Anyone?

> From: mlstarlin...@hotmail.com
> To: samba@lists.samba.org
> Date: Sun, 10 Jul 2011 08:18:52 -0400
> Subject: [Samba] Locking SAMBA accounts with LDAP backend
> 
> 
> 
> Hello. Is it possible to have SAMBA respect PAM so that when an LDAP account
> gets locked out the SAMBA account simultaneously gets locked out as well?
> All my Windows clients are either 2003 or 2008 servers and if I understand
> the blurbs below in the samba man page, the "encrypted password" directive
> must be set to yes in order for Windows machines to authenticate against
> SAMBA; however, if "encrypted passwords" is set to yes then SAMBA will ignore
> the directive "obey pam restrictions". Is there any way around this?
> 
> OS: RHEL 5.5 x64
> samba3x-3.5.4-0.70.el5_6.1
> openldap-2.3.43-12.el5_6.7
> 
> obey pam restrictions (G)
> 
>            When Samba 3.0 is configured to enable PAM support (i.e.
>            --with-pam), this parameter will control whether or not Samba
>            should obey PAM's account and session management directives.
>            The default behavior is to use PAM for clear text
>            authentication only and to ignore any account or session
>            management. Note that Samba always ignores PAM for
>            authentication in the case of encrypt passwords = yes. The
>            reason is that PAM modules cannot support the
>            challenge/response authentication mechanism needed in the
>            presence of SMB password encryption.
> 
> encrypt passwords (G)
> 
>            This boolean controls whether encrypted passwords will be
>            negotiated with the client. Note that Windows NT 4.0 SP3 and
>            above and also Windows 98 will by default expect encrypted
>            passwords unless a registry entry is changed. To use encrypted
>            passwords in Samba see the chapter "User Database" in the
>            Samba HOWTO Collection.
> 
>            MS Windows clients that expect Microsoft encrypted passwords
>            and that do not have plain text password support enabled will
>            be able to connect only to a Samba server that has encrypted
>            password support enabled and for which the user accounts have
>            a valid encrypted password. Refer to the smbpasswd command man
>            page for information regarding the creation of encrypted
>            passwords for user accounts.
> 
>            The use of plain text passwords is NOT advised as support for
>            this feature is no longer maintained in Microsoft Windows
>            products. If you want to use plain text passwords you must set
>            this parameter to no.
> 
>            In order for encrypted passwords to work correctly smbd(8)
>            must either have access to a local smbpasswd(5) file (see the
>            smbpasswd(8) program for information on how to set up and
>            maintain this file), or set the
>            security = [server|domain|ads] parameter which causes smbd to
>            authenticate against another server.
> 
> -Mike
> 
>            Default: encrypt passwords = yes
>                                         
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
                                          