diff options
Diffstat (limited to 'docs/howto/PAM-Authentication-And-Samba.xml')
| -rw-r--r-- | docs/howto/PAM-Authentication-And-Samba.xml | 939 |
1 files changed, 939 insertions, 0 deletions
diff --git a/docs/howto/PAM-Authentication-And-Samba.xml b/docs/howto/PAM-Authentication-And-Samba.xml new file mode 100644 index 0000000000..7e5911bb19 --- /dev/null +++ b/docs/howto/PAM-Authentication-And-Samba.xml @@ -0,0 +1,939 @@ +<chapter id="pam"> +<chapterinfo> + &author.jht; + <author> + <firstname>Stephen</firstname><surname>Langasek</surname> + <affiliation> + <address><email>vorlon@netexpress.net</email></address> + </affiliation> + </author> + <pubdate>May 31, 2003</pubdate> +</chapterinfo> + +<title>PAM-Based Distributed Authentication</title> + +<para> +This chapter should help you to deploy Winbind-based authentication on any PAM-enabled +UNIX/Linux system. Winbind can be used to enable User-Level application access authentication +from any MS Windows NT Domain, MS Windows 200x Active Directory-based +domain, or any Samba-based domain environment. It will also help you to configure PAM-based local host access +controls that are appropriate to your Samba configuration. +</para> + +<para> +In addition to knowing how to configure Winbind into PAM, you will learn generic PAM management +possibilities and in particular how to deploy tools like <filename>pam_smbpass.so</filename> to your advantage. +</para> + +<note><para> +The use of Winbind requires more than PAM configuration alone. +Please refer to <link linkend="winbind">Winbind: Use of Domain Accounts</link>, for further information regarding Winbind. +</para></note> + +<sect1> +<title>Features and Benefits</title> + +<para> +A number of UNIX systems (e.g., Sun Solaris), as well as the xxxxBSD family and Linux, +now utilize the Pluggable Authentication Modules (PAM) facility to provide all authentication, +authorization and resource control services. Prior to the introduction of PAM, a decision +to use an alternative to the system password database (<filename>/etc/passwd</filename>) +would require the provision of alternatives for all programs that provide security services. +Such a choice would involve provision of alternatives to programs such as: <command>login</command>, +<command>passwd</command>, <command>chown</command>, and so on. +</para> + +<para> +PAM provides a mechanism that disconnects these security programs from the underlying +authentication/authorization infrastructure. PAM is configured by making appropriate modifications to one file +<filename>/etc/pam.conf</filename> (Solaris), or by editing individual control files that are +located in <filename>/etc/pam.d</filename>. +</para> + +<para> +On PAM-enabled UNIX/Linux systems, it is an easy matter to configure the system to use any +authentication backend so long as the appropriate dynamically loadable library modules +are available for it. The backend may be local to the system, or may be centralized on a +remote server. +</para> + +<para> +PAM support modules are available for: +</para> + +<variablelist> + <varlistentry><term><filename>/etc/passwd</filename></term><listitem> + <para> + There are several PAM modules that interact with this standard UNIX user + database. The most common are called: <filename>pam_unix.so</filename>, <filename>pam_unix2.so</filename>, <filename>pam_pwdb.so</filename> + and <filename>pam_userdb.so</filename>. + </para> + </listitem></varlistentry> + + <varlistentry><term>Kerberos</term><listitem> + <para> + The <filename>pam_krb5.so</filename> module allows the use of any Kerberos compliant server. + This tool is used to access MIT Kerberos, Heimdal Kerberos, and potentially + Microsoft Active Directory (if enabled). + </para> + </listitem></varlistentry> + + <varlistentry><term>LDAP</term><listitem> + <para> + The <filename>pam_ldap.so</filename> module allows the use of any LDAP v2 or v3 compatible backend + server. Commonly used LDAP backend servers include: OpenLDAP v2.0 and v2.1, + Sun ONE iDentity server, Novell eDirectory server, Microsoft Active Directory. + </para> + </listitem></varlistentry> + + <varlistentry><term>NetWare Bindery</term><listitem> + <para> + The <filename>pam_ncp_auth.so</filename> module allows authentication off any bindery-enabled + NetWare Core Protocol-based server. + </para> + </listitem></varlistentry> + + <varlistentry><term>SMB Password</term><listitem> + <para> + This module, called <filename>pam_smbpass.so</filename>, will allow user authentication off + the passdb backend that is configured in the Samba &smb.conf; file. + </para> + </listitem></varlistentry> + + <varlistentry><term>SMB Server</term><listitem> + <para> + The <filename>pam_smb_auth.so</filename> module is the original MS Windows networking authentication + tool. This module has been somewhat outdated by the Winbind module. + </para> + </listitem></varlistentry> + + <varlistentry><term>Winbind</term><listitem> + <para> + The <filename>pam_winbind.so</filename> module allows Samba to obtain authentication from any + MS Windows Domain Controller. It can just as easily be used to authenticate + users for access to any PAM-enabled application. + </para> + </listitem></varlistentry> + + <varlistentry><term>RADIUS</term><listitem> + <para> + There is a PAM RADIUS (Remote Access Dial-In User Service) authentication + module. In most cases, administrators will need to locate the source code + for this tool and compile and install it themselves. RADIUS protocols are + used by many routers and terminal servers. + </para> + </listitem></varlistentry> +</variablelist> + +<para> +Of the above, Samba provides the <filename>pam_smbpasswd.so</filename> and the <filename>pam_winbind.so</filename> modules alone. +</para> + +<para> +Once configured, these permit a remarkable level of flexibility in the location and use +of distributed Samba Domain Controllers that can provide wide area network bandwidth +efficient authentication services for PAM-capable systems. In effect, this allows the +deployment of centrally managed and maintained distributed authentication from a +single-user account database. +</para> + +</sect1> + +<sect1> +<title>Technical Discussion</title> + +<para> +PAM is designed to provide the system administrator with a great deal of flexibility in +configuration of the privilege granting applications of their system. The local +configuration of system security controlled by PAM is contained in one of two places: +either the single system file, <filename>/etc/pam.conf</filename>, or the +<filename>/etc/pam.d/</filename> directory. +</para> + +<sect2> +<title>PAM Configuration Syntax</title> + +<para> +In this section we discuss the correct syntax of and generic options respected by entries to these files. +PAM-specific tokens in the configuration file are case insensitive. The module paths, however, are case +sensitive since they indicate a file's name and reflect the case +dependence of typical file systems. +The case-sensitivity of the arguments to any given module is defined for each module in turn. +</para> + +<para> +In addition to the lines described below, there are two special characters provided for the convenience +of the system administrator: comments are preceded by a <quote>#</quote> and extend to the next end-of-line; also, +module specification lines may be extended with a <quote>\</quote> escaped newline. +</para> + +<para> +If the PAM authentication module (loadable link library file) is located in the +default location, then it is not necessary to specify the path. In the case of +Linux, the default location is <filename>/lib/security</filename>. If the module +is located outside the default, then the path must be specified as: +</para> + +<para> +<programlisting> +auth required /other_path/pam_strange_module.so +</programlisting> +</para> + +<sect3> +<title>Anatomy of <filename>/etc/pam.d</filename> Entries</title> + +<para> +The remaining information in this subsection was taken from the documentation of the Linux-PAM +project. For more information on PAM, see +<ulink url="http://ftp.kernel.org/pub/linux/libs/pam/">The Official Linux-PAM home page.</ulink> +</para> + +<para> +A general configuration line of the <filename>/etc/pam.conf</filename> file has the following form: +</para> + +<para> +<programlisting> +service-name module-type control-flag module-path args +</programlisting> +</para> + +<para> +Below, we explain the meaning of each of these tokens. The second (and more recently adopted) +way of configuring Linux-PAM is via the contents of the <filename>/etc/pam.d/</filename> directory. +Once we have explained the meaning of the above tokens, we will describe this method. +</para> + +<variablelist> + <varlistentry><term>service-name</term><listitem> + <para> + The name of the service associated with this entry. Frequently, the service name is the conventional + name of the given application. For example, <command>ftpd</command>, <command>rlogind</command> and + <command>su</command>, and so on. + </para> + + <para> + There is a special service-name reserved for defining a default authentication mechanism. It has + the name <parameter>OTHER</parameter> and may be specified in either lower- or upper-case characters. + Note, when there is a module specified for a named service, the <parameter>OTHER</parameter> + entries are ignored. + </para> + </listitem> + </varlistentry> + + <varlistentry><term>module-type</term><listitem> + <para> + One of (currently) four types of module. The four types are as follows: + </para> + + <itemizedlist> + <listitem><para> + <parameter>auth:</parameter> This module type provides two aspects of authenticating the user. + It establishes that the user is who he claims to be by instructing the application + to prompt the user for a password or other means of identification. Secondly, the module can + grant group membership (independently of the <filename>/etc/groups</filename> file discussed + above) or other privileges through its credential granting properties. + </para></listitem> + + <listitem><para> + <parameter>account:</parameter> This module performs non-authentication-based account management. + It is typically used to restrict/permit access to a service based on the time of day, currently + available system resources (maximum number of users) or perhaps the location of the applicant + user <quote>root</quote> login only on the console. + </para></listitem> + + <listitem><para> + <parameter>session:</parameter> Primarily, this module is associated with doing things that need + to be done for the user before and after they can be given service. Such things include the logging + of information concerning the opening and closing of some data exchange with a user, mounting + directories, and so on. + </para></listitem> + + <listitem><para> + <parameter>password:</parameter> This last module type is required for updating the authentication + token associated with the user. Typically, there is one module for each <quote>challenge/response</quote> + -based authentication <parameter>(auth)</parameter> module type. + </para></listitem> + </itemizedlist> + </listitem> + </varlistentry> + + <varlistentry><term>control-flag</term><listitem> + <para> + The control-flag is used to indicate how the PAM library will react to the success or failure of the + module it is associated with. Since modules can be stacked (modules of the same type execute in series, + one after another), the control-flags determine the relative importance of each module. The application + is not made aware of the individual success or failure of modules listed in the + <filename>/etc/pam.conf</filename> file. Instead, it receives a summary success or fail response from + the Linux-PAM library. The order of execution of these modules is that of the entries in the + <filename>/etc/pam.conf</filename> file; earlier entries are executed before later ones. + As of Linux-PAM v0.60, this control-flag can be defined with one of two syntaxes. + </para> + + <para> + The simpler (and historical) syntax for the control-flag is a single keyword defined to indicate the + severity of concern associated with the success or failure of a specific module. There are four such + keywords: <parameter>required, requisite, sufficient and optional</parameter>. + </para> + + <para> + The Linux-PAM library interprets these keywords in the following manner: + </para> + + <itemizedlist> + <listitem><para> + <parameter>required:</parameter> This indicates that the success of the module is required for the + module-type facility to succeed. Failure of this module will not be apparent to the user until all + of the remaining modules (of the same module-type) have been executed. + </para></listitem> + + <listitem><para> + <parameter>requisite:</parameter> Like required, however, in the case that such a module returns a + failure, control is directly returned to the application. The return value is that associated with + the first required or requisite module to fail. This flag can be used to protect against the + possibility of a user getting the opportunity to enter a password over an unsafe medium. It is + conceivable that such behavior might inform an attacker of valid accounts on a system. This + possibility should be weighed against the not insignificant concerns of exposing a sensitive + password in a hostile environment. + </para></listitem> + + <listitem><para> + <parameter>sufficient:</parameter> The success of this module is deemed <parameter>sufficient</parameter> to satisfy + the Linux-PAM library that this module-type has succeeded in its purpose. In the event that no + previous required module has failed, no more <quote>stacked</quote> modules of this type are invoked. + (In this case, subsequent required modules are not invoked). A failure of this module is not deemed + as fatal to satisfying the application that this module-type has succeeded. + </para></listitem> + + <listitem><para> + <parameter>optional:</parameter> As its name suggests, this control-flag marks the module as not + being critical to the success or failure of the user's application for service. In general, + Linux-PAM ignores such a module when determining if the module stack will succeed or fail. + However, in the absence of any definite successes or failures of previous or subsequent stacked + modules, this module will determine the nature of the response to the application. One example of + this latter case, is when the other modules return something like PAM_IGNORE. + </para></listitem> + </itemizedlist> + + <para> + The more elaborate (newer) syntax is much more specific and gives the administrator a great deal of control + over how the user is authenticated. This form of the control flag is delimited with square brackets and + consists of a series of <parameter>value=action</parameter> tokens: + </para> + +<para><programlisting> +[value1=action1 value2=action2 ...] +</programlisting></para> + + <para> + Here, <parameter>value1</parameter> is one of the following return values: +<screen> +<parameter>success; open_err; symbol_err; service_err; system_err; buf_err;</parameter> +<parameter>perm_denied; auth_err; cred_insufficient; authinfo_unavail;</parameter> +<parameter>user_unknown; maxtries; new_authtok_reqd; acct_expired; session_err;</parameter> +<parameter>cred_unavail; cred_expired; cred_err; no_module_data; conv_err;</parameter> +<parameter>authtok_err; authtok_recover_err; authtok_lock_busy;</parameter> +<parameter>authtok_disable_aging; try_again; ignore; abort; authtok_expired;</parameter> +<parameter>module_unknown; bad_item;</parameter> and <parameter>default</parameter>. +</screen> +</para> + + <para> + The last of these <parameter>(default)</parameter> can be used to set the action for those return values that are not explicitly defined. + </para> + + <para> + The <parameter>action1</parameter> can be a positive integer or one of the following tokens: + <parameter>ignore; ok; done; bad; die;</parameter> and <parameter>reset</parameter>. + A positive integer, J, when specified as the action, can be used to indicate that the next J modules of the + current module-type will be skipped. In this way, the administrator can develop a moderately sophisticated + stack of modules with a number of different paths of execution. Which path is taken can be determined by the + reactions of individual modules. + </para> + + <itemizedlist> + <listitem><para> + <parameter>ignore:</parameter> When used with a stack of modules, the module's return status will not + contribute to the return code the application obtains. + </para></listitem> + + <listitem><para> + <parameter>bad:</parameter> This action indicates that the return code should be thought of as indicative + of the module failing. If this module is the first in the stack to fail, its status value will be used + for that of the whole stack. + </para></listitem> + + <listitem><para> + <parameter>die:</parameter> Equivalent to bad with the side effect of terminating the module stack and + PAM immediately returning to the application. + </para></listitem> + + <listitem><para> + <parameter>ok:</parameter> This tells PAM that the administrator thinks this return code should + contribute directly to the return code of the full stack of modules. In other words, if the former + state of the stack would lead to a return of PAM_SUCCESS, the module's return code will override + this value. Note, if the former state of the stack holds some value that is indicative of a modules + failure, this <parameter>ok</parameter> value will not be used to override that value. + </para></listitem> + + <listitem><para> + <parameter>done:</parameter> Equivalent to <parameter>ok</parameter> with the side effect of terminating the module stack and + PAM immediately returning to the application. + </para></listitem> + + <listitem><para> + <parameter>reset:</parameter> Clears all memory of the state of the module stack and starts again with + the next stacked module. + </para></listitem> + </itemizedlist> + + <para> + Each of the four keywords: <parameter>required; requisite; sufficient;</parameter> and <parameter>optional</parameter>, + have an equivalent expression in terms of the [...] syntax. They are as follows: + </para> + + <para> + <itemizedlist> + <listitem><para> + <parameter>required</parameter> is equivalent to <parameter>[success=ok new_authtok_reqd=ok ignore=ignore default=bad]</parameter>. + </para></listitem> + + <listitem><para> + <parameter>requisite</parameter> is equivalent to <parameter>[success=ok new_authtok_reqd=ok ignore=ignore default=die]</parameter>. + </para></listitem> + + <listitem><para> + <parameter>sufficient</parameter> is equivalent to <parameter>[success=done new_authtok_reqd=done<?latex \linebreak ?> default=ignore]</parameter>. + </para></listitem> + + <listitem><para> + <parameter>optional</parameter> is equivalent to <parameter>[success=ok new_authtok_reqd=ok default=ignore]</parameter>. + </para></listitem> + </itemizedlist> + </para> + + <para> + Just to get a feel for the power of this new syntax, here is a taste of what you can do with it. With Linux-PAM-0.63, + the notion of client plug-in agents was introduced. This is something that makes it possible for PAM to support + machine-machine authentication using the transport protocol inherent to the client/server application. With the + <parameter>[ ... value=action ... ]</parameter> control syntax, it is possible for an application to be configured + to support binary prompts with compliant clients, but to gracefully fall over into an alternative authentication + mode for older, legacy applications. + </para> + </listitem> + </varlistentry> + + <varlistentry><term>module-path</term><listitem> + <para> + The path-name of the dynamically loadable object file; the pluggable module itself. If the first character of the + module path is <quote>/</quote>, it is assumed to be a complete path. If this is not the case, the given module path is appended + to the default module path: <filename>/lib/security</filename> (but see the notes above). + </para> + + <para> + The arguments are a list of tokens that are passed to the module when it is invoked, much like arguments to a typical + Linux shell command. Generally, valid arguments are optional and are specific to any given module. Invalid arguments + are ignored by a module, however, when encountering an invalid argument, the module is required to write an error + to syslog(3). For a list of generic options, see the next section. + </para> + + <para> + If you wish to include spaces in an argument, you should surround that argument with square brackets. For example: + </para> + +<para><programlisting> +squid auth required pam_mysql.so user=passwd_query passwd=mada \ +db=eminence [query=select user_name from internet_service where \ +user_name=<quote>%u</quote> and password=PASSWORD(<quote>%p</quote>) and service=<quote>web_proxy</quote>] +</programlisting></para> + + <para> + When using this convention, you can include <quote>[</quote> characters inside the string, and if you wish to have a <quote>]</quote> + character inside the string that will survive the argument parsing, you should use <quote>\[</quote>. In other words: + </para> + +<para><programlisting> +[..[..\]..] --> ..[..].. +</programlisting></para> + + <para> + Any line in one of the configuration files that is not formatted correctly will generally tend (erring on the + side of caution) to make the authentication process fail. A corresponding error is written to the system log files + with a call to syslog(3). + </para> + </listitem> + </varlistentry> +</variablelist> + +</sect3> + +</sect2> + +<sect2> +<title>Example System Configurations</title> + +<para> +The following is an example <filename>/etc/pam.d/login</filename> configuration file. +This example had all options uncommented and is probably not usable +because it stacks many conditions before allowing successful completion +of the login process. Essentially all conditions can be disabled +by commenting them out, except the calls to <filename>pam_pwdb.so</filename>. +</para> + +<sect3> +<title>PAM: Original Login Config</title> + +<para> + <smbfile name="pam-login-default"> + <programlisting> +#%PAM-1.0 +# The PAM configuration file for the <quote>login</quote> service +# +auth required pam_securetty.so +auth required pam_nologin.so +# auth required pam_dialup.so +# auth optional pam_mail.so +auth required pam_pwdb.so shadow md5 +# account requisite pam_time.so +account required pam_pwdb.so +session required pam_pwdb.so +# session optional pam_lastlog.so +# password required pam_cracklib.so retry=3 +password required pam_pwdb.so shadow md5 +</programlisting> +</smbfile></para> + +</sect3> + +<sect3> +<title>PAM: Login Using <filename>pam_smbpass</filename></title> + +<para> +PAM allows use of replaceable modules. Those available on a sample system include: +</para> + +<para><prompt>$</prompt><userinput>/bin/ls /lib/security</userinput> +<programlisting> +pam_access.so pam_ftp.so pam_limits.so +pam_ncp_auth.so pam_rhosts_auth.so pam_stress.so +pam_cracklib.so pam_group.so pam_listfile.so +pam_nologin.so pam_rootok.so pam_tally.so +pam_deny.so pam_issue.so pam_mail.so +pam_permit.so pam_securetty.so pam_time.so +pam_dialup.so pam_lastlog.so pam_mkhomedir.so +pam_pwdb.so pam_shells.so pam_unix.so +pam_env.so pam_ldap.so pam_motd.so +pam_radius.so pam_smbpass.so pam_unix_acct.so +pam_wheel.so pam_unix_auth.so pam_unix_passwd.so +pam_userdb.so pam_warn.so pam_unix_session.so +</programlisting></para> + +<para> +The following example for the login program replaces the use of +the <filename>pam_pwdb.so</filename> module that uses the system +password database (<filename>/etc/passwd</filename>, +<filename>/etc/shadow</filename>, <filename>/etc/group</filename>) with +the module <filename>pam_smbpass.so</filename>, which uses the Samba +database which contains the Microsoft MD4 encrypted password +hashes. This database is stored in either +<filename>/usr/local/samba/private/smbpasswd</filename>, +<filename>/etc/samba/smbpasswd</filename>, or in +<filename>/etc/samba.d/smbpasswd</filename>, depending on the +Samba implementation for your UNIX/Linux system. The +<filename>pam_smbpass.so</filename> module is provided by +Samba version 2.2.1 or later. It can be compiled by specifying the +<option>--with-pam_smbpass</option> options when running Samba's +<command>configure</command> script. For more information +on the <filename>pam_smbpass</filename> module, see the documentation +in the <filename>source/pam_smbpass</filename> directory of the Samba +source distribution. +</para> + +<para> + <smbfile name="pam-login-smbpass"> + <programlisting> +#%PAM-1.0 +# The PAM configuration file for the <quote>login</quote> service +# +auth required pam_smbpass.so nodelay +account required pam_smbpass.so nodelay +session required pam_smbpass.so nodelay +password required pam_smbpass.so nodelay +</programlisting></smbfile></para> + +<para> +The following is the PAM configuration file for a particular +Linux system. The default condition uses <filename>pam_pwdb.so</filename>. +</para> + +<para> + <smbfile name="pam-samba-default"> + <programlisting> +#%PAM-1.0 +# The PAM configuration file for the <quote>samba</quote> service +# +auth required pam_pwdb.so nullok nodelay shadow audit +account required pam_pwdb.so audit nodelay +session required pam_pwdb.so nodelay +password required pam_pwdb.so shadow md5 +</programlisting></smbfile></para> + +<para> +In the following example, the decision has been made to use the +<command>smbpasswd</command> database even for basic Samba authentication. Such a +decision could also be made for the <command>passwd</command> program and would +thus allow the <command>smbpasswd</command> passwords to be changed using the +<command>passwd</command> program: +</para> + +<para><smbfile name="pam-samba-smbpass"> + <programlisting> +#%PAM-1.0 +# The PAM configuration file for the <quote>samba</quote> service +# +auth required pam_smbpass.so nodelay +account required pam_pwdb.so audit nodelay +session required pam_pwdb.so nodelay +password required pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf +</programlisting> +</smbfile></para> + +<note><para>PAM allows stacking of authentication mechanisms. It is +also possible to pass information obtained within one PAM module through +to the next module in the PAM stack. Please refer to the documentation for +your particular system implementation for details regarding the specific +capabilities of PAM in this environment. Some Linux implementations also +provide the <filename>pam_stack.so</filename> module that allows all +authentication to be configured in a single central file. The +<filename>pam_stack.so</filename> method has some devoted followers +on the basis that it allows for easier administration. As with all issues in +life though, every decision makes trade-offs, so you may want to examine the +PAM documentation for further helpful information. +</para></note> + +</sect3> + +</sect2> + +<sect2> +<title>&smb.conf; PAM Configuration</title> + +<para> + There is an option in &smb.conf; called <smbconfoption><name>obey pam restrictions</name></smbconfoption>. +The following is from the online help for this option in SWAT; +</para> + +<para> +When Samba is configured to enable PAM support (i.e., <option>--with-pam</option>), this parameter will +control whether or not Samba should obey PAM's account and session management directives. The default behavior +is to use PAM for clear-text authentication only and to ignore any account or session management. Samba always +ignores PAM for authentication in the case of <smbconfoption><name>encrypt passwords</name><value>yes</value></smbconfoption>. +The reason is that PAM modules cannot support the challenge/response authentication mechanism needed in the presence of SMB +password encryption. +</para> + +<para>Default: <smbconfoption><name>obey pam restrictions</name><value>no</value></smbconfoption></para> + +</sect2> + +<sect2> +<title>Remote CIFS Authentication Using <filename>winbindd.so</filename></title> + +<para> +All operating systems depend on the provision of users credentials acceptable to the platform. +UNIX requires the provision of a user identifier (UID) as well as a group identifier (GID). +These are both simple integer type numbers that are obtained from a password backend such +as <filename>/etc/passwd</filename>. +</para> + +<para> +Users and groups on a Windows NT server are assigned a relative ID (RID) which is unique for +the domain when the user or group is created. To convert the Windows NT user or group into +a UNIX user or group, a mapping between RIDs and UNIX user and group IDs is required. This +is one of the jobs that winbind performs. +</para> + +<para> +As Winbind users and groups are resolved from a server, user and group IDs are allocated +from a specified range. This is done on a first come, first served basis, although all +existing users and groups will be mapped as soon as a client performs a user or group +enumeration command. The allocated UNIX IDs are stored in a database file under the Samba +lock directory and will be remembered. +</para> + +<para> +The astute administrator will realize from this that the combination of <filename>pam_smbpass.so</filename>, +<command>winbindd</command> and a distributed <smbconfoption><name>passdb backend</name><value></value></smbconfoption>, +such as <parameter>ldap</parameter>, will allow the establishment of a centrally managed, distributed user/password +database that can also be used by all PAM-aware (e.g., Linux) programs and applications. This arrangement can have +particularly potent advantages compared with the use of Microsoft Active Directory Service (ADS) in so far as +the reduction of wide area network authentication traffic. +</para> + +<warning><para> +The RID to UNIX ID database is the only location where the user and group mappings are +stored by <command>winbindd</command>. If this file is deleted or corrupted, there is no way for <command>winbindd</command> +to determine which user and group IDs correspond to Windows NT user and group RIDs. +</para></warning> + +</sect2> + +<sect2> +<title>Password Synchronization Using <filename>pam_smbpass.so</filename></title> + +<para> +<filename>pam_smbpass</filename> is a PAM module that can be used on conforming systems to +keep the <filename>smbpasswd</filename> (Samba password) database in sync with the UNIX +password file. PAM (Pluggable Authentication Modules) is an API supported +under some UNIX operating systems, such as Solaris, HPUX and Linux, that provides a +generic interface to authentication mechanisms. +</para> + +<para> +This module authenticates a local <filename>smbpasswd</filename> user database. If you require +support for authenticating against a remote SMB server, or if you are +concerned about the presence of SUID root binaries on your system, it is +recommended that you use <filename>pam_winbind</filename> instead. +</para> + +<para> +Options recognized by this module are shown in <link linkend="smbpassoptions">next table</link>. +<table frame="all" id="smbpassoptions"> + <title>Options recognized by <parameter>pam_smbpass</parameter></title> + <tgroup cols="2" align="left"> + <colspec align="left"/> + <colspec align="justify" colwidth="1*"/> + <tbody> + <row><entry>debug</entry><entry>log more debugging info.</entry></row> + <row><entry>audit</entry><entry>like debug, but also logs unknown usernames.</entry></row> + <row><entry>use_first_pass</entry><entry>do not prompt the user for passwords; take them from PAM_ items instead.</entry></row> + <row><entry>try_first_pass</entry><entry>try to get the password from a previous PAM module fall back to prompting the user.</entry></row> + <row><entry>use_authtok</entry> + <entry>like try_first_pass, but *fail* if the new PAM_AUTHTOK has not been previously set (intended for stacking password modules only).</entry></row> + <row><entry>not_set_pass</entry><entry>do not make passwords used by this module available to other modules.</entry></row> + <row><entry>nodelay</entry><entry>do not insert ~1 second delays on authentication failure.</entry></row> + <row><entry>nullok</entry><entry>null passwords are allowed.</entry></row> + <row><entry>nonull</entry><entry>null passwords are not allowed. Used to override the Samba configuration.</entry></row> + <row><entry>migrate</entry><entry>only meaningful in an <quote>auth</quote> context; used to update smbpasswd file with a password used for successful authentication.</entry></row> + <row><entry>smbconf=<replaceable>file</replaceable></entry><entry>specify an alternate path to the &smb.conf; file.</entry></row> + </tbody> +</tgroup> +</table> +</para> + +<para> +The following are examples of the use of <filename>pam_smbpass.so</filename> in the format of Linux +<filename>/etc/pam.d/</filename> files structure. Those wishing to implement this +tool on other platforms will need to adapt this appropriately. +</para> + +<sect3> +<title>Password Synchronization Configuration</title> + +<para> +A sample PAM configuration that shows the use of pam_smbpass to make +sure <filename>private/smbpasswd</filename> is kept in sync when <filename>/etc/passwd (/etc/shadow)</filename> +is changed. Useful when an expired password might be changed by an +application (such as <command>ssh</command>). +</para> + +<para> + <smbfile name="pam-synchronised-password"> + <programlisting> +#%PAM-1.0 +# password-sync +# +auth requisite pam_nologin.so +auth required pam_unix.so +account required pam_unix.so +password requisite pam_cracklib.so retry=3 +password requisite pam_unix.so shadow md5 use_authtok try_first_pass +password required pam_smbpass.so nullok use_authtok try_first_pass +session required pam_unix.so +</programlisting></smbfile></para> +</sect3> + +<sect3> +<title>Password Migration Configuration</title> + +<para> +A sample PAM configuration that shows the use of <filename>pam_smbpass</filename> to migrate +from plaintext to encrypted passwords for Samba. Unlike other methods, +this can be used for users who have never connected to Samba shares: +password migration takes place when users <command>ftp</command> in, login using <command>ssh</command>, pop +their mail, and so on. +</para> + +<para><smbfile name="pam-password-migration"> + <programlisting> +#%PAM-1.0 +# password-migration +# +auth requisite pam_nologin.so +# pam_smbpass is called IF pam_unix succeeds. +auth requisite pam_unix.so +auth optional pam_smbpass.so migrate +account required pam_unix.so +password requisite pam_cracklib.so retry=3 +password requisite pam_unix.so shadow md5 use_authtok try_first_pass +password optional pam_smbpass.so nullok use_authtok try_first_pass +session required pam_unix.so +</programlisting></smbfile></para> +</sect3> + +<sect3> +<title>Mature Password Configuration</title> + +<para> +A sample PAM configuration for a mature <filename>smbpasswd</filename> installation. +<filename>private/smbpasswd</filename> is fully populated, and we consider it an error if +the SMB password does not exist or does not match the UNIX password. +</para> + +<para><smbfile name="pam-fallback"> +<programlisting> +#%PAM-1.0 +# password-mature +# +auth requisite pam_nologin.so +auth required pam_unix.so +account required pam_unix.so +password requisite pam_cracklib.so retry=3 +password requisite pam_unix.so shadow md5 use_authtok try_first_pass +password required pam_smbpass.so use_authtok use_first_pass +session required pam_unix.so +</programlisting></smbfile></para> +</sect3> + +<sect3> +<title>Kerberos Password Integration Configuration</title> + +<para> +A sample PAM configuration that shows <parameter>pam_smbpass</parameter> used together with +<parameter>pam_krb5</parameter>. This could be useful on a Samba PDC that is also a member of +a Kerberos realm. +</para> + +<para><smbfile name="pam-krb"> + <programlisting> +#%PAM-1.0 +# kdc-pdc +# +auth requisite pam_nologin.so +auth requisite pam_krb5.so +auth optional pam_smbpass.so migrate +account required pam_krb5.so +password requisite pam_cracklib.so retry=3 +password optional pam_smbpass.so nullok use_authtok try_first_pass +password required pam_krb5.so use_authtok try_first_pass +session required pam_krb5.so +</programlisting></smbfile></para> + +</sect3> + +</sect2> + +</sect1> + +<sect1> +<title>Common Errors</title> + +<para> +PAM can be fickle and sensitive to configuration glitches. Here we look at a few cases from +the Samba mailing list. +</para> + +<!-- shouldn't this be in the Winbind chapter - Jelmer --> + <sect2> + <title>pam_winbind Problem</title> + + <para> + A user reported: I have the following PAM configuration: + </para> + +<para> + <smbfile name="pam-winbind-erratic"> +<programlisting> +auth required /lib/security/pam_securetty.so +auth sufficient /lib/security/pam_winbind.so +auth sufficient /lib/security/pam_unix.so use_first_pass nullok +auth required /lib/security/pam_stack.so service=system-auth +auth required /lib/security/pam_nologin.so +account required /lib/security/pam_stack.so service=system-auth +account required /lib/security/pam_winbind.so +password required /lib/security/pam_stack.so service=system-auth +</programlisting></smbfile> +</para> + + <para> + When I open a new console with [ctrl][alt][F1], I can't log in with my user <quote>pitie</quote>. + I have tried with user <quote>scienceu+pitie</quote> also. + </para> + + <para> + <emphasis>Answer:</emphasis> The problem may lie with your inclusion of <parameter>pam_stack.so + service=system-auth</parameter>. That file often contains a lot of stuff that may + duplicate what you are already doing. Try commenting out the <parameter>pam_stack</parameter> lines + for <parameter>auth</parameter> and <parameter>account</parameter> and see if things work. If they do, look at + <filename>/etc/pam.d/system-auth</filename> and copy only what you need from it into your + <filename>/etc/pam.d/login</filename> file. Alternately, if you want all services to use + Winbind, you can put the Winbind-specific stuff in <filename>/etc/pam.d/system-auth</filename>. + </para> + + </sect2> + + <sect2> + <title>Winbind Is Not Resolving Users and Groups</title> + + <para> + <quote> + My &smb.conf; file is correctly configured. I have specified + <smbconfoption><name>idmap uid</name><value>12000</value></smbconfoption>, + and <smbconfoption><name>idmap gid</name><value>3000-3500</value></smbconfoption> + and <command>winbind</command> is running. When I do the following it all works fine. + </quote> + </para> + +<para><screen> +&rootprompt;<userinput>wbinfo -u</userinput> +MIDEARTH+maryo +MIDEARTH+jackb +MIDEARTH+ameds +... +MIDEARTH+root + +&rootprompt;<userinput>wbinfo -g</userinput> +MIDEARTH+Domain Users +MIDEARTH+Domain Admins +MIDEARTH+Domain Guests +... +MIDEARTH+Accounts + +&rootprompt;<userinput>getent passwd</userinput> +root:x:0:0:root:/root:/bin/bash +bin:x:1:1:bin:/bin:/bin/bash +... +maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false +</screen></para> + + <para> + <quote> + But this command fails: + </quote> +<screen> +&rootprompt;<userinput>chown maryo a_file</userinput> +chown: 'maryo': invalid user +</screen> + <quote>This is driving me nuts! What can be wrong?</quote> + </para> + + <para> + <emphasis>Answer:</emphasis> Your system is likely running <command>nscd</command>, the name service + caching daemon. Shut it down, do not restart it! You will find your problem resolved. + </para> + + </sect2> +</sect1> + +</chapter> |