I'm having trouble getting user authentication working for Samba shares in RHEL 4.
Basically the way it is set up is as follows:
We have a RHEL 4 server which authenticates users against an Active Directory controller via LDAP/Winbind. The AD server is running W2k3 Server R2 with Microsoft Identity Management for Unix installed. I can getent group/passwd and see the AD users. wbinfo works as well.
The problem we are having is that when we share folders from the RHEL 4 server via samba, it does not authenticate users properly. We have a RHEL 5 server set up exactly the same way and it works just fine. I have narrowed the problem down to the Samba pam module but I don't understand why it works in RHEL 5 and not 4.
Here is the /etc/pam.d/samba file:
Code:
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 10000 quiet
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 10000 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nis nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_mkhomedir.so skel=/etc/skel umask=0022 quiet
session required pam_limits.so
session required pam_unix.so
session optional pam_krb5.so
If I change "account ... pam_unix.so ..." to 'sufficient' instead of 'required' or remove the line completely, users can connect to the server, but permissions for the shares are definitely not working properly.
In the samba log file for the client computer, I get the following message when pam_unix is required for account:
Code:
[2008/07/31 15:48:40, 2] smbd/sesssetup.c:setup_new_vc_session(1200)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2008/07/31 15:48:40, 2] auth/pampass.c:smb_pam_account(560)
smb_pam_account: PAM: There was an authentication error for user joe
[2008/07/31 15:48:40, 2] auth/pampass.c:smb_pam_error_handler(73)
smb_pam_error_handler: PAM: Account Check Failed : Authentication failure
[2008/07/31 15:48:40, 0] auth/pampass.c:smb_pam_accountcheck(780)
smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User joe!
[2008/07/31 15:48:40, 1] smbd/sesssetup.c:reply_spnego_kerberos(416)
PAM account restriction prevents user login
Any suggestions on what I'm doing wrong?
Thanks,
-rockfx01
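Added example (not part of the original post, and not the poster's code): a small simulator of how Linux-PAM walks the account stack shown above, so you can see why "required" on pam_unix sinks the whole stack for a domain user even though pam_krb5 later succeeds, while "sufficient" lets pam_krb5 carry the decision. The control-flag semantics (required/requisite/sufficient/optional and the bracketed [value=action] form) follow pam.conf(5). The module behaviours are a constructed model: in particular, the assumption that pam_unix's account check returns PAM_AUTH_ERR for a user with no local shadow entry is chosen to match the "Authentication failure" line in the posted log, not taken from the RHEL 4 pam_unix source. The users joe and alice are constructed.

```python
"""Simulate Linux-PAM 'account' stack evaluation for the posted /etc/pam.d/samba."""
from dataclasses import dataclass

# PAM return values used by the model
SUCCESS, AUTH_ERR, USER_UNKNOWN, PERM_DENIED = "success", "auth_err", "user_unknown", "perm_denied"

# Keyword controls expanded to their [value=action] equivalents, per pam.conf(5)
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}


@dataclass
class User:
    name: str
    uid: int
    local_shadow: bool   # has an /etc/shadow entry (local account)
    krb_principal: bool  # known to the KDC (an AD account)


def parse_control(field: str) -> dict:
    """Turn 'required' or '[default=bad success=ok ...]' into a value->action table."""
    if field.startswith("["):
        return dict(p.split("=", 1) for p in field.strip("[]").split())
    return KEYWORDS[field]


def parse_stack(text: str, service_type: str):
    """Parse pam.d lines and keep only one type (e.g. 'account'), bracketed controls included."""
    stack = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mtype, rest = line.split(None, 1)
        if mtype != service_type:
            continue
        if rest.startswith("["):
            close = rest.index("]")
            control, rest = rest[:close + 1], rest[close + 1:].strip()
        else:
            control, rest = rest.split(None, 1)
        parts = rest.split()
        stack.append((parse_control(control), parts[0], parts[1:]))
    return stack


# Constructed module models (assumptions, not the real modules' code)
def pam_unix_account(user, args):
    # Assumed: fails with AUTH_ERR when the user has no local shadow entry (matches the posted log)
    return SUCCESS if user.local_shadow else AUTH_ERR

def pam_localuser(user, args):
    return SUCCESS if user.local_shadow else PERM_DENIED

def pam_succeed_if(user, args):
    # Only the 'uid < N' / 'uid >= N' forms used in the post are modelled
    field, op, value = args[0], args[1], int(args[2])
    assert field == "uid"
    return SUCCESS if {"<": user.uid < value, ">=": user.uid >= value}[op] else AUTH_ERR

def pam_krb5_account(user, args):
    return SUCCESS if user.krb_principal else USER_UNKNOWN

def pam_permit(user, args):
    return SUCCESS

MODULES = {"pam_unix.so": pam_unix_account, "pam_localuser.so": pam_localuser,
           "pam_succeed_if.so": pam_succeed_if, "pam_krb5.so": pam_krb5_account,
           "pam_permit.so": pam_permit}


def evaluate(stack, user):
    """Apply the pam.conf(5) actions ok / bad / die / done / ignore (jumps and 'reset' not modelled)."""
    impression, status = None, None  # None = undefined, "pos" or "neg"
    for table, module, args in stack:
        ret = MODULES[module](user, args)
        action = table.get(ret, table["default"])
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            # a success only counts while nothing earlier in the stack has failed
            if impression is None or (impression == "pos" and status == SUCCESS):
                impression, status = "pos", ret
            if action == "done" and impression == "pos" and status == SUCCESS:
                break  # 'sufficient' success ends the stack early
        elif action in ("bad", "die"):
            if impression != "neg":  # the first failure decides the stack's result
                impression, status = "neg", ret
            if action == "die":
                break
    # an all-ignored stack fails closed, as Linux-PAM does
    return status if impression is not None else PERM_DENIED


# The account lines exactly as posted, and the 'sufficient' variant the poster tried
POSTED = """
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 10000 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so
"""
CHANGED = POSTED.replace("account required pam_unix.so", "account sufficient pam_unix.so")

JOE = User("joe", 10001, local_shadow=False, krb_principal=True)    # constructed AD user
ALICE = User("alice", 500, local_shadow=True, krb_principal=False)  # constructed local user


def run(config: str, user: User) -> str:
    return evaluate(parse_stack(config, "account"), user)


if __name__ == "__main__":
    for label, cfg in (("required", POSTED), ("sufficient", CHANGED)):
        for u in (JOE, ALICE):
            print(f"pam_unix {label:10s} {u.name:6s} -> {run(cfg, u)}")
```

With the posted stack the domain user ends in auth_err because pam_unix's failure is recorded first and a later "ok" from pam_krb5 cannot override a recorded failure; with pam_unix as sufficient its failure is ignored and pam_krb5 decides. The local user succeeds either way. Whether the real RHEL 4 pam_unix actually returns that code for a winbind-supplied user (and how broken_shadow changes it) is exactly the difference between the two boxes to check, for example with pam_unix's debug option.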