From 55abd936a838a4410899db76cb5530b0c4694dc9 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 10 Oct 2001 17:19:10 +0000 Subject: mega-merge from 2.2 (This used to be commit c76bf8ed3275e217d1b691879153fe9137bcbe38) --- .../projdoc/PAM-Authentication-And-Samba.sgml | 212 +++++++++++++++++++++ 1 file changed, 212 insertions(+) create mode 100644 docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml (limited to 'docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml') diff --git a/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml b/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml new file mode 100644 index 0000000000..6c866acecd --- /dev/null +++ b/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml @@ -0,0 +1,212 @@ + + + + + + JohnTerpstra + + Samba Team +
+ jht@samba.org +
+
+
+ + + (Jun 21 2001) +
+ +Configuring PAM for distributed but centrally +managed authentication + + +Samba and PAM + + +A number of Unix systems (eg: Sun Solaris), as well as the +xxxxBSD family and Linux, now utilize the Pluggable Authentication +Modules (PAM) facility to provide all authentication, +authorization and resource control services. Prior to the +introduction of PAM, a decision to use an alternative to +the system password database (/etc/passwd) +would require the provision of alternatives for all programs that provide +security services. Such a choice would involve provision of +alternatives to such programs as: login, +passwd, chown, etc. + + + +PAM provides a mechanism that disconnects these security programs +from the underlying authentication/authorization infrastructure. +PAM is configured either through one file /etc/pam.conf (Solaris), +or by editing individual files that are located in /etc/pam.d. + + + +The following is an example /etc/pam.d/login configuration file. +This example had all options been uncommented is probably not usable +as it stacks many conditions before allowing successful completion +of the login process. Essentially all conditions can be disabled +by commenting them out except the calls to pam_pwdb.so. + + + +#%PAM-1.0 +# The PAM configuration file for the `login' service +# +auth required pam_securetty.so +auth required pam_nologin.so +# auth required pam_dialup.so +# auth optional pam_mail.so +auth required pam_pwdb.so shadow md5 +# account requisite pam_time.so +account required pam_pwdb.so +session required pam_pwdb.so +# session optional pam_lastlog.so +# password required pam_cracklib.so retry=3 +password required pam_pwdb.so shadow md5 + + + +PAM allows use of replacable modules. 
Those available on a +sample system include: + + + +$ /bin/ls /lib/security +pam_access.so pam_ftp.so pam_limits.so +pam_ncp_auth.so pam_rhosts_auth.so pam_stress.so +pam_cracklib.so pam_group.so pam_listfile.so +pam_nologin.so pam_rootok.so pam_tally.so +pam_deny.so pam_issue.so pam_mail.so +pam_permit.so pam_securetty.so pam_time.so +pam_dialup.so pam_lastlog.so pam_mkhomedir.so +pam_pwdb.so pam_shells.so pam_unix.so +pam_env.so pam_ldap.so pam_motd.so +pam_radius.so pam_smbpass.so pam_unix_acct.so +pam_wheel.so pam_unix_auth.so pam_unix_passwd.so +pam_userdb.so pam_warn.so pam_unix_session.so + + + +The following example for the login program replaces the use of +the pam_pwdb.so module which uses the system +password database (/etc/passwd, +/etc/shadow, /etc/group) with +the module pam_smbpass.so which uses the Samba +database which contains the Microsoft MD4 encrypted password +hashes. This database is stored in either +/usr/local/samba/private/smbpasswd, +/etc/samba/smbpasswd, or in +/etc/samba.d/smbpasswd, depending on the +Samba implementation for your Unix/Linux system. The +pam_smbpass.so module is provided by +Samba version 2.2.1 or later. It can be compiled only if the +--with-pam --with-pam_smbpass options are both +provided to the Samba configure program. + + + +#%PAM-1.0 +# The PAM configuration file for the `login' service +# +auth required pam_smbpass.so nodelay +account required pam_smbpass.so nodelay +session required pam_smbpass.so nodelay +password required pam_smbpass.so nodelay + + + +The following is the PAM configuration file for a particular +Linux system. The default condition uses pam_pwdb.so. 
+ + + +#%PAM-1.0 +# The PAM configuration file for the `samba' service +# +auth required /lib/security/pam_pwdb.so nullok nodelay shadow audit +account required /lib/security/pam_pwdb.so audit nodelay +session required /lib/security/pam_pwdb.so nodelay +password required /lib/security/pam_pwdb.so shadow md5 + + + +In the following example the decision has been made to use the +smbpasswd database even for basic samba authentication. Such a +decision could also be made for the passwd program and would +thus allow the smbpasswd passwords to be changed using the passwd +program. + + + +#%PAM-1.0 +# The PAM configuration file for the `samba' service +# +auth required /lib/security/pam_smbpass.so nodelay +account required /lib/security/pam_pwdb.so audit nodelay +session required /lib/security/pam_pwdb.so nodelay +password required /lib/security/pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf + + + +Note: PAM allows stacking of authentication mechanisms. It is +also possible to pass information obtained within on PAM module through +to the next module in the PAM stack. Please refer to the documentation for +your particular system implementation for details regarding the specific +capabilities of PAM in this environment. Some Linux implmentations also +provide the pam_stack.so module that allows all +authentication to be configured in a single central file. The +pam_stack.so method has some very devoted followers +on the basis that it allows for easier administration. As with all issues in +life though, every decision makes trade-offs, so you may want examine the +PAM documentation for further helpful information. + + + + + +Distributed Authentication + + +The astute administrator will realize from this that the +combination of pam_smbpass.so, +winbindd, and rsync (see +http://rsync.samba.org/) +will allow the establishment of a centrally managed, distributed +user/password database that can also be used by all +PAM (eg: Linux) aware programs and applications. 
This arrangement +can have particularly potent advantages compared with the +use of Microsoft Active Directory Service (ADS) in so far as +reduction of wide area network authentication traffic. + + + + + +PAM Configuration in smb.conf + + +There is an option in smb.conf called obey pam restrictions. +The following is from the on-line help for this option in SWAT; + + + +When Samba 2.2 is configure to enable PAM support (i.e. +--with-pam), this parameter will +control whether or not Samba should obey PAM's account +and session management directives. The default behavior +is to use PAM for clear text authentication only and to +ignore any account or session management. Note that Samba always +ignores PAM for authentication in the case of +encrypt passwords = yes. +The reason is that PAM modules cannot support the challenge/response +authentication mechanism needed in the presence of SMB +password encryption. + + +Default: obey pam restrictions = no + + +
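Review bot: the second `samba'-service example (auth required /lib/security/pam_smbpass.so nodelay ...) is introduced as using the smbpasswd database "even for basic samba authentication", but the later "PAM Configuration in smb.conf" section states that Samba always ignores PAM for authentication when encrypt passwords = yes, so that auth line only takes effect for cleartext (encrypt passwords = no) logons; the paragraph introducing the example should say so, otherwise a reader will expect the PAM auth stack to govern encrypted SMB logons. Two more points need documenting in the same hunk: the nodelay option is placed on every pam_smbpass.so and pam_pwdb.so line in the login and samba examples but is never explained, and the login example that swaps pam_smbpass.so in for pam_pwdb.so on the auth, account, session and password lines hands account and session handling to a module the text describes only as reading the MD4 password-hash database, whereas pam_pwdb.so is described as using /etc/passwd, /etc/shadow and /etc/group; state what account and session checks are lost by that substitution. In the "Distributed Authentication" section, replicating the smbpasswd file with rsync copies the MD4 hashes that the text itself calls the authentication database to every participating host, so the claimed advantage over ADS should be accompanied by how that transfer and the replicas are protected (file ownership and mode, transport used by rsync). Style: "replacable", "implmentations", "within on PAM module", "you may want examine", "is configure to enable" and the sentence "This example had all options been uncommented is probably not usable" need correcting.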