Hi I am running ubuntu 8.10 I have a working samba ldap pdc
I now want to use pam to restrict the times when my son can logon to the domain. if I have password encryption yes I can join the domain fine. I have tried to set it up many times but I always get access denied when I try to Joing the domain from xp and vista if password encryption is set to no so pam auth will work. Can anyone help me.

#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which
# are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentary and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic
# errors.
#

#======================= Global Settings =======================

[global]
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:
* %n\n *password\supdated\ssuccessfully* .
obey pam restrictions = yes
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
passwd program = /usr/bin/passwd %u
dns proxy = no
ldap passwd sync = yes
unix passwd sync = yes
pam passwd sync = yes
logon script = allusers.bat
workgroup = CSGROTON
os level = 20
ldap admin dn = cn=admin,dc=csgroton,dc=local
security = user
add machine script = /usr/sbin/smbldap-useradd -w "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
max log size = 1000
log file = /var/log/samba/log.%m
ldap user suffix = ou=Users
add group script = /usr/sbin/smbldap-groupadd -p "%g"
socket options = TCP_NODELAY
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
username map = /etc/samba/smbusers
encrypt passwords = no
passdb backend = ldapsam:ldap://localhost/

wins support = true
ldap delete dn = Yes
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap suffix = dc=csgroton, dc=local
logon path =
add user script = /usr/sbin/smbldap-useradd -m "%u"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
syslog = 0
ldap idmap suffix = ou=Users
panic action = /usr/share/samba/panic-action %d
domain logons = yes

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of

# server string is the equivalent of the NT Description field

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
; wins support = no

# WINS Server - Tells the NMBD components of Samba to be a WINS Client

pam login

#display the file /etc/issue before login
auth required pam_issue.so
# only allow root login from ttys listed in /etc/securetty
auth requisite pam_securetty.so
# only allow root login if /etc/nologin exists
auth requisite pam_nologin.so
# include other auth methods common to all services
@include common-auth
# grant additional group access beyond /etc/group
auth optional pam_group.so
# only allow logins during time configured in /etc/security/time.conf
account requisite pam_time.so
# only allow logins to certain users from certain hosts or ttys
account required pam_access.so
# include other account methods common to all services
@include common-account
# set limits on system resource usage (memory, files, CPU time)
session required pam_limits.so
# display the last login time
session optional pam_lastlog.so
# display the message of the day (/etc/motd
session optional pam_motd.so
# display a message if mail is waiting
session optional pam_mail.so standard
# set the selinux security context
session required pam_selinux.so multiple
# include other session methods common to all services
@include common-session
# include password-change methods common to all services
@include common-password

I can honestly tell you that I do not know the root cause of your problem.

The positive however, is I can tell you that you can achieve what you want. Exactly how to get there from you current position is a different matter.

Let me explain.

For some reason, you question piqued my interest, and a good old web search didn't tell me a lot. The only references I could find that seemed useful ere, for example http://readlist.com/lists/lists.samb...a/4/23596.html

So, what I decided to do was to take a working PDC setup I have here at home, and the only change I made was to add

obey pam restrictions = yes

to smb.conf.

I then added a line to /etc/security/time.conf to restrict one of the users to weekdays only.

I then added the restriction to system-auth (commented out below)
With the pam_time.so uncommented, the user cannot log on to the domain. With it commented out, they are back in.

So my suggestion would be to comment out "obey pam restrictions = yes" in your smb.conf and get your controller working. Then try uncommenting it again.

Note that I was connecting from XP.

Here is the general portion of my smb.conf.
Hopefully this helps you somewhat