Hi,
AD means Active Directory. A user can log in with their network account through winbind (samba).
Then, to access a samba share you can use any of the Active Directory users (any machine can resolve them).
You could reproduce it with samba users.
Here are the contents of the relevant PAM configuration files:
=====>Listing of /etc/pam.d/common-account
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
account sufficient pam_winbind.so
account required pam_unix.so
=====>Listing of /etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth requisite pam_mount.so
auth sufficient pam_winbind.so use_first_pass
auth required pam_unix.so likeauth nullok use_first_pass
=====>Listing of /etc/pam.d/common-pammount
# include this file after common-auth and after common-session with
# @include common-pammount
# replace "optional" with "required" if a user must mount the specified
# volumes, for example the home directory
# make sure that there is no PAM module loaded with a "sufficient"
# priority before these entries, else the pam_mount module is not
# executed
# for configuration details about different login programs see
# /usr/share/doc/libpam-mount/README.Debian.gz
auth optional pam_mount.so use_first_pass
session optional pam_mount.so use_first_pass
=====>Listing of /etc/pam.d/common-password
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords. The default is pam_unix
# The "nullok" option allows users to change an empty password, else
# empty passwords are treated as locked accounts.
#
# (Add `md5' after the module name to enable MD5 passwords)
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs. Also the "min" and "max" options enforce the length of the
# new password.
password required pam_unix.so nullok obscure min=4 max=8 md5
# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.
# You will need to comment out the password line above and
# uncomment the next two in order to use this.
# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
#
# password required pam_cracklib.so retry=3 minlen=6 difok=3
# password required pam_unix.so use_authtok nullok md5
=====>Listing of /etc/pam.d/common-session
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive). The default is pam_unix.
#
session required pam_mkhomedir.so skel=/etc/skel umask=0022
session optional pam_mount.so
session required pam_unix.so
=====>Listing of /etc/pam.d/samba
@include common-auth
@include common-account
@include common-session
=====>Listing of /etc/security/pam_mount.conf
# Turn on if you want to debug why some volume cannot be mounted etc.
# This can be overridden by the user's local configuration
#
# Format: debug [ 1 | 0 ]
# Local user configuration can override this.
debug 1
mkmountpoint 1
# Loopback device to use to run fsck on loopback filesystems.
fsckloop /dev/loop7
# Users' local configuration file (if there is none, comment out this
# parameter). Will be read as ~/<file>
#
# Note: you must include either options_allow or options_deny to use
# this directive. I recommend also including options_require.
#
# Individual users may define additional volumes to mount if allowed
# by pam_mount.conf (usually ~/.pam_mount.conf). The volume keyword is
# the only valid keyword in these per-user configuration files. If the
# luserconf parameter is set in pam_mount.conf, allowing user-defined
# volume, then users may mount and unmount any volume they own at any
# mount point they own. On some filesystem configurations this may be
# a security flaw so user-defined volumes are not allowed by the example
# pam_mount.conf distributed with pam_mount.
#
# Format: luserconf <file>
luserconf .pam_mount.conf
# These directives determine which options may be specified in a user config
# file (luserconf). You must include one of these directives if you have a
# luserconf directive. You may not include both directives.
#
# If you have an options_allow directive, then the options listed in that
# directive will be allowed, and all others rejected. If you have an
# options_deny directive, then the options listed will be denied, and all others
# permitted.
#
# You may use the wildcard '*' to match all options.
#
# options_allow nosuid,nodev
# options_deny suid,dev
options_allow *
# options_deny *
#
# I recommend not permitting the suid and dev options.
# The options listed in this directive are required for all volumes from a
# user config file. That is, any volume specified in a user config file that
# does not include these options will be ignored.
#
# Note: you must make sure that a required option is permitted (either by
# including it in options_allow, or by not including it in options_deny).
#
# I recommend requiring at least nosuid and nodev.
#
# This is ignored completely if the volume is configured to get its options
# and mount point from /etc/fstab.
#
options_require nosuid,nodev
# Commands to mount/unmount volumes. They can take parameters, as shown.
#
# If you change the -p0 argument for lclmount, you'll need to modify the
# source in mount.c (it sends the password to the stdin file descriptor
# of the child process -- look for STDIN_FILENO).
lsof /usr/sbin/lsof %(MNTPT)
fsck /sbin/fsck -p %(FSCKLOOP)
losetup /sbin/losetup -p0 "%(before=\"-e \" CIPHER)" "%(before=\"-k \" KEYBITS)" %(FSCKLOOP) %(VOLUME)
unlosetup /sbin/losetup -d %(FSCKLOOP)
cifsmount /bin/mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -S -o "user=%(USER)%(before=\",\" OPTIONS)"
smbmount /usr/bin/smbmount //%(SERVER)/%(VOLUME) %(MNTPT) -o "username=%(USER)%(before=\",\" OPTIONS)"
ncpmount /usr/bin/ncpmount %(SERVER)/%(USER) %(MNTPT) -o "pass-fd=0,volume=%(VOLUME)%(before=\",\" OPTIONS)"
smbumount /usr/bin/smbumount %(MNTPT)
ncpumount /usr/bin/ncpumount %(MNTPT)
# Linux supports lazy unmounting (-l). May be dangerous for encrypted volumes.
# May also break loopback mounts because loopback devices are not freed.
# Need to unmount mount point not volume to support SMB mounts, etc.
umount /bin/umount %(MNTPT)
# On OpenBSD try "/usr/local/bin/mount_ehd" (included in pam_mount package).
lclmount /bin/mount -p0 %(VOLUME) %(MNTPT) "%(before=\"-o \" OPTIONS)"
nfsmount /bin/mount %(SERVER):%(VOLUME) "%(MNTPT)%(before=\"-o \" OPTIONS)"
# --bind may be a Linuxism. FIXME: find BSD equivalent.
mntagain /bin/mount --bind %(PREVMNTPT) %(MNTPT)
#mntcheck /bin/mount # For BSD's (don't have /etc/mtab)
# Volumes that will be mounted when user triggers pam_mount module
# (usually at login).
#
# Format:
# volume <user> [smb|ncp|nfs|local] <server> <volume> <mount point> <mount options> <fs key cipher> <fs key path>
#
# General examples:
# volume user smb krueger public /home/user/krueger - - -
# volume user ncp krueger public /home/user/krueger - - -
# Linux encrypted home directory examples:
# volume user local - /dev/hda123 /home/user loop,encryption=aes - -
# volume user local - /home/user.img /home/user loop,user,exec,encryption=aes,keybits=256 - -
# volume user local - /home/user.img - - - -
# volume user local - /home/user.img - - aes-256-ecb /home/user4.key
#
# OpenBSD encrypted home directory example (see also lclmount above):
# volume user local - /home/user.img /home/user svnd0 - -
#
# The last two examples need a line like the following in
# /etc/fstab:
#
# /home/user4.img /home/user4 xfs user,loop,encryption=aes,keybits=256,noauto 0 0
#
# Details:
# Local user configuration can extend this.
# Mount point must be owned by the user.
#
# If there are no servers, mount options, fs key ciphers, etc. you must
# supply a "-"
#
# If a local mount is specified in a user config file, then the user must
# own the device or file being mounted.
#
# See http://www.tldp.org/HOWTO/Loopback-Encrypted-Filesystem-HOWTO.html
# to learn how to create an encrypted loopback filesystem.
#
# If the volume's password is different than the user's login password,
# the following technique may be used (see also README):
#
# 1. Create a file containing the volume's password (FS key). If you are
# using pam_mount to mount a loopback encrypted volume, this password
# should be generated from /dev/urandom.
#
# Simple example:
# echo <volume password> | openssl aes-256-ecb > /home/user.key
# Encrypt this file using the user's login password as the key.
#
# Verbose loopback encrypted volume example:
# a. dd if=/dev/urandom of=/home/user.img bs=1M count=<image size in MB>
# b. dd if=/dev/urandom bs=1c count=<keysize / 8> | openssl enc \
# -<fs key cipher> > /home/user.key
# Encrypt this file using the user's login password as the key.
# c. openssl enc -d -<fs key cipher> -in /home/user.key | losetup -e aes \
# -k <keysize> -p0 /dev/loop0 /home/user.img
# d. mkfs -t ext2 /dev/loop0
# e. umount /dev/loop0
# f. losetup -d /dev/loop0
#
# 3. In pam_mount.conf:
# a. Set the fs key cipher variable to the cipher used (i.e. aes-256-ecb).
# b. Set the fs key path variable to the key's path (i.e. /home/user.key)
# 4. If a user changes his login password, regenerate the efsk that
# was created in step 1b. A script named passwdehd is provided to do this.
#
# If fs_key_cipher is -, then the user's login password is also the volume's
# password.
# Template (or wildcard) volumes
#
# If user is "*", "&" will be replaced by name of the user logging on in the
# volume, mount point, mount options and fs key path fields. "~/*" will be
# replaced with "<user's homedir>/*." In this mode, the user need not
# own the mount point, but it must exist.
#
# volume * smb krueger & /home/& uid=&,gid=&,dmask=0750 - -
# volume * smb krueger homes /home/&/remote - - -
# volume * local - /home/&.img - - aes-256-ecb /etc/ehd/&
# Windows 2000, which requires a domain specified, example (thanks John Knox):
# volume * smb viper & /home/& uid=&,gid=&,dmask=0750,workgroup=WINDOWS_DOMAIN - -
volume * smb millet.ad.upcnet.es &\$ /home/&/Personal uid=&,dmask=0750,workgroup=UPCNET,iocharset=iso8859-1,codepage=cp850 - -
volume * smb millet.ad.upcnet.es Grups /home/&/Grups uid=&,dmask=0750,workgroup=UPCNET,iocharset=iso8859-1,codepage=cp850 - -
#20041224 iocharset and codepage do not seem to take effect
Is there enough information? (smb.conf is not important but I attach it at the end)
Thank you,
Pau
On date 07/01/2005 16:13:17 Bastian Kleineidam wrote:
>Hi,
>
>On Wed, Jan 05, 2005 at 05:37:21PM +0100, Pau Capdevila/Upcnet wrote:
>> Debugging the process (smbd -F -S -d 4) we've seen this when authenticating
>> with an AD user:
>What does AD mean? Can you specify the steps to reproduce the problem?
>Note that I have no windows machine available (let alone a network ;).
>So it would help me much to be able to use linux tools on a single
>machine to reproduce this bug.
>
>> pam_mount: error trying to retrieve authtok from auth code
>> smbd: pam_mount.c:122: converse: Assertion «retval != 0 || (resp != ((void
>> *)0) && *resp
>> != ((void *)0) && (*resp)->resp != ((void *)0))» has failed.
>Samba should not react with an assertion to this kind of error, that is
>a little too hard.
>
>> /etc/samba/gdbcommands:1: Error in sourced command file:
>> Previous frame inner to this frame (corrupt stack?)
>Hm, this error indicates the stack frame pointers are corrupt,
>ie. the memory of the process/thread is in a bad shape :)
>Seems that smbd does not handle triggered assertions very well.
>
>> If you comment out everything related to pam_mount from the PAM
>> configuration files it goes like a charm.
>Can you please send your config PAM files? There should be no private
>or sensitive information in them. If you are concerned about giving
>sensitive information you can either send them directly to me
>([EMAIL PROTECTED]) or delete the sensitive parts and attach them to
>this bug report. Please make a note in the files if you deleted
>something.
>Here is the list of interesting files:
>/etc/security/pam_mount.conf
>/etc/pam.d/samba (and all with @include referenced files)
>
>And if the luserconf entry is activated for a certain user:
>/home/<user>/.pam_mount.conf
>
>And perhaps I will also need the smb.conf file? I think it depends
>on how to reproduce this.
>
>
>Regards,
>Bastian
>
>- --
>,''`. Bastian Kleineidam
>: :' : GnuPG key
>`. `' gpg --keyserver wwwkeys.pgp.net --recv-keys 32EC6F3E
>`-
>
# Samba config file created using SWAT
# from 127.0.0.1 (127.0.0.1)
# Date: 2004/05/17 16:17:32
# Global parameters
[global]
workgroup = UPCNET
realm = ad.upcnet.es
server string = %h server (Samba %v)
security = ADS
encrypt passwords = true
syslog = 0
log file = /var/log/samba/log.%m
netbios name = l%h
max log size = 1000
load printers = No
dns proxy = No
ldap ssl = no
panic action = "" %d
password server = barber.ad.upcnet.es millet.ad.upcnet.es
passdb backend = tdbsam guest
obey pam restrictions = yes
invalid users = root
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
idmap uid = 10000-20000
idmap gid = 10000-20000
template homedir = /home/%U
winbind separator = +
# winbind enum users = yes
winbind enum users = no
# winbind enum groups = yes
winbind enum groups = no
template shell = /bin/bash
winbind use default domain = Yes
include = /etc/taj/samba.inc.conf
[homes]
comment = Home Directories
create mask = 0700
directory mask = 0700
browseable = No
[printers]
comment = All Printers
path = /tmp
create mask = 0700
printable = Yes
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
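A small lint, added here as an example and not part of the bug report or of pam_mount itself, for the two conditions the posted files' own comments warn about: a "sufficient" module placed ahead of pam_mount in a PAM stack (common-pammount says pam_mount is then not executed), and luserconf enabled together with options_allow * (pam_mount.conf recommends not permitting suid and dev). The sample stack and conf lines are constructed to resemble the posted ones, with the ordering problem deliberately present.

```python
# Constructed sample input: a stack like the one posted, but with a 'sufficient'
# module before pam_mount so the check has something to flag.
SAMPLE_PAM = """
auth sufficient pam_winbind.so use_first_pass
auth optional pam_mount.so use_first_pass
session required pam_mkhomedir.so skel=/etc/skel umask=0022
session optional pam_mount.so
"""
# Constructed: the luserconf/options lines as they appear in the posted conf.
SAMPLE_MOUNT_CONF = """
luserconf .pam_mount.conf
options_allow *
options_require nosuid,nodev
"""

def parse_pam(text):
    """Return (type, control, module) for each non-comment, non-include line."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and not parts[0].startswith(("#", "@include")):
            rows.append((parts[0], parts[1], parts[2]))
    return rows

def sufficient_before_pam_mount(text):
    """Stack types where a 'sufficient' entry precedes pam_mount.so: a success
    there ends the stack early and pam_mount never runs (pam_mount README)."""
    flagged, seen = [], set()
    for typ, control, module in parse_pam(text):
        if module == "pam_mount.so" and typ in seen:
            flagged.append(typ)
        elif control == "sufficient":
            seen.add(typ)
    return flagged

def luserconf_findings(text):
    """Findings for per-user volume settings the conf's own comments advise against."""
    conf = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            key, _, value = line.strip().partition(" ")
            conf[key] = value.strip()
    if "luserconf" not in conf:
        return []  # per-user volumes disabled: nothing to check
    findings = []
    if "*" in conf.get("options_allow", "").split(","):
        findings.append("options_allow * permits suid and dev for user volumes")
    missing = sorted({"nosuid", "nodev"} - set(conf.get("options_require", "").split(",")))
    if missing:
        findings.append("options_require lacks " + ",".join(missing))
    return findings
```

Run both functions over the real /etc/pam.d/* and /etc/security/pam_mount.conf contents to get the same findings for a live host.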