From 42e899cf10249844361c35a495eda861b6d246b3 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Thu, 29 May 2003 07:11:59 +0000 Subject: A few little edits - more updating ahead. It will get to be close enough some time! (This used to be commit f2b6d94a7fdc9d77bd37c17b127715cad92ed957) --- .../projdoc/PAM-Authentication-And-Samba.xml | 336 ++++++++++++++------- 1 file changed, 231 insertions(+), 105 deletions(-) diff --git a/docs/docbook/projdoc/PAM-Authentication-And-Samba.xml b/docs/docbook/projdoc/PAM-Authentication-And-Samba.xml index 3b50511747..ef1496c7a6 100644 --- a/docs/docbook/projdoc/PAM-Authentication-And-Samba.xml +++ b/docs/docbook/projdoc/PAM-Authentication-And-Samba.xml @@ -1,19 +1,27 @@ + &author.jht; StephenLangasek
vorlon@netexpress.net
- &author.jht; (Jun 21 2001)
-PAM Configuration for Centrally Managed Authentication +PAM based Distributed Authentication + + +This chapter you should help you to deploy winbind based authentication on any PAM enabled +Unix/Linux system. Winbind can be used to enable user level application access authentication +from any MS Windows NT Domain, MS Windows 200x Active Directory based domain, or any Samba +based domain environment. It will also help you to configure PAM based local host access +controls that are appropriate to your Samba configuration. + -Samba and PAM +Features and Benefits A number of Unix systems (eg: Sun Solaris), as well as the xxxxBSD family and Linux, @@ -32,18 +40,136 @@ authentication/authorization infrastructure. PAM is configured either through o located in /etc/pam.d. - - - If the PAM authentication module (loadable link library file) is located in the - default location then it is not necessary to specify the path. In the case of - Linux, the default location is /lib/security. If the module - is located outside the default then the path must be specified as: - - - auth required /other_path/pam_strange_module.so - - - + +On PAM enabled Unix/Linux systems it is an easy matter to configure the system to use any +authentication backend, so long as the appropriate dynamically loadable library modules +are available for it. The backend may be local to the system, or may be centralised on a +remote server. + + + +PAM support modules are available for: + + + + /etc/passwd- + + There are several PAM modules that interact with this standard Unix user + database. The most common are called: pam_unix.so, pam_unix2.so, pam_pwdb.so + and pam_userdb.so. + + + + Kerberos- + + The pam_krb5.so module allows the use of any Kerberos compliant server. + This tool is used to access MIT Kerberos, Heimdal Kerberos, and potentially + Microsoft Active Directory (if enabled). + + + + LDAP- + + The pam_ldap.so module allows the use of any LDAP v2 or v3 compatible backend + server. Commonly used LDAP backend servers include: OpenLDAP v2.0 and v2.1, + Sun ONE iDentity server, Novell eDirectory server, Microsoft Active Directory. + + + + NetWare Bindery- + + The pam_ncp_auth.so module allows authentication off any bindery enabled + NetWare Core Protocol based server. + + + + SMB Password- + + This module, called pam_smbpass.so, will allow user authentication off + the passdb backend that is configured in the Samba &smb.conf; file. + + + + SMB Server- + + The pam_smb_auth.so module is the original MS Windows networking authentication + tool. This module has been somewhat outdated by the Winbind module. + + + + Winbind- + + The pam_winbind.so module allows Samba to obtain authentication from any + MS Windows Domain Controller. It can just as easily be used to authenticate + users for access to any PAM enabled application. + + + + RADIUS- + + There is a PAM RADIUS (Remote Access Dial-In User Service) authentication + module. In most cases the administrator will need to locate the source code + for this tool and compile and install it themselves. RADIUS protocols are + used by many routers and terminal servers. + + + + + +Of the above, Samba provides the pam_smbpasswd.so and the pam_winbind.so modules alone. + + + +Once configured, these permit a remarkable level of flexibility in the location and use +of distributed samba domain controllers that can provide wide are network bandwidth +efficient authentication services for PAM capable systems. In effect, this allows the +deployment of centrally managed and maintained distributed authentication from a single +user account database. + + + + + +Technical Discussion + + +All operating systems depend on the authentication sub-systems to provide for authenticated users +credentials accecptable to the platform. Unix requires the provision of a user identifier (UID) +as well as a group identifier (GID). These are both simple integer type numbers that are obtained +from a password backend such as /etc/passwd. + + + +Users and groups on a Windows NT server are assigned a relative id (rid) which is unique for +the domain when the user or group is created. To convert the Windows NT user or group into +a unix user or group, a mapping between rids and unix user and group ids is required. This +is one of the jobs that winbind performs. + + + +As winbind users and groups are resolved from a server, user and group ids are allocated +from a specified range. This is done on a first come, first served basis, although all +existing users and groups will be mapped as soon as a client performs a user or group +enumeration command. The allocated unix ids are stored in a database file under the Samba +lock directory and will be remembered. + + + +The rid to unix id database is the only location where the user and group mappings are +stored by winbindd. If this file is deleted or corrupted, there is no way for winbindd +to determine which user and group ids correspond to Windows NT user and group rids. + + + +If the PAM authentication module (loadable link library file) is located in the +default location then it is not necessary to specify the path. In the case of +Linux, the default location is /lib/security. If the module +is located outside the default then the path must be specified as: + + +auth required /other_path/pam_strange_module.so + + The following is an example /etc/pam.d/login configuration file. @@ -54,20 +180,20 @@ by commenting them out except the calls to pam_pwdb.so. - #%PAM-1.0 - # The PAM configuration file for the `login' service - # - auth required pam_securetty.so - auth required pam_nologin.so - # auth required pam_dialup.so - # auth optional pam_mail.so - auth required pam_pwdb.so shadow md5 - # account requisite pam_time.so - account required pam_pwdb.so - session required pam_pwdb.so - # session optional pam_lastlog.so - # password required pam_cracklib.so retry=3 - password required pam_pwdb.so shadow md5 +#%PAM-1.0 +# The PAM configuration file for the `login' service +# +auth required pam_securetty.so +auth required pam_nologin.so +# auth required pam_dialup.so +# auth optional pam_mail.so +auth required pam_pwdb.so shadow md5 +# account requisite pam_time.so +account required pam_pwdb.so +session required pam_pwdb.so +# session optional pam_lastlog.so +# password required pam_cracklib.so retry=3 +password required pam_pwdb.so shadow md5 @@ -76,18 +202,18 @@ PAM allows use of replacable modules. Those available on a sample system include $/bin/ls /lib/security - pam_access.so pam_ftp.so pam_limits.so - pam_ncp_auth.so pam_rhosts_auth.so pam_stress.so - pam_cracklib.so pam_group.so pam_listfile.so - pam_nologin.so pam_rootok.so pam_tally.so - pam_deny.so pam_issue.so pam_mail.so - pam_permit.so pam_securetty.so pam_time.so - pam_dialup.so pam_lastlog.so pam_mkhomedir.so - pam_pwdb.so pam_shells.so pam_unix.so - pam_env.so pam_ldap.so pam_motd.so - pam_radius.so pam_smbpass.so pam_unix_acct.so - pam_wheel.so pam_unix_auth.so pam_unix_passwd.so - pam_userdb.so pam_warn.so pam_unix_session.so +pam_access.so pam_ftp.so pam_limits.so +pam_ncp_auth.so pam_rhosts_auth.so pam_stress.so +pam_cracklib.so pam_group.so pam_listfile.so +pam_nologin.so pam_rootok.so pam_tally.so +pam_deny.so pam_issue.so pam_mail.so +pam_permit.so pam_securetty.so pam_time.so +pam_dialup.so pam_lastlog.so pam_mkhomedir.so +pam_pwdb.so pam_shells.so pam_unix.so +pam_env.so pam_ldap.so pam_motd.so +pam_radius.so pam_smbpass.so pam_unix_acct.so +pam_wheel.so pam_unix_auth.so pam_unix_passwd.so +pam_userdb.so pam_warn.so pam_unix_session.so @@ -112,13 +238,13 @@ source distribution. - #%PAM-1.0 - # The PAM configuration file for the `login' service - # - auth required pam_smbpass.so nodelay - account required pam_smbpass.so nodelay - session required pam_smbpass.so nodelay - password required pam_smbpass.so nodelay +#%PAM-1.0 +# The PAM configuration file for the `login' service +# +auth required pam_smbpass.so nodelay +account required pam_smbpass.so nodelay +session required pam_smbpass.so nodelay +password required pam_smbpass.so nodelay @@ -127,13 +253,13 @@ Linux system. The default condition uses pam_pwdb.so. - #%PAM-1.0 - # The PAM configuration file for the `samba' service - # - auth required pam_pwdb.so nullok nodelay shadow audit - account required pam_pwdb.so audit nodelay - session required pam_pwdb.so nodelay - password required pam_pwdb.so shadow md5 +#%PAM-1.0 +# The PAM configuration file for the `samba' service +# +auth required pam_pwdb.so nullok nodelay shadow audit +account required pam_pwdb.so audit nodelay +session required pam_pwdb.so nodelay +password required pam_pwdb.so shadow md5 @@ -145,13 +271,13 @@ program. - #%PAM-1.0 - # The PAM configuration file for the `samba' service - # - auth required pam_smbpass.so nodelay - account required pam_pwdb.so audit nodelay - session required pam_pwdb.so nodelay - password required pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf +#%PAM-1.0 +# The PAM configuration file for the `samba' service +# +auth required pam_smbpass.so nodelay +account required pam_pwdb.so audit nodelay +session required pam_pwdb.so nodelay +password required pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf PAM allows stacking of authentication mechanisms. It is @@ -270,16 +396,16 @@ application (such as ssh). - #%PAM-1.0 - # password-sync - # - auth requisite pam_nologin.so - auth required pam_unix.so - account required pam_unix.so - password requisite pam_cracklib.so retry=3 - password requisite pam_unix.so shadow md5 use_authtok try_first_pass - password required pam_smbpass.so nullok use_authtok try_first_pass - session required pam_unix.so +#%PAM-1.0 +# password-sync +# +auth requisite pam_nologin.so +auth required pam_unix.so +account required pam_unix.so +password requisite pam_cracklib.so retry=3 +password requisite pam_unix.so shadow md5 use_authtok try_first_pass +password required pam_smbpass.so nullok use_authtok try_first_pass +session required pam_unix.so @@ -295,18 +421,18 @@ their mail, etc. - #%PAM-1.0 - # password-migration - # - auth requisite pam_nologin.so - # pam_smbpass is called IFF pam_unix succeeds. - auth requisite pam_unix.so - auth optional pam_smbpass.so migrate - account required pam_unix.so - password requisite pam_cracklib.so retry=3 - password requisite pam_unix.so shadow md5 use_authtok try_first_pass - password optional pam_smbpass.so nullok use_authtok try_first_pass - session required pam_unix.so +#%PAM-1.0 +# password-migration +# +auth requisite pam_nologin.so +# pam_smbpass is called IF pam_unix succeeds. +auth requisite pam_unix.so +auth optional pam_smbpass.so migrate +account required pam_unix.so +password requisite pam_cracklib.so retry=3 +password requisite pam_unix.so shadow md5 use_authtok try_first_pass +password optional pam_smbpass.so nullok use_authtok try_first_pass +session required pam_unix.so @@ -320,16 +446,16 @@ the smbpasswd doesn't exist or doesn't match the Unix password. - #%PAM-1.0 - # password-mature - # - auth requisite pam_nologin.so - auth required pam_unix.so - account required pam_unix.so - password requisite pam_cracklib.so retry=3 - password requisite pam_unix.so shadow md5 use_authtok try_first_pass - password required pam_smbpass.so use_authtok use_first_pass - session required pam_unix.so +#%PAM-1.0 +# password-mature +# +auth requisite pam_nologin.so +auth required pam_unix.so +account required pam_unix.so +password requisite pam_cracklib.so retry=3 +password requisite pam_unix.so shadow md5 use_authtok try_first_pass +password required pam_smbpass.so use_authtok use_first_pass +session required pam_unix.so @@ -343,17 +469,17 @@ a Kerberos realm. - #%PAM-1.0 - # kdc-pdc - # - auth requisite pam_nologin.so - auth requisite pam_krb5.so - auth optional pam_smbpass.so migrate - account required pam_krb5.so - password requisite pam_cracklib.so retry=3 - password optional pam_smbpass.so nullok use_authtok try_first_pass - password required pam_krb5.so use_authtok try_first_pass - session required pam_krb5.so +#%PAM-1.0 +# kdc-pdc +# +auth requisite pam_nologin.so +auth requisite pam_krb5.so +auth optional pam_smbpass.so migrate +account required pam_krb5.so +password requisite pam_cracklib.so retry=3 +password optional pam_smbpass.so nullok use_authtok try_first_pass +password required pam_krb5.so use_authtok try_first_pass +session required pam_krb5.so -- cgit