07-31-2008, 09:55 AM   #1
rockfx01

PAM Active Directory user authentication for Samba shares in RHEL 4


I'm having trouble getting user authentication working for Samba shares in RHEL 4.

Basically the way it is set up is as follows:
We have a RHEL 4 server which authenticates users against an Active Directory controller via LDAP/Winbind. The AD server is running W2k3 Server R2 with Microsoft Identity Management for Unix installed. I can getent group/passwd and see the AD users. wbinfo works as well.

The problem we are having is that when we share folders from the RHEL 4 server via samba, it does not authenticate users properly. We have a RHEL 5 server set up exactly the same way and it works just fine. I have narrowed the problem down to the Samba pam module but I don't understand why it works in RHEL 5 and not 4.

Here is the /etc/pam.d/samba file:
Code:
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 10000 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 10000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nis nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_mkhomedir.so skel=/etc/skel umask=0022 quiet
session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_krb5.so

If I change "account ... pam_unix.so ..." to 'sufficient' instead of 'required' or remove the line completely, users can connect to the server, but permissions for the shares are definitely not working properly.

In the samba log file for the client computer, I get the following message when pam_unix is required for account:
Code:
[2008/07/31 15:48:40, 2] smbd/sesssetup.c:setup_new_vc_session(1200)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2008/07/31 15:48:40, 2] auth/pampass.c:smb_pam_account(560)
  smb_pam_account: PAM: There was an authentication error for user joe
[2008/07/31 15:48:40, 2] auth/pampass.c:smb_pam_error_handler(73)
  smb_pam_error_handler: PAM: Account Check Failed : Authentication failure
[2008/07/31 15:48:40, 0] auth/pampass.c:smb_pam_accountcheck(780)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User joe!
[2008/07/31 15:48:40, 1] smbd/sesssetup.c:reply_spnego_kerberos(416)
  PAM account restriction prevents user login

Any suggestions on what I'm doing wrong?

Thanks,
-rockfx01
 
11-27-2008, 10:41 AM   #2
nosedrum

Hi,

I have exactly the same problem...
If you have some news, please up the thread!

Thx
 
11-27-2008, 03:24 PM   #3
sleepy0110

I would suggest adding:
auth sufficient pam_winbind.so
account sufficient pam_winbind.so
 
12-02-2008, 01:02 PM   #4
rockfx01

It's been a long time since then...

In my Samba PAM file, the session section is slightly different in my current working file (everything else for the auth, account, and password entries is the same).

Try this and if it doesn't work, post your smb.conf, ldap.conf, krb5.conf and nsswitch.conf files because the problem is somewhere in there. Unfortunately I don't recall how exactly I solved my original problem.

Code:
session     optional      pam_keyinit.so revoke
session     required      pam_mkhomedir.so skel=/etc/skel umask=0022 quiet
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so

Let me know if you solve it.
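
Added example, not part of any post in this thread: a small Python evaluator for the control rules documented in pam.conf(5), run over the account stack from post #1 to show how one failing `required` line decides the result whatever the later lines return. The per-module results for user joe and the two placements of the `pam_winbind.so` line (the thread does not say where it goes) are assumptions, and the `reset` action is not modelled.

```python
# Added example: walks a pam.d stack using the control rules documented in pam.conf(5).
import re
SHORTHAND = {  # keyword controls written out in their bracket form
    "required":   "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite":  "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional":   "success=ok new_authtok_reqd=ok default=ignore",
}
LINE = re.compile(r"\S+\s+(?:\[([^\]]*)\]|(\S+))\s+(\S+)")  # type, control, module
ACCOUNT = """\
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 10000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so
"""
WINBIND = "account sufficient pam_winbind.so\n"
# Constructed assumption: module results for AD user joe (uid >= 10000, not in /etc/passwd).
JOE = {"pam_unix.so": "auth_err", "pam_localuser.so": "perm_denied",
       "pam_succeed_if.so": "auth_err", "pam_krb5.so": "success",
       "pam_permit.so": "success", "pam_winbind.so": "success"}

def parse_stack(text):
    rows = (LINE.match(l).groups() for l in text.splitlines() if l.strip())
    return [(dict(p.split("=") for p in (b or SHORTHAND[k]).split()), m) for b, k, m in rows]

def evaluate(text, results=JOE):
    impression, status = "undef", "perm_denied"    # fails unless a module decides
    stack = iter(parse_stack(text))
    for actions, module in stack:
        ret = results[module]
        action = actions.get(ret, actions.get("default", "bad"))
        can_improve = impression == "undef" or (impression, status) == ("positive", "success")
        if action in ("ok", "done") and can_improve:
            impression, status = "positive", ret
        elif action in ("bad", "die") and impression != "negative":
            impression, status = "negative", ret   # the first failure is the one reported
        elif action.isdigit():                     # [value=N]: jump over the next N modules
            for _ in range(int(action)):
                next(stack, None)
        if action == "die" or (action == "done" and impression == "positive"):
            break                                  # "ignore" falls through unchanged
    return status

if __name__ == "__main__":
    print("as posted:          ", evaluate(ACCOUNT))
    print("pam_unix sufficient:", evaluate(ACCOUNT.replace("required", "sufficient", 1)))
    print("winbind appended:   ", evaluate(ACCOUNT + WINBIND))
    print("winbind first:      ", evaluate(WINBIND + ACCOUNT))
```

Under these assumptions the posted stack returns auth_err, and a `sufficient` line appended after the failing `required` module does not change that. A `sufficient` line that succeeds at the top of the stack ends evaluation immediately, so none of the later account checks run for that user.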
 
  

