LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices



Reply
 
Search this Thread
Old 12-19-2008, 10:34 AM   #1
v2ueha6
LQ Newbie
 
Registered: Dec 2008
Posts: 1

Rep: Reputation: 0
Get pam time restrictions working for linux samba domain login.


Hi I am running ubuntu 8.10 I have a working samba ldap pdc
I now want to use pam to restrict the times when my son can logon to the domain. if I have password encryption yes I can join the domain fine. I have tried to set it up many times but I always get access denied when I try to Joing the domain from xp and vista if password encryption is set to no so pam auth will work. Can anyone help me.

#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which
# are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentary and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic
# errors.
#

#======================= Global Settings =======================

[global]
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:
* %n\n *password\supdated\ssuccessfully* .
obey pam restrictions = yes
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
passwd program = /usr/bin/passwd %u
dns proxy = no
ldap passwd sync = yes
unix passwd sync = yes
pam passwd sync = yes
logon script = allusers.bat
workgroup = CSGROTON
os level = 20
ldap admin dn = cn=admin,dc=csgroton,dc=local
security = user
add machine script = /usr/sbin/smbldap-useradd -w "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
max log size = 1000
log file = /var/log/samba/log.%m
ldap user suffix = ou=Users
add group script = /usr/sbin/smbldap-groupadd -p "%g"
socket options = TCP_NODELAY
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
username map = /etc/samba/smbusers
encrypt passwords = no
passdb backend = ldapsam:ldap://localhost/

wins support = true
ldap delete dn = Yes
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap suffix = dc=csgroton, dc=local
logon path =
add user script = /usr/sbin/smbldap-useradd -m "%u"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
syslog = 0
ldap idmap suffix = ou=Users
panic action = /usr/share/samba/panic-action %d
domain logons = yes

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of

# server string is the equivalent of the NT Description field

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
; wins support = no

# WINS Server - Tells the NMBD components of Samba to be a WINS Client

pam login

#display the file /etc/issue before login
auth required pam_issue.so
# only allow root login from ttys listed in /etc/securetty
auth requisite pam_securetty.so
# only allow root login if /etc/nologin exists
auth requisite pam_nologin.so
# include other auth methods common to all services
@include common-auth
# grant additional group access beyond /etc/group
auth optional pam_group.so
# only allow logins during time configured in /etc/security/time.conf
account requisite pam_time.so
# only allow logins to certain users from certain hosts or ttys
account required pam_access.so
# include other account methods common to all services
@include common-account
# set limits on system resource usage (memory, files, CPU time)
session required pam_limits.so
# display the last login time
session optional pam_lastlog.so
# display the message of the day (/etc/motd
session optional pam_motd.so
# display a message if mail is waiting
session optional pam_mail.so standard
# set the selinux security context
session required pam_selinux.so multiple
# include other session methods common to all services
@include common-session
# include password-change methods common to all services
@include common-password
 
Old 12-20-2008, 04:40 AM   #2
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122Reputation: 122
I can honestly tell you that I do not know the root cause of your problem.

The positive however, is I can tell you that you can achieve what you want. Exactly how to get there from you current position is a different matter.

Let me explain.

For some reason, you question piqued my interest, and a good old web search didn't tell me a lot. The only references I could find that seemed useful ere, for example http://readlist.com/lists/lists.samb...a/4/23596.html

So, what I decided to do was to take a working PDC setup I have here at home, and the only change I made was to add

obey pam restrictions = yes

to smb.conf.

I then added a line to /etc/security/time.conf to restrict one of the users to weekdays only.

I then added the restriction to system-auth (commented out below)
Code:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
#account requisite pam_time.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
With the pam_time.so uncommented, the user cannot log on to the domain. With it commented out, they are back in.

So my suggestion would be to comment out "obey pam restrictions = yes" in your smb.conf and get your controller working. Then try uncommenting it again.

Note that I was connecting from XP.

Here is the general portion of my smb.conf.
Code:
        security = user
        passdb backend = tdbsam

        domain master = yes
        domain logons = yes

        # the login script name depends on the machine name
        # the login script name depends on the unix user used
        logon script = %U.bat
        logon path = \\%L\Profiles\%U
        # disables profiles support by specifing an empty path

        add user script = /usr/sbin/useradd "%u" -n -g users
        add group script = /usr/sbin/groupadd "%g"
        add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
        delete user script = /usr/sbin/userdel "%u"
        delete user from group script = /usr/sbin/userdel "%u" "%g"
        delete group script = /usr/sbin/groupdel "%g"
        obey pam restrictions = yes
        null passwords = yes
        logon drive = l:
        logon home = \\%L\home
        os level = 35

        wins support = yes
Hopefully this helps you somewhat
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Getting pam working with samba (with active directory authentication) kcorupe Linux - Server 3 05-02-2008 11:04 AM
XP clients won't login to samba domain beaker15 Linux - Server 3 02-22-2008 11:48 PM
Time restrictions on Linux. cayuga Linux - Software 1 11-11-2007 06:28 PM
Samba - XP domain login problem Sutekh Linux - Networking 5 05-31-2004 12:14 PM
Samba Domain Login ..Tookers.. Linux - Networking 6 12-10-2002 04:12 PM


All times are GMT -5. The time now is 11:48 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration