ADS, pam_winbind and vsftpd


ADS, pam_winbind and vsftpd

by Stefan G. Weichinger-3


Greets ... I am not getting it.

I have samba (old one, 3.0.22-11-SUSE-CODE10) in an ADS-context, winbind
works OK ...

I am trying to connect vsftpd to winbind via PAM, this works TOO GOOD ;-)

currently I am able to login to vsftpd with ANY password, that's bad.

I am not understanding that PAM-stuff and I have some pressure to get
that ftp-server up, so please would someone help me out?

My file:

This one is heavily edited now, as I played trial and error for hours.

# cat /etc/pam.d/vsftpd
#%PAM-1.0

# Uncomment this to achieve what used to be ftpd -A.
# auth required pam_listfile.so item=user sense=allow file=/etc/ftpchroot onerr=fail

auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth       sufficient   /lib/security/pam_winbind.so
auth       required     /lib/security/pam_shells.so

account sufficient pam_winbind.so
account required pam_unix2.so

password required       pam_pwcheck.so nullok
password required       pam_unix2.so    nullok use_first_pass use_authtok

session required pam_limits.so
session required pam_unix2.so

---

The logs show (I used a correct user and a wrong password):

Nov  5 09:55:25 comm01 vsftpd: Thu Nov  5 09:55:25 2009 [pid 6323] CONNECT: Client "MY.IP.HERE"
Nov  5 09:55:32 comm01 pam_winbind[6322]: request failed: Wrong Password, PAM error was 7, NT error was NT_STATUS_WRONG_PASSWORD
Nov  5 09:55:32 comm01 pam_winbind[6322]: user `DOM\user' denied access (incorrect password or invalid membership)
Nov  5 09:55:32 comm01 pam_winbind[6322]: user 'DOM\user' OK
Nov  5 09:55:32 comm01 pam_winbind[6322]: user 'DOM\user' granted access

Why does it deny first and then grant access anyway?

Is it a bug in the old samba-release or just my mistake?

Thanks for any help on this, I just don't see it ...

Stefan
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: ADS, pam_winbind and vsftpd

by Stefan G. Weichinger-3

Stefan G. Weichinger wrote:

> Is it a bug in the old samba-release or just my mistake?

Should be my mistake. Upgrade samba now, same behavior.
So it is my stupid config ...
S

Re: ADS, pam_winbind and vsftpd

by Veiko Kukk-2

Stefan G. Weichinger wrote:
> currently I am able to login to vsftpd with ANY password, that's bad.
>
> I am not understanding that PAM-stuff and I have some pressure to get
> that ftp-server up, so please would someone help me out?

I have a working pam-vsftpd configuration

/etc/pam.d/vsftpd contains

auth required pam_winbind.so
account required pam_winbind.so
password required pam_winbind.so
session required pam_winbind.so

and in vsftpd conf I have
pam_service_name=vsftpd

Centos 5.4, samba from Sernet "recent" repo.
Upgrading from 3.0.x to 3.3.x made winbind *a lot faster*, reducing cpu
load.

--
Veiko



Re: ADS, pam_winbind and vsftpd

by Stefan G. Weichinger-3

Stefan G. Weichinger wrote:
> Stefan G. Weichinger wrote:
>
>> Is it a bug in the old samba-release or just my mistake?
>
> Should be my mistake. Upgrade samba now, same behavior.
> So it is my stupid config ...

And one more follow-up-myself ... but maybe helpful for others searching
the web in the future ...

-->

It works now.

Edited /etc/pam.d/vsftpd to include the common files:

# cat vsftpd
auth include        common-auth
account  include        common-account
password include        common-password
session include        common-session

while those included files are:

# cat common-auth
auth    sufficient      pam_winbind.so
auth    required        pam_unix.so nullok_secure use_first_pass

# cat common-account
account sufficient pam_winbind.so
account required pam_unix2.so

# cat common-password
password sufficient pam_winbind.so
password required       pam_pwcheck.so nullok
password required       pam_unix2.so    nullok use_first_pass use_authtok

# cat common-session
session required pam_limits.so
session required pam_unix2.so

---

I tested by using right and wrong password, looks OK to me.
Could someone please let me know if this PAM-setup is safe?

Thanks a lot ... Stefan
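Why the first /etc/pam.d/vsftpd accepted any password while the common-auth version rejects a wrong one can be checked by modelling the PAM control flags: in the original auth stack the only password-checking module is `sufficient`, so its failure is simply ignored and the `required` pam_listfile and pam_shells entries carry the stack to success; in the fixed stack a `required` pam_unix follows. This is an added example, not code from the thread; the two stacks are copied from the posted configs, and the per-module outcomes (pam_listfile and pam_shells accept the user, pam_winbind and pam_unix reject a wrong password) are constructed assumptions.

```python
# Added example: a small model of Linux-PAM control-flag semantics, run against
# the two auth stacks posted in this thread (not code from the thread itself).
ORIGINAL_AUTH = """
auth required   pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth sufficient /lib/security/pam_winbind.so
auth required   /lib/security/pam_shells.so
"""

FIXED_AUTH = """
auth sufficient pam_winbind.so
auth required   pam_unix.so nullok_secure use_first_pass
"""

def parse_stack(text, phase="auth"):
    """Return [(control, module)] for one management group of a pam.d file."""
    stack = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == phase:
            # drop any /lib/security/ prefix so both spellings compare equal
            stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack

def evaluate(stack, outcome):
    """required: failure remembered, stack keeps running; requisite: failure
    ends the stack; sufficient: success ends the stack unless a required
    module already failed, failure is ignored; optional: counts only alone."""
    failed = False
    only_optional = all(c == "optional" for c, _ in stack)
    for control, module in stack:
        ok = outcome.get(module, False)  # unknown module counts as failure
        if control == "required" and not ok:
            failed = True
        elif control == "requisite" and not ok:
            return False
        elif control == "sufficient" and ok and not failed:
            return True
        elif control == "optional" and only_optional and not ok:
            failed = True
    return not failed

def auth_result(stack_text, password_correct):
    """Constructed outcomes: the user exists, has a valid shell and is not in
    /etc/ftpusers; only pam_winbind and pam_unix actually check the password."""
    outcome = {"pam_listfile.so": True, "pam_shells.so": True,
               "pam_winbind.so": password_correct, "pam_unix.so": password_correct}
    return evaluate(parse_stack(stack_text), outcome)

print("original, wrong password:", auth_result(ORIGINAL_AUTH, False))  # True
print("fixed, wrong password:   ", auth_result(FIXED_AUTH, False))     # False
```

The same model also explains the log lines in the first post: the "denied access" comes from the auth phase, while "OK" / "granted access" come from the account phase, where `account sufficient pam_winbind.so` succeeds because that phase never looks at the password.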

Re: ADS, pam_winbind and vsftpd

by Stefan G. Weichinger-3

Veiko Kukk wrote:

> I have a working pam-vsftpd configuration
>
> /etc/pam.d/vsftpd contains
>
> auth required pam_winbind.so
> account required pam_winbind.so
> password required pam_winbind.so
> session required pam_winbind.so
>
> and in vsftpd conf I have
> pam_service_name=vsftpd

Thank you!

> Centos 5.4, samba from Sernet "recent" repo.
> Upgrading from 3.0.x to 3.3.x made winbind *a lot faster*, reducing cpu
> load.

I was a bit conservative at first and went to 3.0.33 (from 3.0.22) for a
start.

Old box there, I didn't want to break things.
And it's a rather small box with only a few users using the shares so
performance isn't an issue.

Thanks anyway for the info, I might consider this on other servers.

Stefan