Hi All,

I haven't heard a response back to my previous posts, so I am now trying from a "broader" topic.

What I have is the following:
A 2 Form Factor Token Authentication system similar to RSA SecurID
A Linux SAMBA 3.0.14a-Debian

I've got the two systems authenticating against each other with RADIUS via PAM support. When I tell SAMBA to use this PAM support as well, I see the following happen:

======

With a known bad password
08:17:17.406519 IP 192.168.0.200.2582 > crypto.radius: RADIUS, Access Request (1), id: 0x2f length: 90
08:17:19.478763 IP crypto.radius > 192.168.0.200.2582: RADIUS, Access Reject (3), id: 0x2f length: 20

fileserver:~# smbclient -U rhandorf -L \\\\localhost
Password:
session setup failed: NT_STATUS_LOGON_FAILURE

======

With the secured Token password:

08:18:57.581672 IP 192.168.0.200.2584 > crypto..radius: RADIUS, Access Request (1), id: 0xb3 length: 90
08:18:58.491265 IP crypto.radius > 192.168.0.200.2584: RADIUS, Access Accept (2), id: 0xb3 length: 20
08:18:58.531395 IP 192.168.0.200.2585 > crypto.radius: RADIUS, Access Request (1), id: 0x99 length: 90
08:18:59.108133 IP crypto.radius > 192.168.0.200.2585: RADIUS, Access Reject (3), id: 0x99 length: 20

fileserver:~# smbclient -U rhandorf -L \\\\localhost
Password:
Domain=[<snip>] OS=[Unix] Server=[Samba 3.0.14a-Debian]

       Sharename       Type      Comment
       ---------       ----      -------
       netlogon        Disk      Network Logon Service
       public          Disk
       IPC$            IPC       IPC Service (samba file services)
       ADMIN$          IPC       IPC Service (samba file services)
       rhandorf        Disk      Home directory of rhandorf
session setup failed: NT_STATUS_LOGON_FAILURE
NetBIOS over TCP disabled -- no workgroup available

======

So, why does it auth twice? Why doesn't SAMBA keep the first auth session as a success, and of course fail on the second when my token has changed?

Attached is the smb.conf file - does anyone have some ideas?

Thanks,
r

[global]
       workgroup = <snip>
       server string = samba file services
       netbios name = Fileserver
       log file = /var/log/samba/%m.log
       max log size = 50
       socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
       preferred master = True
       local master = Yes
       domain master = True
       dns proxy = yes
       remote announce = 192.168.0.255
       os level = 40
       ;domain logons = yes
       ;logon script = logon.bat
       ;logon home = \\%G\%U\.profile
       name resolve order = wins lmhosts bcast
       wins proxy = yes
       ;preserve case = yes
       ;short preserve case = yes
       wins support= yes
       security = user
       #must be set to 'no' to use PAM
       encrypt passwords = No
       update encrypted = No
       allow trusted domains = Yes
       #min password length = 6
       null passwords = No
[homes]
       comments = Home Dir
       browsable = no
       writable = yes
       hide dot files = yes
[netlogon]
       comment = Network Logon Service
       path = /home/netlogon
       guest ok = yes
       writable = no
       share modes = no
       write list = domain_admin
[Profiles]
       path = /%G/%U/.profile
       browseable = no
       guest ok = yes
[public]
       path = /samba/public
       valid users = users
       force group = users
       writeable = Yes
       guest ok = No
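
An added example, not part of the original post: a small Python parser for tcpdump RADIUS lines in the format shown above. It pairs each Access Request with its reply and reports logins where an Accept is followed by a further request from the same host. The function names and the 5-second grouping window are assumptions made for this illustration.

```python
import re

# Lines copied from the token-password capture in the post.
CAPTURE = """\
08:18:57.581672 IP 192.168.0.200.2584 > crypto..radius: RADIUS, Access Request (1), id: 0xb3 length: 90
08:18:58.491265 IP crypto.radius > 192.168.0.200.2584: RADIUS, Access Accept (2), id: 0xb3 length: 20
08:18:58.531395 IP 192.168.0.200.2585 > crypto.radius: RADIUS, Access Request (1), id: 0x99 length: 90
08:18:59.108133 IP crypto.radius > 192.168.0.200.2585: RADIUS, Access Reject (3), id: 0x99 length: 20
"""

LINE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"RADIUS, Access (?P<kind>Request|Accept|Reject|Challenge) \(\d+\), id: (?P<id>0x[0-9a-f]+)"
)

def parse(capture):
    """Pair each Access Request with its reply, keyed on (client ip.port, RADIUS id)."""
    pending, exchanges = {}, []
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a RADIUS access line
        t = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
        if m["kind"] == "Request":
            pending[(m["src"], m["id"])] = t
        elif (m["dst"], m["id"]) in pending:
            start = pending.pop((m["dst"], m["id"]))
            host = m["dst"].rsplit(".", 1)[0]  # drop the ephemeral source port
            exchanges.append({"host": host, "id": m["id"], "start": start,
                              "end": t, "result": m["kind"]})
    return exchanges  # requests that never got a reply are left out

def group_attempts(exchanges, window=5.0):
    """Group exchanges from one host that start within `window` s of the previous reply."""
    groups = []
    for ex in sorted(exchanges, key=lambda e: e["start"]):
        last = groups[-1][-1] if groups else None
        if last and last["host"] == ex["host"] and ex["start"] - last["end"] <= window:
            groups[-1].append(ex)
        else:
            groups.append([ex])
    return groups

def repeated_after_accept(groups):
    """Result sequences for logins where an Accept was followed by another request."""
    return [[e["result"] for e in g] for g in groups
            if any(e["result"] == "Accept" for e in g[:-1])]

if __name__ == "__main__":
    print(repeated_after_accept(group_attempts(parse(CAPTURE))))
```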
