From: Volker Lendecke on
On Tue, Mar 16, 2010 at 02:14:36PM -0500, Grady Neely wrote:
> I am trying to get my Samba installation to use PAM under
> Ubuntu. I have created the /etc/pam.d/samba, but as far
> as I can tell samba is not using the directives in there.
> I have ssh and netatalk using PAM successfully against a
> Kerberos ticket issuer, so I know my PAM installation is
> working for some services. I am sure I have something
> wrong in my smb.conf as I am a bit of a newbie with samba
> when it comes to PAM.
>
> My /etc/pam.d/samba file is a clone of my netatalk PAM
> file, because my netatalk shares are working just fine.

PAM can not be used by Samba for password checking, because
the PAM API expects to see the user's plain text password.
We never see that unless you're setting "encrypt passwords =
no" which is so highly not recommended that we should
probably disable it at some point.

Volker
From: Grady Neely on
So there is no way to get PAM and SAMBA to work?

If I have a machine that is not a member of an AD, and I do not want it to be, what is the best way to have it send authentication requests to an AD Domain server for authentication?

I had hoped for PAM/Kerberos, but that seems like it will not work.


On Mar 16, 2010, at 2:22 PM, Volker Lendecke wrote:

> On Tue, Mar 16, 2010 at 02:14:36PM -0500, Grady Neely wrote:
>> I am trying to get my Samba installation to use PAM under
>> Ubuntu. I have created the /etc/pam.d/samba, but as far
>> as I can tell samba is not using the directives in there.
>> I have ssh and netatalk using PAM successfully against a
>> Kerberos ticket issuer, so I know my PAM installation is
>> working for some services. I am sure I have something
>> wrong in my smb.conf as I am a bit of a newbie with samba
>> when it comes to PAM.
>>
>> My /etc/pam.d/samba file is a clone of my netatalk PAM
>> file, because my netatalk shares are working just fine.
>
> PAM can not be used by Samba for password checking, because
> the PAM API expects to see the user's plain text password.
> We never see that unless you're setting "encrypt passwords =
> no" which is so highly not recommended that we should
> probably disable it at some point.
>
> Volker

From: Volker Lendecke on
On Tue, Mar 16, 2010 at 02:51:44PM -0500, Grady Neely wrote:
> So there is no way to get PAM and SAMBA to work?

For the non-auth related PAM restrictions it should work.

> If I have a machine that is not a member of an AD, and I
> do not want it to be, what is the best way to have it send
> authentication request to a AD Domain server for
> authentication?

You need to be a member of the AD to delegate auth, sorry.

Volker
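
Added example, not part of the thread: an smb.conf fragment showing the setting discussed above next to the one that enables the non-auth PAM checks. `obey pam restrictions` is not named in the thread; it is the smb.conf parameter that controls whether the account and session lines of the PAM service file are applied.

```ini
# smb.conf fragment (added illustration, not from the original posts)

[global]
    # The only mode in which smbd receives a plain-text password that it
    # could hand to PAM's "auth" stack. Not recommended, per the reply above.
    ;encrypt passwords = no

    # Challenge/response authentication: smbd never sees the plain-text
    # password, so the "auth" lines in /etc/pam.d/samba are not consulted.
    encrypt passwords = yes

    # Apply the non-auth parts of the PAM service file: its "account" and
    # "session" lines are evaluated for connecting users.
    obey pam restrictions = yes
```

After editing, `testparm -s` prints the configuration as Samba parses it, which confirms both parameters were read.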