Hello,

I am trying to follow IDEALx's "Samba3-LDAP PDC Howto" and am having difficulty with the PAM configuration portion of this because I am trying to install on SuSE Linux Enterprise Server 9 and SuSE does not use the pam_stack.so module, so there is no catchall system-auth file to edit as the guide describes.

Since there is not a system-auth file, I wonder would it be sufficient to do the necessary edits to the /etc/pam.d/samba file? I know in some cases the /etc/pam.d/other file is used, when a specific config file for a service is not found in the /etc/pam.d directory.

Can someone with a better understanding of the PAM configuration tell me which config files (lacking the system-auth file) in the /etc/pam.d directory are needed to make the overall setup work? And are the changes to these files the same as would have occurred in the system-auth file?

Mike Partyka
Stonepath Logistics
Systems Administrator
(651)405-4300 Desk
(651)208-5734 Cell
(651)405-4342 Fax
> Hello,
> I am trying to follow IDEALx's "Samba3-LDAP PDC Howto" and am having difficulty with the PAM configuration portion of this because I am trying to install on SuSE Linux Enterprise Server 9 and SuSE does not use the pam_stack.so module, so there is no catchall system-auth file to edit as the guide describes.
Samba3 does not need any change to PAM config for LDAP access. It has it built in. Provided you've set up /etc/ldap.conf and /etc/ldap.secret as well as /etc/nsswitch.conf accordingly, a "getent passwd" should show you your LDAP users as well as the local system users. If that is not working, fix it first. I've always done the config manually, but you could also simply use YaST and tell it to use the LDAP server, at least in SuSE 9.1 and supposedly also in 9.2 (no personal experience).
> Since there is not a system-auth file, I wonder would it be sufficient to do the necessary edits to the /etc/pam.d/samba file? I know in some cases the /etc/pam.d/other file is used, when a specific config file for a service is not found in the /etc/pam.d directory.
You don't need to change /etc/pam.d/samba. Samba knows how to access the LDAP server itself. It doesn't need PAM for that. My /etc/pam.d/samba shows the following entries on a system that uses Samba3+LDAP:

    #%PAM-1.0
    auth     required    pam_unix.so
    account  required    pam_unix.so

That's completely sufficient, PROVIDED you adapt your smb.conf as documented in IDEALX's Howto so that the Samba server uses the LDAP backend (passdb ldapsam...) *and* getent passwd (which is equivalent to saying that the "system sees the ldap users") works as explained.

By the way: Whenever a PAM module is asked for that is not configured, a message in /var/log/messages will appear. I never tinker with any of my systems without having at least a "tail -f /var/log/messages /var/log/warn" running alongside in another window. You will catch most errors and mistakes early and this will save you lots of time.
> Can someone with a better understanding of the PAM configuration tell me which config files (lacking the system-auth file) in the /etc/pam.d directory are needed to make the overall setup work? And are the changes to these files the same as would have occurred in the system-auth file?
You don't need any changes there for pure interoperability of Samba 3 with LDAP. You'll need some changes if you also want your LDAP users to be able to log in using SSH or using IMAPS (the last one depending on how you want to solve the authentication. If with SASL, it might not even need a change there either).

btw: I think this is a configuration question that hasn't much to do with security. (Especially since PAM is not really involved :-) )

--
C U

- -- ---- ----- -----/\/ René Gallati \/\---- ----- --- -- -
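The prerequisite check described in the reply above (nsswitch.conf lists ldap, and "getent passwd" returns more than the local accounts), as an added example that is not part of the original thread. The function names and the `--run` switch are hypothetical, and the permission check on /etc/ldap.secret is an addition that assumes the file should be accessible to its owner only.

```shell
#!/bin/sh
# Added example: pre-flight checks for the NSS/LDAP prerequisites named in the reply.
# Function names and the --run switch are hypothetical; paths are those from the reply.

# True if database $2 (passwd, group, ...) in nsswitch file $1 lists "ldap"
# as a source. Tokens after an inline "#" comment are ignored.
nss_uses_ldap() {
    awk -v db="$2:" '$1 == db { for (i = 2; i <= NF && $i !~ /^#/; i++) if ($i == "ldap") ok = 1 }
                     END { exit !ok }' "$1"
}

# Reads "getent passwd" output on stdin and prints the accounts that are absent
# from the local passwd file $1, i.e. those supplied by another source such as LDAP.
non_local_users() {
    awk -F: 'NR == FNR { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$1" -
}

# True if file $1 exists and grants no permission bits to group or others.
# Assumption: /etc/ldap.secret holds the bind password in clear text.
secret_is_private() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Runs all checks against the live system and reports each failure.
preflight() {
    rc=0
    for db in passwd group; do
        nss_uses_ldap /etc/nsswitch.conf "$db" ||
            { echo "nsswitch.conf: $db does not list ldap"; rc=1; }
    done
    secret_is_private /etc/ldap.secret ||
        { echo "/etc/ldap.secret is missing or accessible to group/others"; rc=1; }
    users=$(getent passwd | non_local_users /etc/passwd)
    [ -n "$users" ] ||
        { echo "getent passwd shows no users beyond /etc/passwd"; rc=1; }
    return $rc
}

if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it with `--run` as root while the tail on /var/log/messages is open; a non-zero exit status means at least one prerequisite is not met.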