On Thu, 8 Apr 2004 15:57:03 +0200
Paul de Vrieze <pauldv@g.o> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Thursday 08 April 2004 15:42, Volkov Peter Alexandrovich wrote:
> > Hi.
> >
> > I have a Samba server. I'd like to use it as a WINS server and, as this
> > computer is only a samba server, it's a good idea to make it the local
> > master browser. It's OK with the configuration of PAM, but some time after
> > the server was up users began to blame me for bad network browsing. I
> > blame PAM.
> >
> > The first sign was during ssh login. It takes a long time to connect on
> > an absolutely free server! Then during system startup after starting
> > the last service everything hangs for >20 seconds and only after this I can
> > see login invitation.
> >
> > Yesterday I rebuilt the system from stage 3, and for 1 day everything
> > worked very fast (as it must work) but now again this delay doesn't
> > allow users to browse in a normal way (As this computer is local
> > master browser (NBT)).
> >
> > A little experiment to understand that it is really PAM. I've started
> > sshd -d to see what is going on. So: file-server root # sshd -d

> > As Samba uses PAM for authentication for now I am sure that it is
> > PAM that slows down the whole windows networking.
>
> How is your pam authentication set up? What are the contents
> of /etc/pam.d/sshd, /etc/pam.d/system-auth
> and /etc/pam.d/system-auth-winbind?

I did not change the contents of these files. But to be sure here it is:
file-server etc # cat /etc/pam.d/sshd
#%PAM-1.0

auth required pam_stack.so service=system-auth
auth required pam_shells.so
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
file-server etc # cat /etc/pam.d/system-auth
#%PAM-1.0

auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so

account required /lib/security/pam_unix.so

password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok md5 shadow use_authtok
password required /lib/security/pam_deny.so

session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
file-server etc # cat /etc/pam.d/system-auth-winbind
#%PAM-1.0
# $Header: /home/cvsroot/gentoo-x86/net-fs/samba/files/system-auth-winbind,v 1.1 2002/05/06 19:57:08 woodchip Exp $

auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so likeauth nullok use_first_pass
auth required /lib/security/pam_deny.so

account sufficient /lib/security/pam_winbind.so
account required /lib/security/pam_unix.so

password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so

session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so

> If you use system-auth-winbind, then don't use pam authentication for
> samba.

I don't know what system-auth-winbind is (/etc/pam.d/system-auth-winbind?), so I guess I don't use it.

> Also in general using standard authentication for samba is quite
> insecure.

What are the better ways to authenticate users than the standard way?

> It seems that the problem is caused by some kind of
> authentication loop.

How can I find this loop?

______________________________________

Volkov Peter, <pvolkov@××××××××.su>
Moscow State University, Phys. Dep.
______________________________________

Linux 2.4.25 i686
Mobile Intel(R) Celeron(R) CPU 1.60GHz

--
gentoo-security@g.o mailing list
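
One way to check which modules a service really runs with the files posted above, as an added example that is not part of the original message: it flattens `pam_stack.so service=` references per management group, reports whether `pam_winbind.so` is reachable, and raises on a recursive reference. The `samba` entry is a hypothetical service file (the message does not show one), and only one-word control fields are handled.

```python
GROUPS = ("auth", "account", "password", "session")

# auth/account lines copied from the files quoted in the message; "samba" is a
# hypothetical service file, constructed to show a stack that does reach winbind.
PAM_D = {
    "sshd": "auth required pam_stack.so service=system-auth\n"
            "auth required pam_shells.so\n"
            "auth required pam_nologin.so\n"
            "account required pam_stack.so service=system-auth\n",
    "system-auth": "auth required /lib/security/pam_env.so\n"
                   "auth sufficient /lib/security/pam_unix.so likeauth nullok\n"
                   "auth required /lib/security/pam_deny.so\n"
                   "account required /lib/security/pam_unix.so\n",
    "system-auth-winbind": "auth required /lib/security/pam_env.so\n"
                           "auth sufficient /lib/security/pam_winbind.so\n"
                           "auth sufficient /lib/security/pam_unix.so likeauth nullok use_first_pass\n"
                           "auth required /lib/security/pam_deny.so\n"
                           "account sufficient /lib/security/pam_winbind.so\n"
                           "account required /lib/security/pam_unix.so\n",
    "samba": "auth required pam_stack.so service=system-auth-winbind\n",
}

def flatten(service, mgmt, files, seen=()):
    """Ordered (control, module) list for one management group, following
    pam_stack.so service=NAME; raises RecursionError on a recursive reference."""
    if service in seen:
        raise RecursionError(" -> ".join(seen + (service,)))
    out = []
    for line in files[service].splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        group, control, module, *args = line.split()  # assumes one-word control
        if group != mgmt:
            continue
        name = module.rsplit("/", 1)[-1]  # /lib/security/pam_unix.so -> pam_unix.so
        target = next((a[len("service="):] for a in args if a.startswith("service=")), None)
        if name == "pam_stack.so" and target:
            out += flatten(target, mgmt, files, seen + (service,))
        else:
            out.append((control, name))
    return out

def reaches(service, module, files):
    """Management groups in which `service` ends up calling `module`."""
    return [g for g in GROUPS if any(m == module for _, m in flatten(service, g, files))]

if __name__ == "__main__":
    for svc in ("sshd", "samba"):
        print(svc, "auth:", flatten(svc, "auth", PAM_D))
        print(svc, "calls pam_winbind.so in:", reaches(svc, "pam_winbind.so", PAM_D))
```

On a live system the same functions can be fed a dict built by reading each file under /etc/pam.d.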