> We are trying to have linux authenticate to linux server running samba
> 3.0. We have the XP Pro, 6.2 redhat, and 7.3 redhat machines. They all
> authenticate to the linux server but we are having problems with blank
> passwords or the user can type any password. We are using pam modules for
> the authentication on the client machines.
> I have included the config files for the server and the client (smb.conf).
> I have also included the pam_modules setup on the clients. We want all
> the username and passwords stored on the server. There will not be any
> users on the clients; their information will be pulled from the server.
> This includes telnet, ftp, and logins. We have got most of this working
> except for the blank passwords. We have configured this several different
> ways. This is our latest idea so this is what is in the lab right now.
>
> We have gotten that to work but we are having problems with null logins.
> In other words if I type a username and leave the password field blank I
> still can log in. If I put in a password of any kind I still can get in.
> Also we have changed so that the null logins are not accepted (at least
> we think) but if you attempted login repeatedly you can still get in by
> not typing a password or by typing any password. I am not sure if the
> samba PDC does cached logins; if so I am not aware of how to turn this off
> if this is the case. I am sending you my config file to see if you can tell
> me if I am going in the right direction and if not how can I correct the
> matter. This is a mixed environment so there are 6.2, 7.3 and windows xp
> pro machines in the setup. The information that I am sending you deals
> with the linux clients as redhat 6.2 with samba 2.2.8 and authenticating
> to redhat 7.3 with samba 3.0.0 on the server.
>
> I am not sure if the pam modules need to be upgraded for redhat 6.2 or if
> this is just totally impossible?
> I did not include the nsswitch.conf file but it is configured as follows
>
>
> passwd files winbind
> groups files winbind
> hosts files winbind
>
> The iptables and ipchains are turned off on the server and client.
>
>
>
> <<ftp.txt>> <<sshd.txt>> <<login.txt>> <<passwd.txt>> <<samba.txt>>
> <<smb.conf>> <<su.txt>> <<smb_server.conf>>
>
>
> Thanks
>
> Tameika Reed
>

#%PAM-1.0
auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
#this line was changed should be pam_pwdb
auth sufficient /lib/security/pam_winbind.so shadow
auth required /lib/security/pam_shells.so
#this line was changed should be pam_pwdb
account required /lib/security/pam_winbind.so
session required /lib/security/pam_pwdb.so

#%PAM-1.0
auth required /lib/security/pam_winbind.so shadow nodelay
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_winbind.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_winbind.so shadow use_authtok
session required /lib/security/pam_pwdb.so
session required /lib/security/pam_limits.so

#%PAM-1.0
#Requires logins to be from tty
#auth required /lib/security/pam_securetty.so
#Passes environment variables
#auth required /lib/security/pam_env.so
#A domain account is sufficient to bypass the rest of the
#auth lines
auth sufficient /lib/security/pam_winbind.so
#if the user doesn't have a domain account then check
#for local unix accounts (root, or unix-smb synced accounts)
auth sufficient /lib/security/pam_unix.so use_first_pass likeauth nullok
#If everything above fails, deny
#auth required /lib/security/pam_deny.so
#If the above auth lines fail, deny all logins
auth required /lib/security/pam_nologin.so
#Check domain account?
account sufficient /lib/security/pam_winbind.so
#account required /lib/security/pam_unix.so
#account required /lib/security/pam_deny.so
#password required /lib/security/pam_cracklib.so retry=3
#password sufficient /lib/security/pam_unix.so use_authtok md5 shadow
#password required /lib/security/pam_deny.so
#Set user limits to resources, ie. cpu, memory, processes, # of
#concurrent logins, etc.
#session required /lib/security/pam_limits.so
#session required /lib/security/pam_unix.so
#If the user doesn't have a home directory, then one will be made
#in /home/username
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional /lib/security/pam_console.so

#%PAM-1.0
auth required /lib/security/pam_winbind.so shadow
account required /lib/security/pam_winbind.so
password required /lib/security/pam_cracklib.so lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 retry=3
password required /lib/security/pam_unix.so use_authtok md5 shadow

auth required pam_winbind.so
account required pam_winbind.so
session required pam_mkhomedir.so skel=/etc/samba/skel umask=0022
password required pam_unix.so

#%PAM-1.0
auth required /lib/security/pam_listfile.so onerr=fail item=user sense=allow file=/etc/security/suok
auth required /lib/security/pam_wheel.so use_uid
auth required /lib/security/pam_pwdb.so shadow
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so shadow use_authtok
session required /lib/security/pam_pwdb.so
session optional /lib/security/pam_xauth.so
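
An added example, not part of the original message or of Samba/PAM itself: a small audit that evaluates the auth control flags of two of the PAM files above and reports whether the stack still succeeds when every password check fails. It assumes that pam_winbind, pam_unix and pam_pwdb are the password-checking modules and that the remaining modules (pam_nologin and so on) return success for an ordinary user; the function names are hypothetical.

```python
import os

# Assumption: these modules verify a password; pam_deny always fails; every
# other module is treated as succeeding for an ordinary user.
PASSWORD_MODULES = {"pam_winbind", "pam_unix", "pam_pwdb"}

def parse_auth_stack(text):
    """Return [(control, module)] for the active auth lines of a service file."""
    stack = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments
        if len(fields) >= 3 and fields[0] == "auth":
            module = os.path.basename(fields[2])
            stack.append((fields[1], module[:-3] if module.endswith(".so") else module))
    return stack

def stack_result(stack, password_ok):
    """Evaluate the classic control flags; True means the auth stack succeeds."""
    failed = succeeded = False      # state of required/requisite modules so far
    for control, module in stack:
        ok = password_ok if module in PASSWORD_MODULES else module != "pam_deny"
        if control == "sufficient":
            if ok and not failed:
                return True         # success ends the stack early
            continue                # failure of a sufficient module is ignored
        if control in ("required", "requisite"):
            if ok:
                succeeded = True
            else:
                failed = True
                if control == "requisite":
                    return False
    return succeeded and not failed

def accepts_any_password(text):
    """True if the stack still succeeds when every password check fails."""
    return stack_result(parse_auth_stack(text), password_ok=False)

# Auth lines copied from the file above that has two "sufficient" entries.
LOGIN = """auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so use_first_pass likeauth nullok
#auth required /lib/security/pam_deny.so
auth required /lib/security/pam_nologin.so
"""
# Auth lines copied from the file above whose auth entries are all "required".
SSHD = """auth required /lib/security/pam_winbind.so shadow nodelay
auth required /lib/security/pam_nologin.so
"""
print("two-sufficient stack accepts any password:", accepts_any_password(LOGIN))
print("all-required stack accepts any password:", accepts_any_password(SSHD))
```

In the first stack the only module that can fail the login is commented out, so a failed pam_winbind and pam_unix are both ignored and pam_nologin alone decides the result; re-enabling the `pam_deny` line makes the same audit return False.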
