scratch (n00b)
Joined: 21 Dec 2007, Posts: 10, Location: Iowa

Posted: Fri Dec 21, 2007 3:49 pm
Post subject: [Solved...] pam_winbind.so require_membership_of is ignored?
Hi, I'm setting up a Gentoo samba server for our campus 2003 ADS network home directories. Near as I can tell, everything is working the way it needs to, so I've decided it might be time to lock it down.
To simplify new user creation we've decided that using pam_mkhomedir.so would be a great feature to have the fileserver automagically create their home when they first log in. But we don't want everyone to log in, just the members of filesurfer-users (yes, my naming schemes are all that imaginative).
The obvious first choice was /etc/pam.d/samba:
Code:
    #%PAM-1.0
    # Require membership of filesurfer-users group
    account required pam_winbind.so require_membership_of=(SID)
    session required pam_winbind.so require_membership_of=(SID)
    session optional pam_mkhomedir.so skel=/etc/mside-skel umask=0077
The (SID) I'm using is the full output of wbinfo -n filesurfer-users sans "Domain Group(2)". The two members of this group are Faculty and Staff, each of which has all the named user accounts.
I've also tried (in place of SID) "REALM\filesurfer-users" and "REALM+filesurfer-users" as well as several other silly combinations of gibberish to try and make the flag fail I won't list here.
smb.conf is set to obey pam restrictions and to encrypt passwords.
This same setup on a RedHat imap server (require_membership_of) is working just swimmingly.
I've compiled samba with the following use flags:
Code:
    net-fs/samba-3.0.28 USE="acl ads automount cups doc ldap pam python quotas readline swat syslog winbind -async -caps -examples -fam -ipv6 (-selinux)"
Any ideas to why the require_membership_of flag is being ignored? This same setup on our RedHat imap server (require_membership_of) is working just swimmingly which gives me some faith in my configuration.
Thanks!
Shaun

EOL

Last edited by scratch on Mon Feb 11, 2008 8:26 pm; edited 1 time in total


scratch (n00b)

Posted: Mon Feb 11, 2008 8:25 pm
Post subject: [Solved?]
As far as I can tell this is actually a documented limitation of PAM:
man smb.conf:
    obey pam restrictions (G)
        When Samba 3.0 is configured to enable PAM support (i.e. --with-pam), this parameter will control whether or not Samba should obey PAM's account and session management directives. The default behavior is to use PAM for clear text authentication only and to ignore any account or session management. Note that Samba always ignores PAM for authentication in the case of encrypt passwords = yes. The reason is that PAM modules cannot support the challenge/response authentication mechanism needed in the presence of SMB password encryption.
So, while man pam_winbind more or less implies that it will do what I expect, I think this might just be an oversight in the documentation. But this flag will work for things such as ssh logins...
man pam_winbind:
    require_membership_of=[SID or NAME]
        If this option is set, pam_winbind will only succeed if the user is a member of the given SID or NAME. A SID can be either a group-SID, an alias-SID or even a user-SID. It is also possible to give a NAME instead of the SID. That name must have the form: MYDOMAIN\mygroup or MYDOMAIN\myuser. pam_winbind will, in that case, lookup the SID internally. Note that NAME may not contain any spaces. It is thus recommended to only use SIDs. You can verify the list of SIDs a user is a member of with wbinfo --user-sids=SID.

Cheers!

EOL
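An added example (not from the thread, and not Samba's or pam_winbind's own code) that turns the two man-page rules quoted above into a pre-flight check you can run against your own smb.conf and /etc/pam.d/samba before relying on require_membership_of for SMB logins. It follows the second post's conclusion that the membership check happens when PAM authenticates; the SID and both config snippets are constructed, and it assumes one "key = value" per smb.conf line.

```shell
#!/bin/sh
# Pre-flight check: can a pam_winbind require_membership_of line in
# /etc/pam.d/samba gate SMB logins under a given smb.conf? Rules, from the
# man smb.conf text quoted in the thread and its conclusion that the check
# runs when PAM authenticates: "encrypt passwords = yes" means Samba never
# authenticates via PAM; "obey pam restrictions = no" means the account and
# session stacks are ignored as well. All sample inputs are constructed.

# smb_param CONFIG KEY DEFAULT: lower-cased value of a global smb.conf
# parameter (one "key = value" per line assumed), or DEFAULT if unset.
smb_param() {
    printf '%s\n' "$1" | awk -F= -v key="$2" -v val="$3" '
        /^[ \t]*[#;]/ { next }
        NF >= 2 {
            k = tolower($1); gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/[ \t]+/, " ", k)
            if (k == key) { val = tolower($2); gsub(/^[ \t]+|[ \t]+$/, "", val) }
        }
        END { print val }'
}

is_yes() { case "$1" in yes|true|1) return 0 ;; *) return 1 ;; esac; }

# membership_stacks PAMFILE: stack types whose pam_winbind.so line carries
# require_membership_of=... (comment lines skipped).
membership_stacks() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        /pam_winbind\.so/ && /require_membership_of=/ { print $1 }'
}

# membership_verdict SMBCONF PAMFILE: "enforced" only when the check sits in
# the auth stack and Samba actually authenticates through PAM, else "bypassed".
membership_verdict() {
    enc=$(smb_param "$1" "encrypt passwords" yes)     # Samba 3.0 default: yes
    obey=$(smb_param "$1" "obey pam restrictions" no)
    for stack in $(membership_stacks "$2"); do
        if [ "$stack" = auth ] && ! is_yes "$enc"; then echo enforced; return 0; fi
        if [ "$stack" != auth ] && is_yes "$obey"; then
            echo "note: $stack stack is consulted but carries no membership check" >&2
        fi
    done
    echo bypassed
}
# Constructed samples mirroring the thread's setup (SID is made up).
SMB_CONF='encrypt passwords = yes
obey pam restrictions = yes'
PAM_SAMBA='account required pam_winbind.so require_membership_of=S-1-5-21-0-0-0-1234
session required pam_winbind.so require_membership_of=S-1-5-21-0-0-0-1234
session optional pam_mkhomedir.so skel=/etc/mside-skel umask=0077'
membership_verdict "$SMB_CONF" "$PAM_SAMBA"    # prints: bypassed
```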