diff options
Diffstat (limited to 'docs/htmldocs/pam.html')
| -rw-r--r-- | docs/htmldocs/pam.html | 560 |
1 files changed, 0 insertions, 560 deletions
diff --git a/docs/htmldocs/pam.html b/docs/htmldocs/pam.html deleted file mode 100644 index f41a9bc5c8..0000000000 --- a/docs/htmldocs/pam.html +++ /dev/null @@ -1,560 +0,0 @@ -<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 25. PAM-Based Distributed Authentication</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="ProfileMgmt.html" title="Chapter 24. Desktop Profile Management"><link rel="next" href="integrate-ms-networks.html" title="Chapter 26. Integrating MS Windows Networks with Samba"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 25. PAM-Based Distributed Authentication</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ProfileMgmt.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="integrate-ms-networks.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="pam"></a>Chapter 25. PAM-Based Distributed Authentication</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Stephen</span> <span class="surname">Langasek</span></h3><div class="affiliation"><div class="address"><p><tt class="email"><<a href="mailto:vorlon@netexpress.net">vorlon@netexpress.net</a>></tt></p></div></div></div></div><div><p class="pubdate">May 31, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="pam.html#id2958910">Features and Benefits</a></dt><dt><a href="pam.html#id2959235">Technical Discussion</a></dt><dd><dl><dt><a href="pam.html#id2959266">PAM Configuration Syntax</a></dt><dt><a href="pam.html#id2960262">Example System Configurations</a></dt><dt><a href="pam.html#id2960612">smb.conf PAM Configuration</a></dt><dt><a href="pam.html#id2960701">Remote CIFS Authentication Using winbindd.so</a></dt><dt><a href="pam.html#id2960824">Password Synchronization Using pam_smbpass.so</a></dt></dl></dd><dt><a href="pam.html#id2961283">Common Errors</a></dt><dd><dl><dt><a href="pam.html#id2961296">pam_winbind Problem</a></dt><dt><a href="pam.html#id2961406">Winbind Is Not Resolving Users and Groups</a></dt></dl></dd></dl></div><p> -This chapter should help you to deploy Winbind-based authentication on any PAM-enabled -UNIX/Linux system. Winbind can be used to enable User-Level application access authentication -from any MS Windows NT Domain, MS Windows 200x Active Directory-based -domain, or any Samba-based domain environment. It will also help you to configure PAM-based local host access -controls that are appropriate to your Samba configuration. -</p><p> -In addition to knowing how to configure Winbind into PAM, you will learn generic PAM management -possibilities and in particular how to deploy tools like <tt class="filename">pam_smbpass.so</tt> to your advantage. -</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> -The use of Winbind requires more than PAM configuration alone. -Please refer to <link linkend="winbind">, for further information regarding Winbind. -</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2958910"></a>Features and Benefits</h2></div></div><div></div></div><p> -A number of UNIX systems (e.g., Sun Solaris), as well as the xxxxBSD family and Linux, -now utilize the Pluggable Authentication Modules (PAM) facility to provide all authentication, -authorization and resource control services. Prior to the introduction of PAM, a decision -to use an alternative to the system password database (<tt class="filename">/etc/passwd</tt>) -would require the provision of alternatives for all programs that provide security services. -Such a choice would involve provision of alternatives to programs such as: <b class="command">login</b>, -<b class="command">passwd</b>, <b class="command">chown</b>, and so on. -</p><p> -PAM provides a mechanism that disconnects these security programs from the underlying -authentication/authorization infrastructure. PAM is configured by making appropriate modifications to one file -<tt class="filename">/etc/pam.conf</tt> (Solaris), or by editing individual control files that are -located in <tt class="filename">/etc/pam.d</tt>. -</p><p> -On PAM-enabled UNIX/Linux systems, it is an easy matter to configure the system to use any -authentication backend so long as the appropriate dynamically loadable library modules -are available for it. The backend may be local to the system, or may be centralized on a -remote server. -</p><p> -PAM support modules are available for: -</p><div class="variablelist"><dl><dt><span class="term"><tt class="filename">/etc/passwd</tt></span></dt><dd><p> - There are several PAM modules that interact with this standard UNIX user - database. The most common are called: <tt class="filename">pam_unix.so</tt>, <tt class="filename">pam_unix2.so</tt>, <tt class="filename">pam_pwdb.so</tt> - and <tt class="filename">pam_userdb.so</tt>. - </p></dd><dt><span class="term">Kerberos</span></dt><dd><p> - The <tt class="filename">pam_krb5.so</tt> module allows the use of any Kerberos compliant server. - This tool is used to access MIT Kerberos, Heimdal Kerberos, and potentially - Microsoft Active Directory (if enabled). - </p></dd><dt><span class="term">LDAP</span></dt><dd><p> - The <tt class="filename">pam_ldap.so</tt> module allows the use of any LDAP v2 or v3 compatible backend - server. Commonly used LDAP backend servers include: OpenLDAP v2.0 and v2.1, - Sun ONE iDentity server, Novell eDirectory server, Microsoft Active Directory. - </p></dd><dt><span class="term">NetWare Bindery</span></dt><dd><p> - The <tt class="filename">pam_ncp_auth.so</tt> module allows authentication off any bindery-enabled - NetWare Core Protocol-based server. - </p></dd><dt><span class="term">SMB Password</span></dt><dd><p> - This module, called <tt class="filename">pam_smbpass.so</tt>, will allow user authentication off - the passdb backend that is configured in the Samba <tt class="filename">smb.conf</tt> file. - </p></dd><dt><span class="term">SMB Server</span></dt><dd><p> - The <tt class="filename">pam_smb_auth.so</tt> module is the original MS Windows networking authentication - tool. This module has been somewhat outdated by the Winbind module. - </p></dd><dt><span class="term">Winbind</span></dt><dd><p> - The <tt class="filename">pam_winbind.so</tt> module allows Samba to obtain authentication from any - MS Windows Domain Controller. It can just as easily be used to authenticate - users for access to any PAM-enabled application. - </p></dd><dt><span class="term">RADIUS</span></dt><dd><p> - There is a PAM RADIUS (Remote Access Dial-In User Service) authentication - module. In most cases, administrators will need to locate the source code - for this tool and compile and install it themselves. RADIUS protocols are - used by many routers and terminal servers. - </p></dd></dl></div><p> -Of the above, Samba provides the <tt class="filename">pam_smbpasswd.so</tt> and the <tt class="filename">pam_winbind.so</tt> modules alone. -</p><p> -Once configured, these permit a remarkable level of flexibility in the location and use -of distributed Samba Domain Controllers that can provide wide area network bandwidth -efficient authentication services for PAM-capable systems. In effect, this allows the -deployment of centrally managed and maintained distributed authentication from a -single-user account database. -</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2959235"></a>Technical Discussion</h2></div></div><div></div></div><p> -PAM is designed to provide the system administrator with a great deal of flexibility in -configuration of the privilege granting applications of their system. The local -configuration of system security controlled by PAM is contained in one of two places: -either the single system file, <tt class="filename">/etc/pam.conf</tt>, or the -<tt class="filename">/etc/pam.d/</tt> directory. -</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2959266"></a>PAM Configuration Syntax</h3></div></div><div></div></div><p> -In this section we discuss the correct syntax of and generic options respected by entries to these files. -PAM-specific tokens in the configuration file are case insensitive. The module paths, however, are case -sensitive since they indicate a file's name and reflect the case -dependence of typical file systems. -The case-sensitivity of the arguments to any given module is defined for each module in turn. -</p><p> -In addition to the lines described below, there are two special characters provided for the convenience -of the system administrator: comments are preceded by a “<span class="quote">#</span>” and extend to the next end-of-line; also, -module specification lines may be extended with a “<span class="quote">\</span>” escaped newline. -</p><p> -If the PAM authentication module (loadable link library file) is located in the -default location, then it is not necessary to specify the path. In the case of -Linux, the default location is <tt class="filename">/lib/security</tt>. If the module -is located outside the default, then the path must be specified as: -</p><p> -</p><pre class="programlisting"> -auth required /other_path/pam_strange_module.so -</pre><p> -</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2959332"></a>Anatomy of <tt class="filename">/etc/pam.d</tt> Entries</h4></div></div><div></div></div><p> -The remaining information in this subsection was taken from the documentation of the Linux-PAM -project. For more information on PAM, see -<ulink url="http://ftp.kernel.org/pub/linux/libs/pam/">The Official Linux-PAM home page.</ulink> -</p><p> -A general configuration line of the <tt class="filename">/etc/pam.conf</tt> file has the following form: -</p><p> -</p><pre class="programlisting"> -service-name module-type control-flag module-path args -</pre><p> -</p><p> -Below, we explain the meaning of each of these tokens. The second (and more recently adopted) -way of configuring Linux-PAM is via the contents of the <tt class="filename">/etc/pam.d/</tt> directory. -Once we have explained the meaning of the above tokens, we will describe this method. -</p><div class="variablelist"><dl><dt><span class="term">service-name</span></dt><dd><p> - The name of the service associated with this entry. Frequently, the service name is the conventional - name of the given application. For example, <b class="command">ftpd</b>, <b class="command">rlogind</b> and - <b class="command">su</b>, and so on. - </p><p> - There is a special service-name reserved for defining a default authentication mechanism. It has - the name <i class="parameter"><tt>OTHER</tt></i> and may be specified in either lower- or upper-case characters. - Note, when there is a module specified for a named service, the <i class="parameter"><tt>OTHER</tt></i> - entries are ignored. - </p></dd><dt><span class="term">module-type</span></dt><dd><p> - One of (currently) four types of module. The four types are as follows: - </p><div class="itemizedlist"><ul type="disc"><li><p> - <i class="parameter"><tt>auth:</tt></i> This module type provides two aspects of authenticating the user. - It establishes that the user is who he claims to be by instructing the application - to prompt the user for a password or other means of identification. Secondly, the module can - grant group membership (independently of the <tt class="filename">/etc/groups</tt> file discussed - above) or other privileges through its credential granting properties. - </p></li><li><p> - <i class="parameter"><tt>account:</tt></i> This module performs non-authentication-based account management. - It is typically used to restrict/permit access to a service based on the time of day, currently - available system resources (maximum number of users) or perhaps the location of the applicant - user “<span class="quote">root</span>” login only on the console. - </p></li><li><p> - <i class="parameter"><tt>session:</tt></i> Primarily, this module is associated with doing things that need - to be done for the user before and after they can be given service. Such things include the logging - of information concerning the opening and closing of some data exchange with a user, mounting - directories, and so on. - </p></li><li><p> - <i class="parameter"><tt>password:</tt></i> This last module type is required for updating the authentication - token associated with the user. Typically, there is one module for each “<span class="quote">challenge/response</span>” - -based authentication <i class="parameter"><tt>(auth)</tt></i> module type. - </p></li></ul></div></dd><dt><span class="term">control-flag</span></dt><dd><p> - The control-flag is used to indicate how the PAM library will react to the success or failure of the - module it is associated with. Since modules can be stacked (modules of the same type execute in series, - one after another), the control-flags determine the relative importance of each module. The application - is not made aware of the individual success or failure of modules listed in the - <tt class="filename">/etc/pam.conf</tt> file. Instead, it receives a summary success or fail response from - the Linux-PAM library. The order of execution of these modules is that of the entries in the - <tt class="filename">/etc/pam.conf</tt> file; earlier entries are executed before later ones. - As of Linux-PAM v0.60, this control-flag can be defined with one of two syntaxes. - </p><p> - The simpler (and historical) syntax for the control-flag is a single keyword defined to indicate the - severity of concern associated with the success or failure of a specific module. There are four such - keywords: <i class="parameter"><tt>required, requisite, sufficient and optional</tt></i>. - </p><p> - The Linux-PAM library interprets these keywords in the following manner: - </p><div class="itemizedlist"><ul type="disc"><li><p> - <i class="parameter"><tt>required:</tt></i> This indicates that the success of the module is required for the - module-type facility to succeed. Failure of this module will not be apparent to the user until all - of the remaining modules (of the same module-type) have been executed. - </p></li><li><p> - <i class="parameter"><tt>requisite:</tt></i> Like required, however, in the case that such a module returns a - failure, control is directly returned to the application. The return value is that associated with - the first required or requisite module to fail. This flag can be used to protect against the - possibility of a user getting the opportunity to enter a password over an unsafe medium. It is - conceivable that such behavior might inform an attacker of valid accounts on a system. This - possibility should be weighed against the not insignificant concerns of exposing a sensitive - password in a hostile environment. - </p></li><li><p> - <i class="parameter"><tt>sufficient:</tt></i> The success of this module is deemed <i class="parameter"><tt>sufficient</tt></i> to satisfy - the Linux-PAM library that this module-type has succeeded in its purpose. In the event that no - previous required module has failed, no more “<span class="quote">stacked</span>” modules of this type are invoked. - (In this case, subsequent required modules are not invoked). A failure of this module is not deemed - as fatal to satisfying the application that this module-type has succeeded. - </p></li><li><p> - <i class="parameter"><tt>optional:</tt></i> As its name suggests, this control-flag marks the module as not - being critical to the success or failure of the user's application for service. In general, - Linux-PAM ignores such a module when determining if the module stack will succeed or fail. - However, in the absence of any definite successes or failures of previous or subsequent stacked - modules, this module will determine the nature of the response to the application. One example of - this latter case, is when the other modules return something like PAM_IGNORE. - </p></li></ul></div><p> - The more elaborate (newer) syntax is much more specific and gives the administrator a great deal of control - over how the user is authenticated. This form of the control flag is delimited with square brackets and - consists of a series of <i class="parameter"><tt>value=action</tt></i> tokens: - </p><pre class="programlisting"> -[value1=action1 value2=action2 ...] -</pre><p> - Here, <i class="parameter"><tt>value1</tt></i> is one of the following return values: -</p><pre class="screen"> -<i class="parameter"><tt>success; open_err; symbol_err; service_err; system_err; buf_err;</tt></i> -<i class="parameter"><tt>perm_denied; auth_err; cred_insufficient; authinfo_unavail;</tt></i> -<i class="parameter"><tt>user_unknown; maxtries; new_authtok_reqd; acct_expired; session_err;</tt></i> -<i class="parameter"><tt>cred_unavail; cred_expired; cred_err; no_module_data; conv_err;</tt></i> -<i class="parameter"><tt>authtok_err; authtok_recover_err; authtok_lock_busy;</tt></i> -<i class="parameter"><tt>authtok_disable_aging; try_again; ignore; abort; authtok_expired;</tt></i> -<i class="parameter"><tt>module_unknown; bad_item;</tt></i> and <i class="parameter"><tt>default</tt></i>. -</pre><p> -</p><p> - The last of these <i class="parameter"><tt>(default)</tt></i> can be used to set the action for those return values that are not explicitly defined. - </p><p> - The <i class="parameter"><tt>action1</tt></i> can be a positive integer or one of the following tokens: - <i class="parameter"><tt>ignore; ok; done; bad; die;</tt></i> and <i class="parameter"><tt>reset</tt></i>. - A positive integer, J, when specified as the action, can be used to indicate that the next J modules of the - current module-type will be skipped. In this way, the administrator can develop a moderately sophisticated - stack of modules with a number of different paths of execution. Which path is taken can be determined by the - reactions of individual modules. - </p><div class="itemizedlist"><ul type="disc"><li><p> - <i class="parameter"><tt>ignore:</tt></i> When used with a stack of modules, the module's return status will not - contribute to the return code the application obtains. - </p></li><li><p> - <i class="parameter"><tt>bad:</tt></i> This action indicates that the return code should be thought of as indicative - of the module failing. If this module is the first in the stack to fail, its status value will be used - for that of the whole stack. - </p></li><li><p> - <i class="parameter"><tt>die:</tt></i> Equivalent to bad with the side effect of terminating the module stack and - PAM immediately returning to the application. - </p></li><li><p> - <i class="parameter"><tt>ok:</tt></i> This tells PAM that the administrator thinks this return code should - contribute directly to the return code of the full stack of modules. In other words, if the former - state of the stack would lead to a return of PAM_SUCCESS, the module's return code will override - this value. Note, if the former state of the stack holds some value that is indicative of a modules - failure, this <i class="parameter"><tt>ok</tt></i> value will not be used to override that value. - </p></li><li><p> - <i class="parameter"><tt>done:</tt></i> Equivalent to <i class="parameter"><tt>ok</tt></i> with the side effect of terminating the module stack and - PAM immediately returning to the application. - </p></li><li><p> - <i class="parameter"><tt>reset:</tt></i> Clears all memory of the state of the module stack and starts again with - the next stacked module. - </p></li></ul></div><p> - Each of the four keywords: <i class="parameter"><tt>required; requisite; sufficient;</tt></i> and <i class="parameter"><tt>optional</tt></i>, - have an equivalent expression in terms of the [...] syntax. They are as follows: - </p><p> - </p><div class="itemizedlist"><ul type="disc"><li><p> - <i class="parameter"><tt>required</tt></i> is equivalent to <i class="parameter"><tt>[success=ok new_authtok_reqd=ok ignore=ignore default=bad]</tt></i>. - </p></li><li><p> - <i class="parameter"><tt>requisite</tt></i> is equivalent to <i class="parameter"><tt>[success=ok new_authtok_reqd=ok ignore=ignore default=die]</tt></i>. - </p></li><li><p> - <i class="parameter"><tt>sufficient</tt></i> is equivalent to <i class="parameter"><tt>[success=done new_authtok_reqd=done default=ignore]</tt></i>. - </p></li><li><p> - <i class="parameter"><tt>optional</tt></i> is equivalent to <i class="parameter"><tt>[success=ok new_authtok_reqd=ok default=ignore]</tt></i>. - </p></li></ul></div><p> - </p><p> - Just to get a feel for the power of this new syntax, here is a taste of what you can do with it. With Linux-PAM-0.63, - the notion of client plug-in agents was introduced. This is something that makes it possible for PAM to support - machine-machine authentication using the transport protocol inherent to the client/server application. With the - <i class="parameter"><tt>[ ... value=action ... ]</tt></i> control syntax, it is possible for an application to be configured - to support binary prompts with compliant clients, but to gracefully fall over into an alternative authentication - mode for older, legacy applications. - </p></dd><dt><span class="term">module-path</span></dt><dd><p> - The path-name of the dynamically loadable object file; the pluggable module itself. If the first character of the - module path is “<span class="quote">/</span>”, it is assumed to be a complete path. If this is not the case, the given module path is appended - to the default module path: <tt class="filename">/lib/security</tt> (but see the notes above). - </p><p> - The arguments are a list of tokens that are passed to the module when it is invoked, much like arguments to a typical - Linux shell command. Generally, valid arguments are optional and are specific to any given module. Invalid arguments - are ignored by a module, however, when encountering an invalid argument, the module is required to write an error - to syslog(3). For a list of generic options, see the next section. - </p><p> - If you wish to include spaces in an argument, you should surround that argument with square brackets. For example: - </p><pre class="programlisting"> -squid auth required pam_mysql.so user=passwd_query passwd=mada \ -db=eminence [query=select user_name from internet_service where \ -user_name=“<span class="quote">%u</span>” and password=PASSWORD(“<span class="quote">%p</span>”) and service=“<span class="quote">web_proxy</span>”] -</pre><p> - When using this convention, you can include “<span class="quote">[</span>” characters inside the string, and if you wish to have a “<span class="quote">]</span>” - character inside the string that will survive the argument parsing, you should use “<span class="quote">\[</span>”. In other words: - </p><pre class="programlisting"> -[..[..\]..] --> ..[..].. -</pre><p> - Any line in one of the configuration files that is not formatted correctly will generally tend (erring on the - side of caution) to make the authentication process fail. A corresponding error is written to the system log files - with a call to syslog(3). - </p></dd></dl></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2960262"></a>Example System Configurations</h3></div></div><div></div></div><p> -The following is an example <tt class="filename">/etc/pam.d/login</tt> configuration file. -This example had all options uncommented and is probably not usable -because it stacks many conditions before allowing successful completion -of the login process. Essentially all conditions can be disabled -by commenting them out, except the calls to <tt class="filename">pam_pwdb.so</tt>. -</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2960294"></a>PAM: Original Login Config</h4></div></div><div></div></div><pre class="programlisting"> -#%PAM-1.0 -# The PAM configuration file for the “<span class="quote">login</span>” service -# -auth required pam_securetty.so -auth required pam_nologin.so -# auth required pam_dialup.so -# auth optional pam_mail.so -auth required pam_pwdb.so shadow md5 -# account requisite pam_time.so -account required pam_pwdb.so -session required pam_pwdb.so -# session optional pam_lastlog.so -# password required pam_cracklib.so retry=3 -password required pam_pwdb.so shadow md5 -</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2960324"></a>PAM: Login Using <tt class="filename">pam_smbpass</tt></h4></div></div><div></div></div><p> -PAM allows use of replaceable modules. Those available on a sample system include: -</p><p><tt class="prompt">$</tt><b class="userinput"><tt>/bin/ls /lib/security</tt></b> -</p><pre class="programlisting"> -pam_access.so pam_ftp.so pam_limits.so -pam_ncp_auth.so pam_rhosts_auth.so pam_stress.so -pam_cracklib.so pam_group.so pam_listfile.so -pam_nologin.so pam_rootok.so pam_tally.so -pam_deny.so pam_issue.so pam_mail.so -pam_permit.so pam_securetty.so pam_time.so -pam_dialup.so pam_lastlog.so pam_mkhomedir.so -pam_pwdb.so pam_shells.so pam_UNIX.so -pam_env.so pam_ldap.so pam_motd.so -pam_radius.so pam_smbpass.so pam_UNIX_acct.so -pam_wheel.so pam_UNIX_auth.so pam_UNIX_passwd.so -pam_userdb.so pam_warn.so pam_UNIX_session.so -</pre><p> -The following example for the login program replaces the use of -the <tt class="filename">pam_pwdb.so</tt> module that uses the system -password database (<tt class="filename">/etc/passwd</tt>, -<tt class="filename">/etc/shadow</tt>, <tt class="filename">/etc/group</tt>) with -the module <tt class="filename">pam_smbpass.so</tt>, which uses the Samba -database which contains the Microsoft MD4 encrypted password -hashes. This database is stored in either -<tt class="filename">/usr/local/samba/private/smbpasswd</tt>, -<tt class="filename">/etc/samba/smbpasswd</tt>, or in -<tt class="filename">/etc/samba.d/smbpasswd</tt>, depending on the -Samba implementation for your UNIX/Linux system. The -<tt class="filename">pam_smbpass.so</tt> module is provided by -Samba version 2.2.1 or later. It can be compiled by specifying the -<tt class="option">--with-pam_smbpass</tt> options when running Samba's -<b class="command">configure</b> script. For more information -on the <tt class="filename">pam_smbpass</tt> module, see the documentation -in the <tt class="filename">source/pam_smbpass</tt> directory of the Samba -source distribution. -</p><pre class="programlisting"> -#%PAM-1.0 -# The PAM configuration file for the “<span class="quote">login</span>” service -# -auth required pam_smbpass.so nodelay -account required pam_smbpass.so nodelay -session required pam_smbpass.so nodelay -password required pam_smbpass.so nodelay -</pre><p> -The following is the PAM configuration file for a particular -Linux system. The default condition uses <tt class="filename">pam_pwdb.so</tt>. -</p><pre class="programlisting"> -#%PAM-1.0 -# The PAM configuration file for the “<span class="quote">samba</span>” service -# -auth required pam_pwdb.so nullok nodelay shadow audit -account required pam_pwdb.so audit nodelay -session required pam_pwdb.so nodelay -password required pam_pwdb.so shadow md5 -</pre><p> -In the following example, the decision has been made to use the -<b class="command">smbpasswd</b> database even for basic Samba authentication. Such a -decision could also be made for the <b class="command">passwd</b> program and would -thus allow the <b class="command">smbpasswd</b> passwords to be changed using the -<b class="command">passwd</b> program: -</p><pre class="programlisting"> -#%PAM-1.0 -# The PAM configuration file for the “<span class="quote">samba</span>” service -# -auth required pam_smbpass.so nodelay -account required pam_pwdb.so audit nodelay -session required pam_pwdb.so nodelay -password required pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf -</pre><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>PAM allows stacking of authentication mechanisms. It is -also possible to pass information obtained within one PAM module through -to the next module in the PAM stack. Please refer to the documentation for -your particular system implementation for details regarding the specific -capabilities of PAM in this environment. Some Linux implementations also -provide the <tt class="filename">pam_stack.so</tt> module that allows all -authentication to be configured in a single central file. The -<tt class="filename">pam_stack.so</tt> method has some devoted followers -on the basis that it allows for easier administration. As with all issues in -life though, every decision makes trade-offs, so you may want to examine the -PAM documentation for further helpful information. -</p></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2960612"></a><tt class="filename">smb.conf</tt> PAM Configuration</h3></div></div><div></div></div><p> - There is an option in <tt class="filename">smb.conf</tt> called <a class="indexterm" name="id2960633"></a><i class="parameter"><tt>obey pam restrictions</tt></i>. -The following is from the online help for this option in SWAT; -</p><p> -When Samba is configured to enable PAM support (i.e., <tt class="option">--with-pam</tt>), this parameter will -control whether or not Samba should obey PAM's account and session management directives. The default behavior -is to use PAM for cleartext authentication only and to ignore any account or session management. Samba always -ignores PAM for authentication in the case of <a class="indexterm" name="id2960663"></a><i class="parameter"><tt>encrypt passwords</tt></i> = yes. -The reason is that PAM modules cannot support the challenge/response authentication mechanism needed in the presence of SMB -password encryption. -</p><p>Default: <a class="indexterm" name="id2960684"></a><i class="parameter"><tt>obey pam restrictions</tt></i> = no</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2960701"></a>Remote CIFS Authentication Using <tt class="filename">winbindd.so</tt></h3></div></div><div></div></div><p> -All operating systems depend on the provision of users credentials acceptable to the platform. -UNIX requires the provision of a user identifier (UID) as well as a group identifier (GID). -These are both simple integer type numbers that are obtained from a password backend such -as <tt class="filename">/etc/passwd</tt>. -</p><p> -Users and groups on a Windows NT server are assigned a relative ID (RID) which is unique for -the domain when the user or group is created. To convert the Windows NT user or group into -a UNIX user or group, a mapping between RIDs and UNIX user and group IDs is required. This -is one of the jobs that winbind performs. -</p><p> -As Winbind users and groups are resolved from a server, user and group IDs are allocated -from a specified range. This is done on a first come, first served basis, although all -existing users and groups will be mapped as soon as a client performs a user or group -enumeration command. The allocated UNIX IDs are stored in a database file under the Samba -lock directory and will be remembered. -</p><p> -The astute administrator will realize from this that the combination of <tt class="filename">pam_smbpass.so</tt>, -<b class="command">winbindd</b> and a distributed <a class="indexterm" name="id2960770"></a><i class="parameter"><tt>passdb backend</tt></i>, -such as <i class="parameter"><tt>ldap</tt></i>, will allow the establishment of a centrally managed, distributed user/password -database that can also be used by all PAM-aware (e.g., Linux) programs and applications. This arrangement can have -particularly potent advantages compared with the use of Microsoft Active Directory Service (ADS) in so far as -the reduction of wide area network authentication traffic. -</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p> -The RID to UNIX ID database is the only location where the user and group mappings are -stored by <b class="command">winbindd</b>. If this file is deleted or corrupted, there is no way for <b class="command">winbindd</b> -to determine which user and group IDs correspond to Windows NT user and group RIDs. -</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2960824"></a>Password Synchronization Using <tt class="filename">pam_smbpass.so</tt></h3></div></div><div></div></div><p> -<tt class="filename">pam_smbpass</tt> is a PAM module that can be used on conforming systems to -keep the <tt class="filename">smbpasswd</tt> (Samba password) database in sync with the UNIX -password file. PAM (Pluggable Authentication Modules) is an API supported -under some UNIX operating systems, such as Solaris, HPUX and Linux, that provides a -generic interface to authentication mechanisms. -</p><p> -This module authenticates a local <tt class="filename">smbpasswd</tt> user database. If you require -support for authenticating against a remote SMB server, or if you are -concerned about the presence of SUID root binaries on your system, it is -recommended that you use <tt class="filename">pam_winbind</tt> instead. -</p><p> -Options recognized by this module are shown in <link linkend="smbpassoptions">. -</p><div class="table"><a name="smbpassoptions"></a><p class="title"><b>Table 25.1. Options recognized by <i class="parameter"><tt>pam_smbpass</tt></i></b></p><table summary="Options recognized by pam_smbpass" border="1"><colgroup><col align="left"><col align="justify"></colgroup><tbody><tr><td align="left">debug</td><td align="justify">log more debugging info.</td></tr><tr><td align="left">audit</td><td align="justify">like debug, but also logs unknown usernames.</td></tr><tr><td align="left">use_first_pass</td><td align="justify">do not prompt the user for passwords; take them from PAM_ items instead.</td></tr><tr><td align="left">try_first_pass</td><td align="justify">try to get the password from a previous PAM module fall back to prompting the user.</td></tr><tr><td align="left">use_authtok</td><td align="justify">like try_first_pass, but *fail* if the new PAM_AUTHTOK has not been previously set (intended for stacking password modules only).</td></tr><tr><td align="left">not_set_pass</td><td align="justify">do not make passwords used by this module available to other modules.</td></tr><tr><td align="left">nodelay</td><td align="justify">do not insert ~1 second delays on authentication failure.</td></tr><tr><td align="left">nullok</td><td align="justify">null passwords are allowed.</td></tr><tr><td align="left">nonull</td><td align="justify">null passwords are not allowed. Used to override the Samba configuration.</td></tr><tr><td align="left">migrate</td><td align="justify">only meaningful in an “<span class="quote">auth</span>” context; used to update smbpasswd file with a password used for successful authentication.</td></tr><tr><td align="left">smbconf=<i class="replaceable"><tt>file</tt></i></td><td align="justify">specify an alternate path to the <tt class="filename">smb.conf</tt> file.</td></tr></tbody></table></div><p> -</p><p> -The following are examples of the use of <tt class="filename">pam_smbpass.so</tt> in the format of Linux -<tt class="filename">/etc/pam.d/</tt> files structure. Those wishing to implement this -tool on other platforms will need to adapt this appropriately. -</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2961083"></a>Password Synchronization Configuration</h4></div></div><div></div></div><p> -A sample PAM configuration that shows the use of pam_smbpass to make -sure <tt class="filename">private/smbpasswd</tt> is kept in sync when <tt class="filename">/etc/passwd (/etc/shadow)</tt> -is changed. Useful when an expired password might be changed by an -application (such as <b class="command">ssh</b>). -</p><pre class="programlisting"> -#%PAM-1.0 -# password-sync -# -auth requisite pam_nologin.so -auth required pam_UNIX.so -account required pam_UNIX.so -password requisite pam_cracklib.so retry=3 -password requisite pam_UNIX.so shadow md5 use_authtok try_first_pass -password required pam_smbpass.so nullok use_authtok try_first_pass -session required pam_UNIX.so -</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2961136"></a>Password Migration Configuration</h4></div></div><div></div></div><p> -A sample PAM configuration that shows the use of <tt class="filename">pam_smbpass</tt> to migrate -from plaintext to encrypted passwords for Samba. Unlike other methods, -this can be used for users who have never connected to Samba shares: -password migration takes place when users <b class="command">ftp</b> in, login using <b class="command">ssh</b>, pop -their mail, and so on. -</p><pre class="programlisting"> -#%PAM-1.0 -# password-migration -# -auth requisite pam_nologin.so -# pam_smbpass is called IF pam_UNIX succeeds. -auth requisite pam_UNIX.so -auth optional pam_smbpass.so migrate -account required pam_UNIX.so -password requisite pam_cracklib.so retry=3 -password requisite pam_UNIX.so shadow md5 use_authtok try_first_pass -password optional pam_smbpass.so nullok use_authtok try_first_pass -session required pam_UNIX.so -</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2961191"></a>Mature Password Configuration</h4></div></div><div></div></div><p> -A sample PAM configuration for a mature <tt class="filename">smbpasswd</tt> installation. -<tt class="filename">private/smbpasswd</tt> is fully populated, and we consider it an error if -the SMB password does not exist or does not match the UNIX password. -</p><pre class="programlisting"> -#%PAM-1.0 -# password-mature -# -auth requisite pam_nologin.so -auth required pam_UNIX.so -account required pam_UNIX.so -password requisite pam_cracklib.so retry=3 -password requisite pam_UNIX.so shadow md5 use_authtok try_first_pass -password required pam_smbpass.so use_authtok use_first_pass -session required pam_UNIX.so -</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2961236"></a>Kerberos Password Integration Configuration</h4></div></div><div></div></div><p> -A sample PAM configuration that shows <i class="parameter"><tt>pam_smbpass</tt></i> used together with -<i class="parameter"><tt>pam_krb5</tt></i>. This could be useful on a Samba PDC that is also a member of -a Kerberos realm. -</p><pre class="programlisting"> -#%PAM-1.0 -# kdc-pdc -# -auth requisite pam_nologin.so -auth requisite pam_krb5.so -auth optional pam_smbpass.so migrate -account required pam_krb5.so -password requisite pam_cracklib.so retry=3 -password optional pam_smbpass.so nullok use_authtok try_first_pass -password required pam_krb5.so use_authtok try_first_pass -session required pam_krb5.so -</pre></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2961283"></a>Common Errors</h2></div></div><div></div></div><p> -PAM can be fickle and sensitive to configuration glitches. Here we look at a few cases from -the Samba mailing list. -</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2961296"></a>pam_winbind Problem</h3></div></div><div></div></div><p> - A user reported: I have the following PAM configuration: - </p><p> -</p><pre class="programlisting"> -auth required /lib/security/pam_securetty.so -auth sufficient /lib/security/pam_winbind.so -auth sufficient /lib/security/pam_UNIX.so use_first_pass nullok -auth required /lib/security/pam_stack.so service=system-auth -auth required /lib/security/pam_nologin.so -account required /lib/security/pam_stack.so service=system-auth -account required /lib/security/pam_winbind.so -password required /lib/security/pam_stack.so service=system-auth -</pre><p> -</p><p> - When I open a new console with [ctrl][alt][F1], I can't log in with my user “<span class="quote">pitie</span>”. - I have tried with user “<span class="quote">scienceu+pitie</span>” also. - </p><p> - <span class="emphasis"><em>Answer:</em></span> The problem may lie with your inclusion of <i class="parameter"><tt>pam_stack.so - service=system-auth</tt></i>. That file often contains a lot of stuff that may - duplicate what you are already doing. Try commenting out the <i class="parameter"><tt>pam_stack</tt></i> lines - for <i class="parameter"><tt>auth</tt></i> and <i class="parameter"><tt>account</tt></i> and see if things work. If they do, look at - <tt class="filename">/etc/pam.d/system-auth</tt> and copy only what you need from it into your - <tt class="filename">/etc/pam.d/login</tt> file. Alternately, if you want all services to use - Winbind, you can put the Winbind-specific stuff in <tt class="filename">/etc/pam.d/system-auth</tt>. - </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2961406"></a>Winbind Is Not Resolving Users and Groups</h3></div></div><div></div></div><p> - “<span class="quote"> - My <tt class="filename">smb.conf</tt> file is correctly configured. I have specified - <a class="indexterm" name="id2961428"></a><i class="parameter"><tt>idmap uid</tt></i> = 12000, - and <a class="indexterm" name="id2961442"></a><i class="parameter"><tt>idmap gid</tt></i> = 3000-3500 - and <b class="command">winbind</b> is running. When I do the following it all works fine. - </span>” - </p><pre class="screen"> -<tt class="prompt">root# </tt><b class="userinput"><tt>wbinfo -u</tt></b> -MIDEARTH+maryo -MIDEARTH+jackb -MIDEARTH+ameds -... -MIDEARTH+root - -<tt class="prompt">root# </tt><b class="userinput"><tt>wbinfo -g</tt></b> -MIDEARTH+Domain Users -MIDEARTH+Domain Admins -MIDEARTH+Domain Guests -... -MIDEARTH+Accounts - -<tt class="prompt">root# </tt><b class="userinput"><tt>getent passwd</tt></b> -root:x:0:0:root:/root:/bin/bash -bin:x:1:1:bin:/bin:/bin/bash -... -maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false -</pre><p> - “<span class="quote"> - But this command fails: - </span>” -</p><pre class="screen"> -<tt class="prompt">root# </tt><b class="userinput"><tt>chown maryo a_file</tt></b> -chown: 'maryo': invalid user -</pre><p> - “<span class="quote">This is driving me nuts! What can be wrong?</span>” - </p><p> - <span class="emphasis"><em>Answer:</em></span> Your system is likely running <b class="command">nscd</b>, the name service - caching daemon. Shut it down, do not restart it! You will find your problem resolved. - </p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="ProfileMgmt.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="integrate-ms-networks.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 24. Desktop Profile Management </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 26. Integrating MS Windows Networks with Samba</td></tr></table></div></body></html> |