Old 12-19-2008, 09:34 AM   #1
Get pam time restrictions working for linux samba domain login.

Hi, I am running Ubuntu 8.10 and I have a working Samba LDAP PDC.
I now want to use PAM to restrict the times when my son can log on to the domain. If I have password encryption set to yes I can join the domain fine. I have tried to set it up many times, but I always get access denied when I try to join the domain from XP and Vista if password encryption is set to no so that PAM auth will work. Can anyone help me?

# Sample configuration file for the Samba suite for Debian GNU/Linux.
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which
# are not shown in this example
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentary and a ; for parts of the config file that you
# may wish to enable
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic
# errors.

#======================= Global Settings =======================

passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
obey pam restrictions = yes
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
passwd program = /usr/bin/passwd %u
dns proxy = no
ldap passwd sync = yes
unix passwd sync = yes
pam passwd sync = yes
logon script = allusers.bat
workgroup = CSGROTON
os level = 20
ldap admin dn = cn=admin,dc=csgroton,dc=local
security = user
add machine script = /usr/sbin/smbldap-useradd -w "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
max log size = 1000
log file = /var/log/samba/log.%m
ldap user suffix = ou=Users
add group script = /usr/sbin/smbldap-groupadd -p "%g"
socket options = TCP_NODELAY
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
username map = /etc/samba/smbusers
encrypt passwords = no
passdb backend = ldapsam:ldap://localhost/

wins support = true
ldap delete dn = Yes
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap suffix = dc=csgroton, dc=local
logon path =
add user script = /usr/sbin/smbldap-useradd -m "%u"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
syslog = 0
ldap idmap suffix = ou=Users
panic action = /usr/share/samba/panic-action %d
domain logons = yes

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of

# server string is the equivalent of the NT Description field

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
; wins support = no

# WINS Server - Tells the NMBD components of Samba to be a WINS Client

pam login (/etc/pam.d/login; the module names, dropped in the forum rendering, are restored from the line comments):

# display the file /etc/issue before login
auth       required   pam_issue.so
# only allow root login from ttys listed in /etc/securetty
auth       requisite  pam_securetty.so
# only allow root login if /etc/nologin exists
auth       requisite  pam_nologin.so
# include other auth methods common to all services
@include common-auth
# grant additional group access beyond /etc/group
auth       optional   pam_group.so
# only allow logins during time configured in /etc/security/time.conf
account    requisite  pam_time.so
# only allow logins to certain users from certain hosts or ttys
account    required   pam_access.so
# include other account methods common to all services
@include common-account
# set limits on system resource usage (memory, files, CPU time)
session    required   pam_limits.so
# display the last login time
session    optional   pam_lastlog.so
# display the message of the day (/etc/motd)
session    optional   pam_motd.so
# display a message if mail is waiting
session    optional   pam_mail.so standard
# set the selinux security context
session    required   pam_selinux.so multiple
# include other session methods common to all services
@include common-session
# include password-change methods common to all services
@include common-password
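An added check, written for this page and not code from either poster, that parses the [global] section of an smb.conf laid out like the one above and reports on the two parameters this thread hinges on. The security-relevant point: "encrypt passwords = no" puts clear-text passwords on the wire, and XP and Vista refuse clear-text authentication by default, which is exactly an access-denied join; "obey pam restrictions = yes", on the other hand, makes smbd run PAM's account and session stages (where pam_time sits) regardless of how the password was checked, so encryption can stay on. The sample smb.conf text is constructed.

```python
"""
smbconf_pam_check.py - find the smb.conf combination that breaks domain joins
when PAM time restrictions are wanted.  Added example, not from the thread.
"""
import re

# Constructed sample modelled on the thread's global section (not the OP's file).
SAMPLE_SMB_CONF = """\
# constructed sample
[global]
   workgroup = EXAMPLE
   security = user
   domain logons = yes
   passdb backend = ldapsam:ldap://localhost/
   obey pam restrictions = yes
   encrypt passwords = no
"""


def _norm(key):
    """Samba ignores case and internal whitespace in parameter names."""
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text):
    """Return {section: {normalised_key: value}}; '#' and ';' start comment lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][_norm(key)] = value.strip()
    return sections


def _bool_param(value, default):
    """Samba boolean: yes/true/1 vs no/false/0; None means 'use the default'."""
    if value is None:
        return default
    return value.strip().lower() in ("yes", "true", "1")


def check_pam_time_ready(sections):
    """Findings that stop pam_time-style restrictions from working cleanly."""
    g = sections.get("global", {})
    encrypt = _bool_param(g.get("encryptpasswords"), True)    # Samba default: yes
    obey = _bool_param(g.get("obeypamrestrictions"), False)   # Samba default: no
    findings = []
    if not encrypt:
        findings.append("encrypt passwords = no: clear-text passwords on the wire; "
                        "XP/Vista refuse this by default, so the join is denied")
    if not obey:
        findings.append("obey pam restrictions = no: smbd skips PAM account/session "
                        "stages, so pam_time is never consulted")
    return findings


def set_global_param(text, key, value):
    """Return the config text with one [global] parameter replaced or appended."""
    out, done, in_global = [], False, False
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("[") and s.endswith("]"):
            if in_global and not done:
                out.append(f"   {key} = {value}")
                done = True
            in_global = s[1:-1].strip().lower() == "global"
        elif in_global and "=" in s and not s.startswith(("#", ";")):
            if _norm(s.split("=", 1)[0]) == _norm(key):
                out.append(f"   {key} = {value}")
                done = True
                continue
        out.append(raw)
    if not done:
        if not in_global:
            out.append("[global]")
        out.append(f"   {key} = {value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in check_pam_time_ready(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("FINDING:", finding)
    fixed = set_global_param(SAMPLE_SMB_CONF, "encrypt passwords", "yes")
    print("after fix:", check_pam_time_ready(parse_smb_conf(fixed)) or "no findings")
```

Run it against a real file with `parse_smb_conf(open("/etc/samba/smb.conf").read())`; `testparm -s` output is also accepted, since it prints the same key = value layout.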
Old 12-20-2008, 03:40 AM   #2
I can honestly tell you that I do not know the root cause of your problem.

The positive, however, is I can tell you that you can achieve what you want. Exactly how to get there from your current position is a different matter.

Let me explain.

For some reason, your question piqued my interest, and a good old web search didn't tell me a lot. The only references I could find that seemed useful were, for example

So, what I decided to do was to take a working PDC setup I have here at home, and the only change I made was to add

obey pam restrictions = yes

to smb.conf.

I then added a line to /etc/security/time.conf to restrict one of the users to weekdays only.

I then added the restriction to system-auth (commented out below)
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# (module names, dropped in the forum rendering, restored; this is the stock Fedora system-auth layout)
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
#account    requisite     pam_time.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
With it uncommented, the user cannot log on to the domain. With it commented out, they are back in.

So my suggestion would be to comment out "obey pam restrictions = yes" in your smb.conf and get your controller working. Then try uncommenting it again.

Note that I was connecting from XP.

Here is the general portion of my smb.conf.
        security = user
        passdb backend = tdbsam

        domain master = yes
        domain logons = yes

        # the login script name depends on the machine name
        # the login script name depends on the unix user used
        logon script = %U.bat
        logon path = \\%L\Profiles\%U
        # disables profiles support by specifying an empty path

        add user script = /usr/sbin/useradd "%u" -n -g users
        add group script = /usr/sbin/groupadd "%g"
        add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
        delete user script = /usr/sbin/userdel "%u"
        delete user from group script = /usr/sbin/userdel "%u" "%g"
        delete group script = /usr/sbin/groupdel "%g"
        obey pam restrictions = yes
        null passwords = yes
        logon drive = l:
        logon home = \\%L\home
        os level = 35

        wins support = yes
Hopefully this helps you somewhat
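The post above restricts a user through /etc/security/time.conf and shows that smbd honours the result once "obey pam restrictions" is on. Because a wrong rule locks people out with nothing more than "access denied", it helps to dry-run the rule first. The evaluator below is an added example written for this page, not code from the poster or from Linux-PAM: it models the documented time.conf rule shape services;ttys;users;times with "*" wildcards, "!" negation, "|"/"&" logic, the day codes Mo..Su, Wk, Wd and Al, and HHMM-HHMM ranges, and applies pam_time's rule that access is allowed unless some line matching the service, tty and user fails on time. The sample rules are constructed; "samba" as the PAM service name is what smbd uses through /etc/pam.d/samba on Debian/Ubuntu. Two simplifications are assumptions: "&" is not supported inside the times field, and a range that wraps midnight is taken to mean "on a selected day, at or after the start or before the end".

```python
"""
time_conf_check.py - dry-run evaluator for /etc/security/time.conf rules.
Added example, not from the thread; pam_time itself remains the reference.
"""
import re
from datetime import datetime

DAYS = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]          # datetime.weekday(): Mo = 0
DAY_GROUPS = {"Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6}, "Al": set(range(7))}

# Constructed sample rules (not the poster's file): the son may use the domain
# on weekday evenings and weekend daytime; console logins for everyone but
# root are limited to 07:00-23:00.
SAMPLE_TIME_CONF = """\
# services;ttys;users;times
samba;*;son;Wk1600-2100|Wd0900-2100
login;*;!root;Al0700-2300
"""


def _match_item(item, value):
    """One token of a services/ttys/users list: '*' or a literal, optionally '!'-negated."""
    negate = item.startswith("!")
    if negate:
        item = item[1:]
    hit = item == "*" or item == value
    return not hit if negate else hit


def _logic_field(field, value):
    """Evaluate an 'a|b&!c' list left to right."""
    tokens = re.split(r"([|&])", field.strip())
    result = _match_item(tokens[0], value)
    for op, tok in zip(tokens[1::2], tokens[2::2]):
        rhs = _match_item(tok, value)
        result = (result or rhs) if op == "|" else (result and rhs)
    return result


def _match_times(field, when):
    """Times field: '|'-separated items, each [!]DayCodesHHMM-HHMM; any hit wins."""
    minute_of_day = when.hour * 60 + when.minute
    for item in field.strip().split("|"):
        negate = item.startswith("!")
        if negate:
            item = item[1:]
        m = re.fullmatch(r"((?:[A-Z][a-z])+)(\d{2})(\d{2})-(\d{2})(\d{2})", item)
        if not m:
            raise ValueError(f"cannot parse time item {item!r}")
        days = set()
        codes = m.group(1)
        for i in range(0, len(codes), 2):
            code = codes[i:i + 2]
            if code in DAY_GROUPS:
                days |= DAY_GROUPS[code]
            elif code in DAYS:
                days.add(DAYS.index(code))
            else:
                raise ValueError(f"unknown day code {code!r} in {item!r}")
        start = int(m.group(2)) * 60 + int(m.group(3))
        end = int(m.group(4)) * 60 + int(m.group(5))
        if start <= end:
            in_range = start <= minute_of_day < end
        else:  # wraps past midnight (assumption: same selected day, either side of midnight)
            in_range = minute_of_day >= start or minute_of_day < end
        hit = when.weekday() in days and in_range
        if negate:
            hit = not hit
        if hit:
            return True
    return False


def parse_rules(text):
    """Parse time.conf text into (services, ttys, users, times) tuples; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(";")]
        if len(parts) != 4:
            raise ValueError(f"expected 4 ';'-separated fields: {raw!r}")
        rules.append(tuple(parts))
    return rules


def is_allowed(rules, service, tty, user, when):
    """pam_time semantics: allowed unless a rule whose services/ttys/users all
    match has a times field that does not match.  'when' may be an ISO string."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    for services, ttys, users, times in rules:
        if (_logic_field(services, service) and _logic_field(ttys, tty)
                and _logic_field(users, user)):
            if not _match_times(times, when):
                return False
    return True


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_TIME_CONF)
    # tty is irrelevant to these '*' rules, so a fixed placeholder is passed
    for svc, user, ts in [("samba", "son", "2009-01-06T18:00"),   # Tuesday evening
                          ("samba", "son", "2009-01-06T22:00"),
                          ("samba", "son", "2009-01-10T10:00"),   # Saturday morning
                          ("samba", "dad", "2009-01-06T22:00"),   # no rule matches
                          ("login", "son", "2009-01-07T03:00"),
                          ("login", "root", "2009-01-07T03:00")]:
        verdict = "allow" if is_allowed(rules, svc, "tty1", user, ts) else "DENY"
        print(f"{svc:6} {user:5} {ts}  ->  {verdict}")
```

Feed it the real file with `parse_rules(open("/etc/security/time.conf").read())` and the service name the PAM stack actually uses (`samba` for smbd, `login` for the console) to see who is shut out and when before the rule goes live.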

