[Nottingham] samba/pam

Graeme Fowler graeme at graemef.net
Sat Jan 1 21:33:57 GMT 2005


On Sat, 1 Jan 2005, Mike Cardwell wrote:
> I am trying to get Samba to work with pam_mysql so when a user tries to 
> access a share, it authenticates them from a MySQL database.
<snip>
> [testshare]
>          comment = testshare
>          path = /home/testshare/%U
>          writeable = Yes
>          browseable = No
>          hide dot files = yes
>          guest ok = no
>          create mask = 0777
>          directory mask = 0777
>          root preexec = mkdir /home/testshare/%U &>/dev/null

So... you're saying guest logins are not permitted. Dumb question follows 
below!

> auth required pam_mysql.so user=USERNAME passwd=PASSWORD host=LOCALHOST
> db=DATABASE usercolumn=user_id crypt=2 passwdcolumn=password table=user
> 
> account required pam_mysql.so user=USERNAME passwd=PASSWORD host=LOCALHOST
> db=DATABASE usercolumn=user_id crypt=2 passwdcolumn=password table=user
> 
> password required pam_mysql.so user=USERNAME passwd=PASSWORD host=LOCALHOST
> db=DATABASE usercolumn=user_id crypt=2 passwdcolumn=password table=user
> 
> session required pam_mysql.so user=USERNAME passwd=PASSWORD host=LOCALHOST
> db=DATABASE usercolumn=user_id crypt=2 passwdcolumn=password table=user
<snip> 
> mike at server:~$ smbclient //localhost/testshare -U 2
> Password:
> session setup failed: NT_STATUS_LOGON_FAILURE
> 
> Here is the error message from log.smbd:
> 
> [2005/01/01 19:55:32, 0] auth/pampass.c:smb_pam_passcheck(810)
>    smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User 2 !

...so the users aren't UNIX users at all; do we assume at this point that 
there's no corresponding UID/GID in the PAM database? If that's the case, how 
does samba know who to give/not give file access permissions to?

It could be the case that the auth is actually working, but it fails to 
complete inside samba because it cannot map the user correctly - as you 
knocked guest access on the head, that would very much be the case.

Try with "guest ok = yes", and see what happens.

Failing that, strace is probably your best friend here. It should, ideally, 
point to where the auth failure is coming from. I'd expect to find a UID/GID 
problem from it. You might end up adding a mysql section to your pam config 
for "system" users, but not allow them any access other than via Samba. 
Therein lies one of the problems of PAM - it's so pluggable and modular it 
gets stupidly complex at times!

Graeme
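
Added example, not part of the original message or of Samba: a quick way to test the hypothesis raised in the reply, by pulling the rejected user name out of the `smb_pam_passcheck` log line and checking whether it resolves to a UNIX UID/GID through NSS. The function names are hypothetical and the sample log is constructed from the excerpt quoted in the thread.

```python
import pwd
import re

# Matches the rejection line smbd logs from smb_pam_passcheck, as quoted above.
REJECT_RE = re.compile(
    r"smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User (\S+) !"
)

# Constructed sample: the log.smbd excerpt quoted in the thread.
SAMPLE_LOG = """\
[2005/01/01 19:55:32, 0] auth/pampass.c:smb_pam_passcheck(810)
  smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User 2 !
"""


def rejected_users(log_text):
    """Return the distinct user names smbd rejected, in first-seen order."""
    seen = []
    for name in REJECT_RE.findall(log_text):
        if name not in seen:
            seen.append(name)
    return seen


def nss_lookup(name):
    """Resolve a name through NSS (passwd plus whatever nsswitch.conf adds)."""
    try:
        entry = pwd.getpwnam(name)
    except KeyError:
        return None
    return entry.pw_uid, entry.pw_gid


def diagnose(log_text, lookup=nss_lookup):
    """Map each rejected user to (uid, gid), or None when no UNIX account exists."""
    return {name: lookup(name) for name in rejected_users(log_text)}


if __name__ == "__main__":
    for name, ids in diagnose(SAMPLE_LOG).items():
        if ids is None:
            # Users that exist only in the MySQL table end up here.
            print(f"{name}: no passwd entry via NSS, so there is no UID/GID to map to")
        else:
            print(f"{name}: uid={ids[0]} gid={ids[1]}, so check the PAM stack itself")
```

A `None` result for a user that does exist in the MySQL table supports the UID/GID mapping explanation; a resolved UID/GID points back at the PAM configuration.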



