[Samba] ADS, pam_winbind and vsftpd

 
Stefan G. Weichinger

(Msg. 1) Posted: Thu Nov 05, 2009 7:21 am
Post subject: [Samba] ADS, pam_winbind and vsftpd
Archived from groups: linux>samba

Greets ... I am not getting it.

I have samba (old one, 3.0.22-11-SUSE-CODE10) in an ADS-context, winbind
works OK ...

I am trying to connect vsftpd to winbind via PAM, this works TOO GOOD ;-)

currently I am able to login to vsftpd with ANY password, that's bad.

I am not understanding that PAM-stuff and I have some pressure to get
that ftp-server up, so please would someone help me out?

My file:

This one is heavily edited now, as I played trial and error for hours.

# cat /etc/pam.d/vsftpd
#%PAM-1.0

# Uncomment this to achieve what used to be ftpd -A.
# auth required pam_listfile.so item=user sense=allow file=/etc/ftpchroot onerr=fail

auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_shells.so

account sufficient pam_winbind.so
account required pam_unix2.so

password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok

session required pam_limits.so
session required pam_unix2.so

---

The logs show (I used a correct user and a wrong password):

Nov 5 09:55:25 comm01 vsftpd: Thu Nov 5 09:55:25 2009 [pid 6323] CONNECT: Client "MY.IP.HERE"
Nov 5 09:55:32 comm01 pam_winbind[6322]: request failed: Wrong Password, PAM error was 7, NT error was NT_STATUS_WRONG_PASSWORD
Nov 5 09:55:32 comm01 pam_winbind[6322]: user `DOM\user' denied access (incorrect password or invalid membership)
Nov 5 09:55:32 comm01 pam_winbind[6322]: user 'DOM\user' OK
Nov 5 09:55:32 comm01 pam_winbind[6322]: user 'DOM\user' granted access

Why does it deny first and then grant access anyway?

Is it a bug in the old samba-release or just my mistake?

Thanks for any help on this, I just don't see it ...

Stefan
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Stefan G. Weichinger

(Msg. 2) Posted: Thu Nov 05, 2009 7:21 am
Post subject: Re: [Samba] ADS, pam_winbind and vsftpd

Veiko Kukk wrote:

> I have working pam-vsftpd configuration
>
> /etc/pam.d/vsftpd contains
>
> auth required pam_winbind.so
> account required pam_winbind.so
> password required pam_winbind.so
> session required pam_winbind.so
>
> and in vsftpd conf I have
> pam_service_name=vsftpd

Thank you!

> Centos 5.4, samba from Sernet "recent" repo.
> Upgrading from 3.0.x to 3.3.x made winbind *a lot faster*, reducing cpu
> load.

I was a bit conservative at first and went to 3.0.33 (from 3.0.22) for a
start.

Old box there, I didn't want to break things.
And it's a rather small box with only a few users using the shares so
performance isn't an issue.

Thanks anyway for the info, I might consider this on other servers.

Stefan
Stefan G. Weichinger

(Msg. 3) Posted: Thu Nov 05, 2009 7:21 am
Post subject: Re: [Samba] ADS, pam_winbind and vsftpd

Stefan G. Weichinger wrote:

> Is it a bug in the old samba-release or just my mistake?

Should be my mistake. Upgrade samba now, same behavior.
So it is my stupid config ...
S
Veiko Kukk

(Msg. 4) Posted: Thu Nov 05, 2009 7:21 am
Post subject: Re: [Samba] ADS, pam_winbind and vsftpd

Stefan G. Weichinger wrote:
> currently I am able to login to vsftpd with ANY password, that's bad.
>
> I am not understanding that PAM-stuff and I have some pressure to get
> that ftp-server up, so please would someone help me out?

I have working pam-vsftpd configuration

/etc/pam.d/vsftpd contains

auth required pam_winbind.so
account required pam_winbind.so
password required pam_winbind.so
session required pam_winbind.so

and in vsftpd conf I have
pam_service_name=vsftpd

Centos 5.4, samba from Sernet "recent" repo.
Upgrading from 3.0.x to 3.3.x made winbind *a lot faster*, reducing cpu
load.

--
Veiko


Stefan G. Weichinger

(Msg. 5) Posted: Thu Nov 05, 2009 7:21 am
Post subject: Re: [Samba] ADS, pam_winbind and vsftpd

Stefan G. Weichinger wrote:
> Stefan G. Weichinger wrote:
>
>> Is it a bug in the old samba-release or just my mistake?
>
> Should be my mistake. Upgrade samba now, same behavior.
> So it is my stupid config ...

And one more follow-up-myself ... but maybe helpful for others searching
the web in the future ...

-->

It works now.

Edited /etc/pam.d/vsftpd to include the common files:

# cat vsftpd
auth include common-auth
account include common-account
password include common-password
session include common-session

while those included files are:

# cat common-auth
auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass

# cat common-account
account sufficient pam_winbind.so
account required pam_unix2.so

# cat common-password
password sufficient pam_winbind.so
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok

# cat common-session
session required pam_limits.so
session required pam_unix2.so

---

I tested by using right and wrong password, looks OK to me.
Could someone please let me know if this PAM-setup is safe?

Thanks a lot ... Stefan
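Why the auth stack in Msg. 1 accepted any password while the stacks in Msg. 4 and Msg. 5 do not, as an added example that is not part of the original posts: a simplified Python model of Linux-PAM's control flags. The module outcomes are constructed under the assumptions stated in the comments; no real PAM calls are made.

```python
# Simplified model of Linux-PAM's required/requisite/sufficient control flags.
# Added example: module outcomes are constructed, no real PAM calls are made.

def module_results(password_ok):
    """Outcomes for one login by a domain user (assumed: not in /etc/ftpusers,
    valid shell, no local password so pam_unix always fails)."""
    return {
        "pam_listfile.so": True,        # user is not on the deny list
        "pam_shells.so": True,          # shell is listed in /etc/shells
        "pam_winbind.so": password_ok,  # the only module checking the AD password
        "pam_unix.so": False,           # no local account to match
    }

def evaluate(stack, results):
    """Return True if the auth stack grants access."""
    failed = succeeded = False
    for control, module in stack:
        ok = results[module]
        if control == "sufficient":
            if ok and not failed:
                return True             # success short-circuits the stack
            # a failing "sufficient" module is ignored, not counted as failure
        elif control == "requisite":
            if not ok:
                return False            # failure ends the stack at once
            succeeded = True
        elif control == "required":
            if ok:
                succeeded = True
            else:
                failed = True           # remembered; later modules still run
        else:
            raise ValueError(f"unmodelled control flag: {control}")
    return succeeded and not failed

def grants_on_wrong_password(stack):
    return evaluate(stack, module_results(password_ok=False))

# auth lines from Msg. 1, Msg. 4 and Msg. 5 (common-auth), in file order
MSG1_AUTH = [("required", "pam_listfile.so"), ("sufficient", "pam_winbind.so"),
             ("required", "pam_shells.so")]
MSG4_AUTH = [("required", "pam_winbind.so")]
MSG5_AUTH = [("sufficient", "pam_winbind.so"), ("required", "pam_unix.so")]

if __name__ == "__main__":
    for name, stack in [("Msg. 1", MSG1_AUTH), ("Msg. 4", MSG4_AUTH), ("Msg. 5", MSG5_AUTH)]:
        print(name, "accepts a wrong password:", grants_on_wrong_password(stack))
```

In the Msg. 1 stack the failed `sufficient` pam_winbind.so is ignored and the two `required` modules around it never look at the password, so the stack succeeds; in Msg. 5 the `required` module that follows pam_winbind.so is itself a password check.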