
> 
> > I did give it a try with no luck. However, I'm not sure that the way the 
> > pam rules I have set out would cause that to trip anyway.
> >
> > On most of our linux machines, we'd have the system-auth looking like this 
> > (what is the default generated by system-config-authentication)
> >
> > auth        required      pam_env.so
> > auth        sufficient    pam_unix.so nullok try_first_pass
> > auth        requisite     pam_succeed_if.so uid >= 500 quiet
> > auth        sufficient    pam_ldap.so use_first_pass
> > auth        required      pam_deny.so
> >
> > So, if the LDAP lookup of whatever authentication information fails, then 
> > the user will be denied. That's fine...but in practice, once the LDAP 
> > server locks out the account, samba still is able to read what it needs 
> > from the sambantpassword field, and thus approves the connection.
> 
> Sorry, the auth section will not work with Samba, as described in smb.conf(5).
> I put pam_deny.so into account section. For example,
> /etc/pam.d/common-account on
> my lenny box:
> 
> -----
> account required        pam_unix.so
> account required       pam_deny.so
> -----
> 
> This means the account section always FAILS.
> 
> Checking whether an account is disabled is usually done in the account section, I 
> think.
> 
> ---
> TAKAHASHI Motonobu <[email protected]>
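How the control flags in the two stacks quoted above compose, as an added example (not code from the thread, Samba or Linux-PAM): a small evaluator with Linux-PAM's required/requisite/sufficient semantics, run over the thread's system-auth `auth` stack, the lenny `common-account` stack, and a hypothetical account stack (an assumption, not from the thread) that places pam_ldap as a sufficient gate in front of a required pam_deny. Module outcomes are constructed per scenario; no real module is called.

```python
# Added example: a small evaluator for PAM control flags (Linux-PAM semantics
# for required/requisite/sufficient). Module outcomes are constructed; no
# real pam_unix/pam_ldap/pam_deny module is called.
REQUIRED, REQUISITE, SUFFICIENT = "required", "requisite", "sufficient"

def run_stack(stack, outcomes):
    """Evaluate one PAM section; returns (granted, modules_consulted)."""
    required_failed, consulted = False, []
    for control, module in stack:
        ok = outcomes[module]
        consulted.append(module)
        if control == REQUIRED and not ok:
            required_failed = True      # recorded, rest of stack still runs
        elif control == REQUISITE and not ok:
            return False, consulted     # fail at once
        elif control == SUFFICIENT and ok and not required_failed:
            return True, consulted      # succeed at once, skip the rest
        # a failing 'sufficient' module is simply ignored
    return not required_failed, consulted

# The system-auth 'auth' stack quoted in the thread.
AUTH_STACK = [(REQUIRED, "pam_env.so"), (SUFFICIENT, "pam_unix.so"),
              (REQUISITE, "pam_succeed_if.so"),   # uid >= 500
              (SUFFICIENT, "pam_ldap.so"), (REQUIRED, "pam_deny.so")]

# The lenny common-account from the reply: a 'required' pam_deny means the
# section fails for every user, whatever pam_unix said.
ACCOUNT_ALWAYS_DENY = [(REQUIRED, "pam_unix.so"), (REQUIRED, "pam_deny.so")]

# Hypothetical account stack (assumption, not from the thread): pam_ldap as a
# 'sufficient' gate in front of a 'required' pam_deny. As the reply notes,
# Samba does not use the 'auth' stack, so this section is what decides.
ACCOUNT_LDAP_GATED = [(REQUIRED, "pam_unix.so"), (SUFFICIENT, "pam_ldap.so"),
                      (REQUIRED, "pam_deny.so")]

def auth_outcomes(ldap_ok):
    """LDAP-only user, uid >= 500: no local password, so pam_unix fails."""
    return {"pam_env.so": True, "pam_unix.so": False, "pam_succeed_if.so": True,
            "pam_ldap.so": ldap_ok, "pam_deny.so": False}

def account_outcomes(ldap_ok):
    """Account section: pam_unix has nothing to object to; pam_ldap decides."""
    return {"pam_unix.so": True, "pam_ldap.so": ldap_ok, "pam_deny.so": False}

if __name__ == "__main__":
    for name, stack, mk in [("auth", AUTH_STACK, auth_outcomes),
                            ("account/deny", ACCOUNT_ALWAYS_DENY, account_outcomes),
                            ("account/gated", ACCOUNT_LDAP_GATED, account_outcomes)]:
        for locked in (False, True):
            granted, seen = run_stack(stack, mk(not locked))
            print(f"{name:14} locked={locked!s:5} granted={granted!s:5} via {seen}")
```

The run shows why the lenny stack denies everyone while the gated stack denies only when pam_ldap's account check itself reports the lock, which is the remaining question in the thread.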
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba