diff options
Diffstat (limited to 'docs/htmldocs/PAM-Authentication-And-Samba.html')
-rw-r--r-- | docs/htmldocs/PAM-Authentication-And-Samba.html | 318 |
1 files changed, 318 insertions, 0 deletions
diff --git a/docs/htmldocs/PAM-Authentication-And-Samba.html b/docs/htmldocs/PAM-Authentication-And-Samba.html new file mode 100644 index 0000000000..6dc815b87b --- /dev/null +++ b/docs/htmldocs/PAM-Authentication-And-Samba.html @@ -0,0 +1,318 @@ +<HTML +><HEAD +><TITLE +>Configuring PAM for distributed but centrally +managed authentication</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD +><BODY +CLASS="ARTICLE" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="ARTICLE" +><DIV +CLASS="TITLEPAGE" +><H1 +CLASS="TITLE" +><A +NAME="PAM" +>Configuring PAM for distributed but centrally +managed authentication</A +></H1 +><HR></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN3" +>Samba and PAM</A +></H1 +><P +>A number of Unix systems (eg: Sun Solaris), as well as the +xxxxBSD family and Linux, now utilize the Pluggable Authentication +Modules (PAM) facility to provide all authentication, +authorization and resource control services. Prior to the +introduction of PAM, a decision to use an alternative to +the system password database (<TT +CLASS="FILENAME" +>/etc/passwd</TT +>) +would require the provision of alternatives for all programs that provide +security services. Such a choice would involve provision of +alternatives to such programs as: <B +CLASS="COMMAND" +>login</B +>, +<B +CLASS="COMMAND" +>passwd</B +>, <B +CLASS="COMMAND" +>chown</B +>, etc.</P +><P +>PAM provides a mechanism that disconnects these security programs +from the underlying authentication/authorization infrastructure. +PAM is configured either through one file <TT +CLASS="FILENAME" +>/etc/pam.conf</TT +> (Solaris), +or by editing individual files that are located in <TT +CLASS="FILENAME" +>/etc/pam.d</TT +>.</P +><P +>The following is an example <TT +CLASS="FILENAME" +>/etc/pam.d/login</TT +> configuration file. +This example had all options been uncommented is probably not usable +as it stacks many conditions before allowing successful completion +of the login process. Essentially all conditions can be disabled +by commenting them out except the calls to <TT +CLASS="FILENAME" +>pam_pwdb.so</TT +>.</P +><P +><PRE +CLASS="PROGRAMLISTING" +>#%PAM-1.0 +# The PAM configuration file for the `login' service +# +auth required pam_securetty.so +auth required pam_nologin.so +# auth required pam_dialup.so +# auth optional pam_mail.so +auth required pam_pwdb.so shadow md5 +# account requisite pam_time.so +account required pam_pwdb.so +session required pam_pwdb.so +# session optional pam_lastlog.so +# password required pam_cracklib.so retry=3 +password required pam_pwdb.so shadow md5</PRE +></P +><P +>PAM allows use of replacable modules. Those available on a +sample system include:</P +><P +><PRE +CLASS="PROGRAMLISTING" +>$ /bin/ls /lib/security +pam_access.so pam_ftp.so pam_limits.so +pam_ncp_auth.so pam_rhosts_auth.so pam_stress.so +pam_cracklib.so pam_group.so pam_listfile.so +pam_nologin.so pam_rootok.so pam_tally.so +pam_deny.so pam_issue.so pam_mail.so +pam_permit.so pam_securetty.so pam_time.so +pam_dialup.so pam_lastlog.so pam_mkhomedir.so +pam_pwdb.so pam_shells.so pam_unix.so +pam_env.so pam_ldap.so pam_motd.so +pam_radius.so pam_smbpass.so pam_unix_acct.so +pam_wheel.so pam_unix_auth.so pam_unix_passwd.so +pam_userdb.so pam_warn.so pam_unix_session.so</PRE +></P +><P +>The following example for the login program replaces the use of +the <TT +CLASS="FILENAME" +>pam_pwdb.so</TT +> module which uses the system +password database (<TT +CLASS="FILENAME" +>/etc/passwd</TT +>, +<TT +CLASS="FILENAME" +>/etc/shadow</TT +>, <TT +CLASS="FILENAME" +>/etc/group</TT +>) with +the module <TT +CLASS="FILENAME" +>pam_smbpass.so</TT +> which uses the Samba +database which contains the Microsoft MD4 encrypted password +hashes. This database is stored in either +<TT +CLASS="FILENAME" +>/usr/local/samba/private/smbpasswd</TT +>, +<TT +CLASS="FILENAME" +>/etc/samba/smbpasswd</TT +>, or in +<TT +CLASS="FILENAME" +>/etc/samba.d/smbpasswd</TT +>, depending on the +Samba implementation for your Unix/Linux system. The +<TT +CLASS="FILENAME" +>pam_smbpass.so</TT +> module is provided by +Samba version 2.2.1 or later. It can be compiled by specifying the +<B +CLASS="COMMAND" +>--with-pam_smbpass</B +> options when running Samba's +<TT +CLASS="FILENAME" +>configure</TT +> script. For more information +on the <TT +CLASS="FILENAME" +>pam_smbpass</TT +> module, see the documentation +in the <TT +CLASS="FILENAME" +>source/pam_smbpass</TT +> directory of the Samba +source distribution.</P +><P +><PRE +CLASS="PROGRAMLISTING" +>#%PAM-1.0 +# The PAM configuration file for the `login' service +# +auth required pam_smbpass.so nodelay +account required pam_smbpass.so nodelay +session required pam_smbpass.so nodelay +password required pam_smbpass.so nodelay</PRE +></P +><P +>The following is the PAM configuration file for a particular +Linux system. The default condition uses <TT +CLASS="FILENAME" +>pam_pwdb.so</TT +>.</P +><P +><PRE +CLASS="PROGRAMLISTING" +>#%PAM-1.0 +# The PAM configuration file for the `samba' service +# +auth required /lib/security/pam_pwdb.so nullok nodelay shadow audit +account required /lib/security/pam_pwdb.so audit nodelay +session required /lib/security/pam_pwdb.so nodelay +password required /lib/security/pam_pwdb.so shadow md5</PRE +></P +><P +>In the following example the decision has been made to use the +smbpasswd database even for basic samba authentication. Such a +decision could also be made for the passwd program and would +thus allow the smbpasswd passwords to be changed using the passwd +program.</P +><P +><PRE +CLASS="PROGRAMLISTING" +>#%PAM-1.0 +# The PAM configuration file for the `samba' service +# +auth required /lib/security/pam_smbpass.so nodelay +account required /lib/security/pam_pwdb.so audit nodelay +session required /lib/security/pam_pwdb.so nodelay +password required /lib/security/pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf</PRE +></P +><P +>Note: PAM allows stacking of authentication mechanisms. It is +also possible to pass information obtained within on PAM module through +to the next module in the PAM stack. Please refer to the documentation for +your particular system implementation for details regarding the specific +capabilities of PAM in this environment. Some Linux implmentations also +provide the <TT +CLASS="FILENAME" +>pam_stack.so</TT +> module that allows all +authentication to be configured in a single central file. The +<TT +CLASS="FILENAME" +>pam_stack.so</TT +> method has some very devoted followers +on the basis that it allows for easier administration. As with all issues in +life though, every decision makes trade-offs, so you may want examine the +PAM documentation for further helpful information.</P +></DIV +><DIV +CLASS="SECT1" +><HR><H1 +CLASS="SECT1" +><A +NAME="AEN47" +>Distributed Authentication</A +></H1 +><P +>The astute administrator will realize from this that the +combination of <TT +CLASS="FILENAME" +>pam_smbpass.so</TT +>, +<B +CLASS="COMMAND" +>winbindd</B +>, and <B +CLASS="COMMAND" +>rsync</B +> (see +<A +HREF="http://rsync.samba.org/" +TARGET="_top" +>http://rsync.samba.org/</A +>) +will allow the establishment of a centrally managed, distributed +user/password database that can also be used by all +PAM (eg: Linux) aware programs and applications. This arrangement +can have particularly potent advantages compared with the +use of Microsoft Active Directory Service (ADS) in so far as +reduction of wide area network authentication traffic.</P +></DIV +><DIV +CLASS="SECT1" +><HR><H1 +CLASS="SECT1" +><A +NAME="AEN54" +>PAM Configuration in smb.conf</A +></H1 +><P +>There is an option in smb.conf called <A +HREF="smb.conf.5.html#OBEYPAMRESTRICTIONS" +TARGET="_top" +>obey pam restrictions</A +>. +The following is from the on-line help for this option in SWAT;</P +><P +>When Samba 2.2 is configure to enable PAM support (i.e. +<TT +CLASS="CONSTANT" +>--with-pam</TT +>), this parameter will +control whether or not Samba should obey PAM's account +and session management directives. The default behavior +is to use PAM for clear text authentication only and to +ignore any account or session management. Note that Samba always +ignores PAM for authentication in the case of +<A +HREF="smb.conf.5.html#ENCRYPTPASSWORDS" +TARGET="_top" +>encrypt passwords = yes</A +>. +The reason is that PAM modules cannot support the challenge/response +authentication mechanism needed in the presence of SMB +password encryption. </P +><P +>Default: <B +CLASS="COMMAND" +>obey pam restrictions = no</B +></P +></DIV +></DIV +></BODY +></HTML +>
\ No newline at end of file |