Hello. Is it possible to have SAMBA respect PAM so that when an LDAP accounts gets locked out the SAMBA account simultaneously gets locked out as well? All my windows clients are either 2003 or 2008 servers and if I understand the blurbs below in the samba man page, the "encrypted password" directive must be set to yes in order for Windows machines to authenticate against SAMBA, however if "encrypted passwords" is set to yes then SAMBA will ignore the directive "obey pam restrictions". Is there any way around this?
I'm sure you'll let me know if this question is better suited for the samba lists.
OS: RHEL 5.5 x64 samba3x-3.5.4-0.70.el5_6.1 openldap-2.3.43-12.el5_6.7
obey pam restrictions (G)
When Samba 3.0 is configured to enable PAM support (i.e. --with-pam), this parameter will control whether or not Samba should obey PAM´s account and session management directives. The default behavior is to use PAM for clear text authentication only and to ignore any account or session management. Note that Samba always ignores PAM for authentication in the case of encrypt passwords = yes. The reason is that PAM modules cannot support the challenge/response authentication mechanism needed in the presence of SMB password encryption.
encrypt passwords (G)
This boolean controls whether encrypted passwords will be negotiated with the client. Note that Windows NT 4.0 SP3 and above and also Windows 98 will by default expect encrypted passwords unless a registry entry is changed. To use encrypted passwords in Samba see the chapter "User Database" in the Samba HOWTO Collection.
MS Windows clients that expect Microsoft encrypted passwords and that do not have plain text password support enabled will be able to connect only to a Samba server that has encrypted password support enabled and for which the user accounts have a valid encrypted password. Refer to the smbpasswd command man page for information regarding the creation of encrypted passwords for user accounts.
The use of plain text passwords is NOT advised as support for this feature is no longer maintained in Microsoft Windows products. If you want to use plain text passwords you must set this parameter to no.
In order for encrypted passwords to work correctly smbd(8) must either have access to a local smbpasswd(5) file (see the smbpasswd(8) program for information on how to set up and maintain this file), or set the security = [server|domain|ads] parameter which causes smbd to authenticate against another server.
-Mike
Anyone?
From: mlstarling31@hotmail.com To: openldap-technical@openldap.org Subject: Locking SAMBA ccounts with LDAP backend Date: Sun, 10 Jul 2011 08:22:31 -0400
Hello. Is it possible to have SAMBA respect PAM so that when an LDAP accounts gets locked out the SAMBA account simultaneously gets locked out as well? All my windows clients are either 2003 or 2008 servers and if I understand the blurbs below in the samba man page, the "encrypted password" directive must be set to yes in order for Windows machines to authenticate against SAMBA, however if "encrypted passwords" is set to yes then SAMBA will ignore the directive "obey pam restrictions". Is there any way around this?
I'm sure you'll let me know if this question is better suited for the samba lists.
OS: RHEL 5.5 x64 samba3x-3.5.4-0.70.el5_6.1 openldap-2.3.43-12.el5_6.7
obey pam restrictions (G)
When Samba 3.0 is configured to enable PAM support (i.e. --with-pam), this parameter will control whether or not Samba should obey PAM´s account and session management directives. The default behavior is to use PAM for clear text authentication only and to ignore any account or session management. Note that Samba always ignores PAM for authentication in the case of encrypt passwords = yes. The reason is that PAM modules cannot support the challenge/response authentication mechanism needed in the presence of SMB password encryption.
encrypt passwords (G)
This boolean controls whether encrypted passwords will be negotiated with the client. Note that Windows NT 4.0 SP3 and above and also Windows 98 will by default expect encrypted passwords unless a registry entry is changed. To use encrypted passwords in Samba see the chapter "User Database" in the Samba HOWTO Collection.
MS Windows clients that expect Microsoft encrypted passwords and that do not have plain text password support enabled will be able to connect only to a Samba server that has encrypted password support enabled and for which the user accounts have a valid encrypted password. Refer to the smbpasswd command man page for information regarding the creation of encrypted passwords for user accounts.
The use of plain text passwords is NOT advised as support for this feature is no longer maintained in Microsoft Windows products. If you want to use plain text passwords you must set this parameter to no.
In order for encrypted passwords to work correctly smbd(8) must either have access to a local smbpasswd(5) file (see the smbpasswd(8) program for information on how to set up and maintain this file), or set the security = [server|domain|ads] parameter which causes smbd to authenticate against another server.
-Mike
--On Monday, July 11, 2011 10:14:03 PM -0400 Michael Starling mlstarling31@hotmail.com wrote:
Anyone?
This is for either a pam list or a samba list.
If it was me I would try fooling around with pam_groupdn and pam_member_attribute in pam_ldap.conf.
Bill
From: mlstarling31@hotmail.com To: openldap-technical@openldap.org Subject: Locking SAMBA ccounts with LDAP backend Date: Sun, 10 Jul 2011 08:22:31 -0400
Hello. Is it possible to have SAMBA respect PAM so that when an LDAP accounts gets locked out the SAMBA account simultaneously gets locked out as well? All my windows clients are either 2003 or 2008 servers and if I understand the blurbs below in the samba man page, the "encrypted password" directive must be set to yes in order for Windows machines to authenticate against SAMBA, however if "encrypted passwords" is set to yes then SAMBA will ignore the directive "obey pam restrictions". Is there any way around this?
I'm sure you'll let me know if this question is better suited for the samba lists.
OS: RHEL 5.5 x64 samba3x-3.5.4-0.70.el5_6.1 openldap-2.3.43-12.el5_6.7
obey pam restrictions (G)
When Samba 3.0 is configured to enable PAM support (i.e. --with-pam), this parameter will control whether or not Samba should obey PAM´s account and session management directives. The default behavior is to use PAM for clear text authentication only and to ignore any account or session management. Note that Samba always ignores PAM for authentication in the case of encrypt passwords = yes. The reason is that PAM modules cannot support the challenge/response authentication mechanism needed in the presence of SMB password encryption.
encrypt passwords (G)
This boolean controls whether encrypted passwords will be negotiated with the client. Note that Windows NT 4.0 SP3 and above and also Windows 98 will by default expect encrypted passwords unless a registry entry is changed. To use encrypted passwords in Samba see the chapter "User Database" in the Samba HOWTO Collection.
MSWindows clients that expect Microsoft encrypted passwords and that do not have plain text password support enabled will be able to connect only to a Samba server that has encrypted password support enabled and for which the user accounts have a valid encrypted password. Refer to the smbpasswd command man page for information regarding the creation of encrypted passwords for user accounts.
The use of plain text passwords is NOT advised as support for this feature is no longer maintained in Microsoft Windows products. If you want to use plain text passwords you must set this parameter to no.
In order for encrypted passwords to work correctly smbd(8) must either have access to a local smbpasswd(5) file (see the smbpasswd(8) program for information on how to set up and maintain this file), or set the security = [server|domain|ads] parameter which causes smbd to authenticate against another server.
-Mike
openldap-technical@openldap.org
-
Bill MacAllister -
Michael Starling