Description of Problem: I am unable to get SAMBA to work with the
pam_time.so module. I have the following in /etc/pam.d/samba:
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_time.so
And in /etc/security/time.conf:
I was using that time range for testing.
My log files get this when trying to login to the SAMBA server:
pam_time: couldn't get the tty name
How does SAMBA get the tty name?
How Reproducible: enable pam_time.so in /etc/pam.d/samba
Steps to Reproduce:
1. Log into SAMBA server with a windows client
Actual Results: error in messages / login fails
Expected Results: Denied login during specified time in
/etc/security/time.conf, othewise allow login to SAMBA server
Forgot to mention I am running samba-2.0.8-1.7.1
Samba clients connecting to a server don't get a tty allocated to them (contrast
with telnet, which allocates a tty for each connecting client), so pam_time will
always fail by design.
Samba 2.2.0 and above allocate themselves 'samba' as the tty to work around
this. You will need 2.2.0 for this kind of pam support, as the 2.0 series only
uses PAM for password checking.
Thanks for the info - I'll check out the rawhide version of SAMBA.
The rawhide version works great using pam_time.so. One more question: does
anyone know how I would implement groups? For example, if I wanted to deny
access for a certain group (from /etc/group) for a certain time period, how
would I do this? It works great for listing several users, but it would be nice
to use groups that have already been setup. TIA for any information or links to