diff options
author | John Terpstra <jht@samba.org> | 2003-04-24 00:46:28 +0000 |
---|---|---|
committer | John Terpstra <jht@samba.org> | 2003-04-24 00:46:28 +0000 |
commit | 665198ea2ffea3550b6c2fd53a0dfab3dcf05e71 (patch) | |
tree | c56e2e2ec48962fba51c12d509ff0102f5503d0f /docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml | |
parent | 203795681cfef4a19887be2b79a28c5031c0ce7d (diff) | |
download | samba-665198ea2ffea3550b6c2fd53a0dfab3dcf05e71.tar.gz samba-665198ea2ffea3550b6c2fd53a0dfab3dcf05e71.tar.bz2 samba-665198ea2ffea3550b6c2fd53a0dfab3dcf05e71.zip |
More updates: Fix typo in VFS docs, added docs on pam_smbpass.so to PAM.
(This used to be commit a1d6d56ba0af75282fb0d90db84ae8bbfa1836e0)
Diffstat (limited to 'docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml')
-rw-r--r-- | docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml | 223 |
1 files changed, 202 insertions, 21 deletions
diff --git a/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml b/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml index ac9385f3de..a95baf0281 100644 --- a/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml +++ b/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml @@ -165,27 +165,7 @@ life though, every decision makes trade-offs, so you may want examine the PAM documentation for further helpful information. </para></note> -</sect1> - -<sect1> -<title>Distributed Authentication</title> - -<para> -The astute administrator will realize from this that the -combination of <filename>pam_smbpass.so</filename>, -<command>winbindd</command>, and a distributed -passdb backend, such as ldap, will allow the establishment of a -centrally managed, distributed -user/password database that can also be used by all -PAM (eg: Linux) aware programs and applications. This arrangement -can have particularly potent advantages compared with the -use of Microsoft Active Directory Service (ADS) in so far as -reduction of wide area network authentication traffic. -</para> - -</sect1> - -<sect1> +<sect2> <title>PAM Configuration in smb.conf</title> <para> @@ -210,5 +190,206 @@ password encryption. <para>Default: <command>obey pam restrictions = no</command></para> +</sect2> + +<sect2> +<title>Password Synchronisation using pam_smbpass.so</title> + +<para> +pam_smbpass is a PAM module which can be used on conforming systems to +keep the smbpasswd (Samba password) database in sync with the unix +password file. PAM (Pluggable Authentication Modules) is an API supported +under some Unices, such as Solaris, HPUX and Linux, that provides a +generic interface to authentication mechanisms. +</para> + +<para> +For more information on PAM, see http://ftp.kernel.org/pub/linux/libs/pam/ +</para> + +<para> +This module authenticates a local smbpasswd user database. If you require +support for authenticating against a remote SMB server, or if you're +concerned about the presence of suid root binaries on your system, it is +recommended that you use one of the other two following modules +</para> + +<para><programlisting> + pam_smb - http://www.csn.ul.ie/~airlied/pam_smb/ + authenticates against any remote SMB server + + pam_ntdom - ftp://ftp.samba.org/pub/samba/pam_ntdom/ + authenticates against an NT or Samba domain controller + +Options recognized by this module are as follows: + + debug - log more debugging info + audit - like debug, but also logs unknown usernames + use_first_pass - don't prompt the user for passwords; + take them from PAM_ items instead + try_first_pass - try to get the password from a previous + PAM module, fall back to prompting the user + use_authtok - like try_first_pass, but *fail* if the new + PAM_AUTHTOK has not been previously set. + (intended for stacking password modules only) + not_set_pass - don't make passwords used by this module + available to other modules. + nodelay - don't insert ~1 second delays on authentication + failure. + nullok - null passwords are allowed. + nonull - null passwords are not allowed. Used to + override the Samba configuration. + migrate - only meaningful in an "auth" context; + used to update smbpasswd file with a + password used for successful authentication. + smbconf=< file > - specify an alternate path to the smb.conf + file. +</programlisting><para> + +<para><programlisting> +Thanks go to the following people: + + * Andrew Morgan < morgan@transmeta.com >, for providing the Linux-PAM + framework, without which none of this would have happened + + * Christian Gafton < gafton@redhat.com > and Andrew Morgan again, for the + pam_pwdb module upon which pam_smbpass was originally based + + * Luke Leighton < lkcl@switchboard.net > for being receptive to the idea, + and for the occasional good-natured complaint about the project's status + that keep me working on it :) + + * and of course, all the other members of the Samba team + < http://www.samba.org/samba/team.html >, for creating a great product + and for giving this project a purpose + + --------------------- + Stephen Langasek < vorlon@netexpress.net > +</programlisting></para> + +<para> +The following are examples of the use of pam_smbpass.so in the format of Linux +<filename>/etc/pam.d/</filename> files structure. Those wishing to implement this +tool on other platforms will need to adapt this appropriately. +</para> + +<sect3> +<title>Password Synchonisation Configuration</title> + +<para> +A sample PAM configuration that shows the use of pam_smbpass to make +sure private/smbpasswd is kept in sync when /etc/passwd (/etc/shadow) +is changed. Useful when an expired password might be changed by an +application (such as ssh). +</para> + +<para><programlisting> + #%PAM-1.0 + # password-sync + # + auth requisite pam_nologin.so + auth required pam_unix.so + account required pam_unix.so + password requisite pam_cracklib.so retry=3 + password requisite pam_unix.so shadow md5 use_authtok try_first_pass + password required pam_smbpass.so nullok use_authtok try_first_pass + session required pam_unix.so +</programlisting></para> +</sect3> + +<sect3> +<title>Password Migration Configuration</title> + +<para> +A sample PAM configuration that shows the use of pam_smbpass to migrate +from plaintext to encrypted passwords for Samba. Unlike other methods, +this can be used for users who have never connected to Samba shares: +password migration takes place when users ftp in, login using ssh, pop +their mail, etc. +</para> + +<para><programlisting> + #%PAM-1.0 + # password-migration + # + auth requisite pam_nologin.so + # pam_smbpass is called IFF pam_unix succeeds. + auth requisite pam_unix.so + auth optional pam_smbpass.so migrate + account required pam_unix.so + password requisite pam_cracklib.so retry=3 + password requisite pam_unix.so shadow md5 use_authtok try_first_pass + password optional pam_smbpass.so nullok use_authtok try_first_pass + session required pam_unix.so +</programlisting></para> +</sect3> + +<sect3> +<title>Mature Password Configuration</title> + +<para> +A sample PAM configuration for a 'mature' smbpasswd installation. +private/smbpasswd is fully populated, and we consider it an error if +the smbpasswd doesn't exist or doesn't match the Unix password. +</para> + +<para><programlisting> + #%PAM-1.0 + # password-mature + # + auth requisite pam_nologin.so + auth required pam_unix.so + account required pam_unix.so + password requisite pam_cracklib.so retry=3 + password requisite pam_unix.so shadow md5 use_authtok try_first_pass + password required pam_smbpass.so use_authtok use_first_pass + session required pam_unix.so +</programlisting></para> +</sect3> + +<sect3> +<title>Kerberos Password Integration Configuration</title> + +<para> +A sample PAM configuration that shows pam_smbpass used together with +pam_krb5. This could be useful on a Samba PDC that is also a member of +a Kerberos realm. +</para> + +<para><programlisting> + #%PAM-1.0 + # kdc-pdc + # + auth requisite pam_nologin.so + auth requisite pam_krb5.so + auth optional pam_smbpass.so migrate + account required pam_krb5.so + password requisite pam_cracklib.so retry=3 + password optional pam_smbpass.so nullok use_authtok try_first_pass + password required pam_krb5.so use_authtok try_first_pass + session required pam_krb5.so +</programlisting></para> +</sect3> + +</sect2> </sect1> + +<sect1> +<title>Distributed Authentication</title> + +<para> +The astute administrator will realize from this that the +combination of <filename>pam_smbpass.so</filename>, +<command>winbindd</command>, and a distributed +passdb backend, such as ldap, will allow the establishment of a +centrally managed, distributed +user/password database that can also be used by all +PAM (eg: Linux) aware programs and applications. This arrangement +can have particularly potent advantages compared with the +use of Microsoft Active Directory Service (ADS) in so far as +reduction of wide area network authentication traffic. +</para> + +</sect1> + </chapter> |