summaryrefslogtreecommitdiff
path: root/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml
diff options
context:
space:
mode:
authorJelmer Vernooij <jelmer@samba.org>2003-05-01 13:58:23 +0000
committerJelmer Vernooij <jelmer@samba.org>2003-05-01 13:58:23 +0000
commitb39559c4e52b9f83a9f57510e490d0a75dbbe0df (patch)
tree5c03dbf63e6fd1c4781f4fd1eef3ec1e386390a6 /docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml
parent866fce117e793e7997c6433bb9289489782a8deb (diff)
downloadsamba-b39559c4e52b9f83a9f57510e490d0a75dbbe0df.tar.gz
samba-b39559c4e52b9f83a9f57510e490d0a75dbbe0df.tar.bz2
samba-b39559c4e52b9f83a9f57510e490d0a75dbbe0df.zip
Merge over Alexanders' conversion to docbook XML
(This used to be commit e75624c382d640747b54ba43f134fa043d23b7fe)
Diffstat (limited to 'docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml')
-rw-r--r--docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml389
1 files changed, 0 insertions, 389 deletions
diff --git a/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml b/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml
deleted file mode 100644
index 90a07a13bd..0000000000
--- a/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml
+++ /dev/null
@@ -1,389 +0,0 @@
-<chapter id="pam">
-<chapterinfo>
- &author.jht;
- <pubdate> (Jun 21 2001) </pubdate>
-</chapterinfo>
-
-<title>PAM Configuration for Centrally Managed Authentication</title>
-
-<sect1>
-<title>Samba and PAM</title>
-
-<para>
-A number of Unix systems (eg: Sun Solaris), as well as the
-xxxxBSD family and Linux, now utilize the Pluggable Authentication
-Modules (PAM) facility to provide all authentication,
-authorization and resource control services. Prior to the
-introduction of PAM, a decision to use an alternative to
-the system password database (<filename>/etc/passwd</filename>)
-would require the provision of alternatives for all programs that provide
-security services. Such a choice would involve provision of
-alternatives to such programs as: <command>login</command>,
-<command>passwd</command>, <command>chown</command>, etc.
-</para>
-
-<para>
-PAM provides a mechanism that disconnects these security programs
-from the underlying authentication/authorization infrastructure.
-PAM is configured either through one file <filename>/etc/pam.conf</filename> (Solaris),
-or by editing individual files that are located in <filename>/etc/pam.d</filename>.
-</para>
-
-<note>
- <para>
- If the PAM authentication module (loadable link library file) is located in the
- default location then it is not necessary to specify the path. In the case of
- Linux, the default location is <filename>/lib/security</filename>. If the module
- is located outside the default then the path must be specified as:
-
- <programlisting>
- auth required /other_path/pam_strange_module.so
- </programlisting>
- </para>
-</note>
-
-<para>
-The following is an example <filename>/etc/pam.d/login</filename> configuration file.
-This example had all options been uncommented is probably not usable
-as it stacks many conditions before allowing successful completion
-of the login process. Essentially all conditions can be disabled
-by commenting them out except the calls to <filename>pam_pwdb.so</filename>.
-</para>
-
-<para><programlisting>
- #%PAM-1.0
- # The PAM configuration file for the `login' service
- #
- auth required pam_securetty.so
- auth required pam_nologin.so
- # auth required pam_dialup.so
- # auth optional pam_mail.so
- auth required pam_pwdb.so shadow md5
- # account requisite pam_time.so
- account required pam_pwdb.so
- session required pam_pwdb.so
- # session optional pam_lastlog.so
- # password required pam_cracklib.so retry=3
- password required pam_pwdb.so shadow md5
-</programlisting></para>
-
-<para>
-PAM allows use of replacable modules. Those available on a
-sample system include:
-</para>
-
-<para><prompt>$</prompt><userinput>/bin/ls /lib/security</userinput>
-<programlisting>
- pam_access.so pam_ftp.so pam_limits.so
- pam_ncp_auth.so pam_rhosts_auth.so pam_stress.so
- pam_cracklib.so pam_group.so pam_listfile.so
- pam_nologin.so pam_rootok.so pam_tally.so
- pam_deny.so pam_issue.so pam_mail.so
- pam_permit.so pam_securetty.so pam_time.so
- pam_dialup.so pam_lastlog.so pam_mkhomedir.so
- pam_pwdb.so pam_shells.so pam_unix.so
- pam_env.so pam_ldap.so pam_motd.so
- pam_radius.so pam_smbpass.so pam_unix_acct.so
- pam_wheel.so pam_unix_auth.so pam_unix_passwd.so
- pam_userdb.so pam_warn.so pam_unix_session.so
-</programlisting></para>
-
-<para>
-The following example for the login program replaces the use of
-the <filename>pam_pwdb.so</filename> module which uses the system
-password database (<filename>/etc/passwd</filename>,
-<filename>/etc/shadow</filename>, <filename>/etc/group</filename>) with
-the module <filename>pam_smbpass.so</filename> which uses the Samba
-database which contains the Microsoft MD4 encrypted password
-hashes. This database is stored in either
-<filename>/usr/local/samba/private/smbpasswd</filename>,
-<filename>/etc/samba/smbpasswd</filename>, or in
-<filename>/etc/samba.d/smbpasswd</filename>, depending on the
-Samba implementation for your Unix/Linux system. The
-<filename>pam_smbpass.so</filename> module is provided by
-Samba version 2.2.1 or later. It can be compiled by specifying the
-<command>--with-pam_smbpass</command> options when running Samba's
-<filename>configure</filename> script. For more information
-on the <filename>pam_smbpass</filename> module, see the documentation
-in the <filename>source/pam_smbpass</filename> directory of the Samba
-source distribution.
-</para>
-
-<para><programlisting>
- #%PAM-1.0
- # The PAM configuration file for the `login' service
- #
- auth required pam_smbpass.so nodelay
- account required pam_smbpass.so nodelay
- session required pam_smbpass.so nodelay
- password required pam_smbpass.so nodelay
-</programlisting></para>
-
-<para>
-The following is the PAM configuration file for a particular
-Linux system. The default condition uses <filename>pam_pwdb.so</filename>.
-</para>
-
-<para><programlisting>
- #%PAM-1.0
- # The PAM configuration file for the `samba' service
- #
- auth required pam_pwdb.so nullok nodelay shadow audit
- account required pam_pwdb.so audit nodelay
- session required pam_pwdb.so nodelay
- password required pam_pwdb.so shadow md5
-</programlisting></para>
-
-<para>
-In the following example the decision has been made to use the
-smbpasswd database even for basic samba authentication. Such a
-decision could also be made for the passwd program and would
-thus allow the smbpasswd passwords to be changed using the passwd
-program.
-</para>
-
-<para><programlisting>
- #%PAM-1.0
- # The PAM configuration file for the `samba' service
- #
- auth required pam_smbpass.so nodelay
- account required pam_pwdb.so audit nodelay
- session required pam_pwdb.so nodelay
- password required pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf
-</programlisting></para>
-
-<note><para>PAM allows stacking of authentication mechanisms. It is
-also possible to pass information obtained within one PAM module through
-to the next module in the PAM stack. Please refer to the documentation for
-your particular system implementation for details regarding the specific
-capabilities of PAM in this environment. Some Linux implmentations also
-provide the <filename>pam_stack.so</filename> module that allows all
-authentication to be configured in a single central file. The
-<filename>pam_stack.so</filename> method has some very devoted followers
-on the basis that it allows for easier administration. As with all issues in
-life though, every decision makes trade-offs, so you may want examine the
-PAM documentation for further helpful information.
-</para></note>
-
-<sect2>
-<title>PAM Configuration in smb.conf</title>
-
-<para>
-There is an option in smb.conf called <ulink
-url="smb.conf.5.html#OBEYPAMRESTRICTIONS">obey pam restrictions</ulink>.
-The following is from the on-line help for this option in SWAT;
-</para>
-
-<para>
-When Samba is configured to enable PAM support (i.e.
-<constant>--with-pam</constant>), this parameter will
-control whether or not Samba should obey PAM's account
-and session management directives. The default behavior
-is to use PAM for clear text authentication only and to
-ignore any account or session management. Note that Samba always
-ignores PAM for authentication in the case of
-<ulink url="smb.conf.5.html#ENCRYPTPASSWORDS">encrypt passwords = yes</ulink>.
-The reason is that PAM modules cannot support the challenge/response
-authentication mechanism needed in the presence of SMB
-password encryption.
-</para>
-
-<para>Default: <command>obey pam restrictions = no</command></para>
-
-</sect2>
-
-<sect2>
-<title>Password Synchronisation using pam_smbpass.so</title>
-
-<para>
-pam_smbpass is a PAM module which can be used on conforming systems to
-keep the smbpasswd (Samba password) database in sync with the unix
-password file. PAM (Pluggable Authentication Modules) is an API supported
-under some Unices, such as Solaris, HPUX and Linux, that provides a
-generic interface to authentication mechanisms.
-</para>
-
-<para>
-For more information on PAM, see http://ftp.kernel.org/pub/linux/libs/pam/
-</para>
-
-<para>
-This module authenticates a local smbpasswd user database. If you require
-support for authenticating against a remote SMB server, or if you're
-concerned about the presence of suid root binaries on your system, it is
-recommended that you use pam_winbind instead.
-</para>
-
-<para><programlisting>
-Options recognized by this module are as follows:
-
- debug - log more debugging info
- audit - like debug, but also logs unknown usernames
- use_first_pass - don't prompt the user for passwords;
- take them from PAM_ items instead
- try_first_pass - try to get the password from a previous
- PAM module, fall back to prompting the user
- use_authtok - like try_first_pass, but *fail* if the new
- PAM_AUTHTOK has not been previously set.
- (intended for stacking password modules only)
- not_set_pass - don't make passwords used by this module
- available to other modules.
- nodelay - don't insert ~1 second delays on authentication
- failure.
- nullok - null passwords are allowed.
- nonull - null passwords are not allowed. Used to
- override the Samba configuration.
- migrate - only meaningful in an "auth" context;
- used to update smbpasswd file with a
- password used for successful authentication.
- smbconf=&lt file &gt - specify an alternate path to the smb.conf
- file.
-</programlisting></para>
-
-<para><programlisting>
-Thanks go to the following people:
-
- * Andrew Morgan &lt morgan@transmeta.com &gt, for providing the Linux-PAM
- framework, without which none of this would have happened
-
- * Christian Gafton &lt gafton@redhat.com &gt and Andrew Morgan again, for the
- pam_pwdb module upon which pam_smbpass was originally based
-
- * Luke Leighton &lt lkcl@switchboard.net &gt for being receptive to the idea,
- and for the occasional good-natured complaint about the project's status
- that keep me working on it :)
-
- * and of course, all the other members of the Samba team
- &lt http://www.samba.org/samba/team.html &gt, for creating a great product
- and for giving this project a purpose
-
- ---------------------
- Stephen Langasek &lt vorlon@netexpress.net &gt
-</programlisting></para>
-
-<para>
-The following are examples of the use of pam_smbpass.so in the format of Linux
-<filename>/etc/pam.d/</filename> files structure. Those wishing to implement this
-tool on other platforms will need to adapt this appropriately.
-</para>
-
-<sect3>
-<title>Password Synchonisation Configuration</title>
-
-<para>
-A sample PAM configuration that shows the use of pam_smbpass to make
-sure private/smbpasswd is kept in sync when /etc/passwd (/etc/shadow)
-is changed. Useful when an expired password might be changed by an
-application (such as ssh).
-</para>
-
-<para><programlisting>
- #%PAM-1.0
- # password-sync
- #
- auth requisite pam_nologin.so
- auth required pam_unix.so
- account required pam_unix.so
- password requisite pam_cracklib.so retry=3
- password requisite pam_unix.so shadow md5 use_authtok try_first_pass
- password required pam_smbpass.so nullok use_authtok try_first_pass
- session required pam_unix.so
-</programlisting></para>
-</sect3>
-
-<sect3>
-<title>Password Migration Configuration</title>
-
-<para>
-A sample PAM configuration that shows the use of pam_smbpass to migrate
-from plaintext to encrypted passwords for Samba. Unlike other methods,
-this can be used for users who have never connected to Samba shares:
-password migration takes place when users ftp in, login using ssh, pop
-their mail, etc.
-</para>
-
-<para><programlisting>
- #%PAM-1.0
- # password-migration
- #
- auth requisite pam_nologin.so
- # pam_smbpass is called IFF pam_unix succeeds.
- auth requisite pam_unix.so
- auth optional pam_smbpass.so migrate
- account required pam_unix.so
- password requisite pam_cracklib.so retry=3
- password requisite pam_unix.so shadow md5 use_authtok try_first_pass
- password optional pam_smbpass.so nullok use_authtok try_first_pass
- session required pam_unix.so
-</programlisting></para>
-</sect3>
-
-<sect3>
-<title>Mature Password Configuration</title>
-
-<para>
-A sample PAM configuration for a 'mature' smbpasswd installation.
-private/smbpasswd is fully populated, and we consider it an error if
-the smbpasswd doesn't exist or doesn't match the Unix password.
-</para>
-
-<para><programlisting>
- #%PAM-1.0
- # password-mature
- #
- auth requisite pam_nologin.so
- auth required pam_unix.so
- account required pam_unix.so
- password requisite pam_cracklib.so retry=3
- password requisite pam_unix.so shadow md5 use_authtok try_first_pass
- password required pam_smbpass.so use_authtok use_first_pass
- session required pam_unix.so
-</programlisting></para>
-</sect3>
-
-<sect3>
-<title>Kerberos Password Integration Configuration</title>
-
-<para>
-A sample PAM configuration that shows pam_smbpass used together with
-pam_krb5. This could be useful on a Samba PDC that is also a member of
-a Kerberos realm.
-</para>
-
-<para><programlisting>
- #%PAM-1.0
- # kdc-pdc
- #
- auth requisite pam_nologin.so
- auth requisite pam_krb5.so
- auth optional pam_smbpass.so migrate
- account required pam_krb5.so
- password requisite pam_cracklib.so retry=3
- password optional pam_smbpass.so nullok use_authtok try_first_pass
- password required pam_krb5.so use_authtok try_first_pass
- session required pam_krb5.so
-</programlisting></para>
-</sect3>
-
-</sect2>
-</sect1>
-
-<sect1>
-<title>Distributed Authentication</title>
-
-<para>
-The astute administrator will realize from this that the
-combination of <filename>pam_smbpass.so</filename>,
-<command>winbindd</command>, and a distributed
-passdb backend, such as ldap, will allow the establishment of a
-centrally managed, distributed
-user/password database that can also be used by all
-PAM (eg: Linux) aware programs and applications. This arrangement
-can have particularly potent advantages compared with the
-use of Microsoft Active Directory Service (ADS) in so far as
-reduction of wide area network authentication traffic.
-</para>
-
-</sect1>
-
-</chapter>