summaryrefslogtreecommitdiff
path: root/docs/htmldocs/PAM-Authentication-And-Samba.html
diff options
context:
space:
mode:
authorGerald Carter <jerry@samba.org>2002-10-25 15:15:32 +0000
committerGerald Carter <jerry@samba.org>2002-10-25 15:15:32 +0000
commitad0e01e75059bedde6400529f1a5193ef9735e9b (patch)
tree9d5dd6433ca7b564a7f29a44f4bed3168da35da3 /docs/htmldocs/PAM-Authentication-And-Samba.html
parent48216962c4bd2ca71d1900d11d6f4d5e7de83b80 (diff)
downloadsamba-ad0e01e75059bedde6400529f1a5193ef9735e9b.tar.gz
samba-ad0e01e75059bedde6400529f1a5193ef9735e9b.tar.bz2
samba-ad0e01e75059bedde6400529f1a5193ef9735e9b.zip
sync from HEAD
(This used to be commit 2eb7f0acd761a11bb0f24010347247074c5ed49a)
Diffstat (limited to 'docs/htmldocs/PAM-Authentication-And-Samba.html')
-rw-r--r--docs/htmldocs/PAM-Authentication-And-Samba.html318
1 files changed, 0 insertions, 318 deletions
diff --git a/docs/htmldocs/PAM-Authentication-And-Samba.html b/docs/htmldocs/PAM-Authentication-And-Samba.html
deleted file mode 100644
index 6dc815b87b..0000000000
--- a/docs/htmldocs/PAM-Authentication-And-Samba.html
+++ /dev/null
@@ -1,318 +0,0 @@
-<HTML
-><HEAD
-><TITLE
->Configuring PAM for distributed but centrally
-managed authentication</TITLE
-><META
-NAME="GENERATOR"
-CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD
-><BODY
-CLASS="ARTICLE"
-BGCOLOR="#FFFFFF"
-TEXT="#000000"
-LINK="#0000FF"
-VLINK="#840084"
-ALINK="#0000FF"
-><DIV
-CLASS="ARTICLE"
-><DIV
-CLASS="TITLEPAGE"
-><H1
-CLASS="TITLE"
-><A
-NAME="PAM"
->Configuring PAM for distributed but centrally
-managed authentication</A
-></H1
-><HR></DIV
-><DIV
-CLASS="SECT1"
-><H1
-CLASS="SECT1"
-><A
-NAME="AEN3"
->Samba and PAM</A
-></H1
-><P
->A number of Unix systems (eg: Sun Solaris), as well as the
-xxxxBSD family and Linux, now utilize the Pluggable Authentication
-Modules (PAM) facility to provide all authentication,
-authorization and resource control services. Prior to the
-introduction of PAM, a decision to use an alternative to
-the system password database (<TT
-CLASS="FILENAME"
->/etc/passwd</TT
->)
-would require the provision of alternatives for all programs that provide
-security services. Such a choice would involve provision of
-alternatives to such programs as: <B
-CLASS="COMMAND"
->login</B
->,
-<B
-CLASS="COMMAND"
->passwd</B
->, <B
-CLASS="COMMAND"
->chown</B
->, etc.</P
-><P
->PAM provides a mechanism that disconnects these security programs
-from the underlying authentication/authorization infrastructure.
-PAM is configured either through one file <TT
-CLASS="FILENAME"
->/etc/pam.conf</TT
-> (Solaris),
-or by editing individual files that are located in <TT
-CLASS="FILENAME"
->/etc/pam.d</TT
->.</P
-><P
->The following is an example <TT
-CLASS="FILENAME"
->/etc/pam.d/login</TT
-> configuration file.
-This example had all options been uncommented is probably not usable
-as it stacks many conditions before allowing successful completion
-of the login process. Essentially all conditions can be disabled
-by commenting them out except the calls to <TT
-CLASS="FILENAME"
->pam_pwdb.so</TT
->.</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->#%PAM-1.0
-# The PAM configuration file for the `login' service
-#
-auth required pam_securetty.so
-auth required pam_nologin.so
-# auth required pam_dialup.so
-# auth optional pam_mail.so
-auth required pam_pwdb.so shadow md5
-# account requisite pam_time.so
-account required pam_pwdb.so
-session required pam_pwdb.so
-# session optional pam_lastlog.so
-# password required pam_cracklib.so retry=3
-password required pam_pwdb.so shadow md5</PRE
-></P
-><P
->PAM allows use of replacable modules. Those available on a
-sample system include:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->$ /bin/ls /lib/security
-pam_access.so pam_ftp.so pam_limits.so
-pam_ncp_auth.so pam_rhosts_auth.so pam_stress.so
-pam_cracklib.so pam_group.so pam_listfile.so
-pam_nologin.so pam_rootok.so pam_tally.so
-pam_deny.so pam_issue.so pam_mail.so
-pam_permit.so pam_securetty.so pam_time.so
-pam_dialup.so pam_lastlog.so pam_mkhomedir.so
-pam_pwdb.so pam_shells.so pam_unix.so
-pam_env.so pam_ldap.so pam_motd.so
-pam_radius.so pam_smbpass.so pam_unix_acct.so
-pam_wheel.so pam_unix_auth.so pam_unix_passwd.so
-pam_userdb.so pam_warn.so pam_unix_session.so</PRE
-></P
-><P
->The following example for the login program replaces the use of
-the <TT
-CLASS="FILENAME"
->pam_pwdb.so</TT
-> module which uses the system
-password database (<TT
-CLASS="FILENAME"
->/etc/passwd</TT
->,
-<TT
-CLASS="FILENAME"
->/etc/shadow</TT
->, <TT
-CLASS="FILENAME"
->/etc/group</TT
->) with
-the module <TT
-CLASS="FILENAME"
->pam_smbpass.so</TT
-> which uses the Samba
-database which contains the Microsoft MD4 encrypted password
-hashes. This database is stored in either
-<TT
-CLASS="FILENAME"
->/usr/local/samba/private/smbpasswd</TT
->,
-<TT
-CLASS="FILENAME"
->/etc/samba/smbpasswd</TT
->, or in
-<TT
-CLASS="FILENAME"
->/etc/samba.d/smbpasswd</TT
->, depending on the
-Samba implementation for your Unix/Linux system. The
-<TT
-CLASS="FILENAME"
->pam_smbpass.so</TT
-> module is provided by
-Samba version 2.2.1 or later. It can be compiled by specifying the
-<B
-CLASS="COMMAND"
->--with-pam_smbpass</B
-> options when running Samba's
-<TT
-CLASS="FILENAME"
->configure</TT
-> script. For more information
-on the <TT
-CLASS="FILENAME"
->pam_smbpass</TT
-> module, see the documentation
-in the <TT
-CLASS="FILENAME"
->source/pam_smbpass</TT
-> directory of the Samba
-source distribution.</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->#%PAM-1.0
-# The PAM configuration file for the `login' service
-#
-auth required pam_smbpass.so nodelay
-account required pam_smbpass.so nodelay
-session required pam_smbpass.so nodelay
-password required pam_smbpass.so nodelay</PRE
-></P
-><P
->The following is the PAM configuration file for a particular
-Linux system. The default condition uses <TT
-CLASS="FILENAME"
->pam_pwdb.so</TT
->.</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->#%PAM-1.0
-# The PAM configuration file for the `samba' service
-#
-auth required /lib/security/pam_pwdb.so nullok nodelay shadow audit
-account required /lib/security/pam_pwdb.so audit nodelay
-session required /lib/security/pam_pwdb.so nodelay
-password required /lib/security/pam_pwdb.so shadow md5</PRE
-></P
-><P
->In the following example the decision has been made to use the
-smbpasswd database even for basic samba authentication. Such a
-decision could also be made for the passwd program and would
-thus allow the smbpasswd passwords to be changed using the passwd
-program.</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->#%PAM-1.0
-# The PAM configuration file for the `samba' service
-#
-auth required /lib/security/pam_smbpass.so nodelay
-account required /lib/security/pam_pwdb.so audit nodelay
-session required /lib/security/pam_pwdb.so nodelay
-password required /lib/security/pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf</PRE
-></P
-><P
->Note: PAM allows stacking of authentication mechanisms. It is
-also possible to pass information obtained within on PAM module through
-to the next module in the PAM stack. Please refer to the documentation for
-your particular system implementation for details regarding the specific
-capabilities of PAM in this environment. Some Linux implmentations also
-provide the <TT
-CLASS="FILENAME"
->pam_stack.so</TT
-> module that allows all
-authentication to be configured in a single central file. The
-<TT
-CLASS="FILENAME"
->pam_stack.so</TT
-> method has some very devoted followers
-on the basis that it allows for easier administration. As with all issues in
-life though, every decision makes trade-offs, so you may want examine the
-PAM documentation for further helpful information.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H1
-CLASS="SECT1"
-><A
-NAME="AEN47"
->Distributed Authentication</A
-></H1
-><P
->The astute administrator will realize from this that the
-combination of <TT
-CLASS="FILENAME"
->pam_smbpass.so</TT
->,
-<B
-CLASS="COMMAND"
->winbindd</B
->, and <B
-CLASS="COMMAND"
->rsync</B
-> (see
-<A
-HREF="http://rsync.samba.org/"
-TARGET="_top"
->http://rsync.samba.org/</A
->)
-will allow the establishment of a centrally managed, distributed
-user/password database that can also be used by all
-PAM (eg: Linux) aware programs and applications. This arrangement
-can have particularly potent advantages compared with the
-use of Microsoft Active Directory Service (ADS) in so far as
-reduction of wide area network authentication traffic.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H1
-CLASS="SECT1"
-><A
-NAME="AEN54"
->PAM Configuration in smb.conf</A
-></H1
-><P
->There is an option in smb.conf called <A
-HREF="smb.conf.5.html#OBEYPAMRESTRICTIONS"
-TARGET="_top"
->obey pam restrictions</A
->.
-The following is from the on-line help for this option in SWAT;</P
-><P
->When Samba 2.2 is configure to enable PAM support (i.e.
-<TT
-CLASS="CONSTANT"
->--with-pam</TT
->), this parameter will
-control whether or not Samba should obey PAM's account
-and session management directives. The default behavior
-is to use PAM for clear text authentication only and to
-ignore any account or session management. Note that Samba always
-ignores PAM for authentication in the case of
-<A
-HREF="smb.conf.5.html#ENCRYPTPASSWORDS"
-TARGET="_top"
->encrypt passwords = yes</A
->.
-The reason is that PAM modules cannot support the challenge/response
-authentication mechanism needed in the presence of SMB
-password encryption. </P
-><P
->Default: <B
-CLASS="COMMAND"
->obey pam restrictions = no</B
-></P
-></DIV
-></DIV
-></BODY
-></HTML
-> \ No newline at end of file