From ad0e01e75059bedde6400529f1a5193ef9735e9b Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 25 Oct 2002 15:15:32 +0000 Subject: sync from HEAD (This used to be commit 2eb7f0acd761a11bb0f24010347247074c5ed49a) --- docs/htmldocs/PAM-Authentication-And-Samba.html | 318 ------------------------ 1 file changed, 318 deletions(-) delete mode 100644 docs/htmldocs/PAM-Authentication-And-Samba.html (limited to 'docs/htmldocs/PAM-Authentication-And-Samba.html') diff --git a/docs/htmldocs/PAM-Authentication-And-Samba.html b/docs/htmldocs/PAM-Authentication-And-Samba.html deleted file mode 100644 index 6dc815b87b..0000000000 --- a/docs/htmldocs/PAM-Authentication-And-Samba.html +++ /dev/null @@ -1,318 +0,0 @@ -Configuring PAM for distributed but centrally -managed authentication

Configuring PAM for distributed but centrally -managed authentication


Samba and PAM

A number of Unix systems (eg: Sun Solaris), as well as the -xxxxBSD family and Linux, now utilize the Pluggable Authentication -Modules (PAM) facility to provide all authentication, -authorization and resource control services. Prior to the -introduction of PAM, a decision to use an alternative to -the system password database (/etc/passwd) -would require the provision of alternatives for all programs that provide -security services. Such a choice would involve provision of -alternatives to such programs as: login, -passwd, chown, etc.

PAM provides a mechanism that disconnects these security programs -from the underlying authentication/authorization infrastructure. -PAM is configured either through one file /etc/pam.conf (Solaris), -or by editing individual files that are located in /etc/pam.d.

The following is an example /etc/pam.d/login configuration file. -This example had all options been uncommented is probably not usable -as it stacks many conditions before allowing successful completion -of the login process. Essentially all conditions can be disabled -by commenting them out except the calls to pam_pwdb.so.

#%PAM-1.0
-# The PAM configuration file for the `login' service
-#
-auth 		required	pam_securetty.so
-auth 		required	pam_nologin.so
-# auth 		required	pam_dialup.so
-# auth 		optional	pam_mail.so
-auth		required	pam_pwdb.so shadow md5
-# account    	requisite  	pam_time.so
-account		required	pam_pwdb.so
-session		required	pam_pwdb.so
-# session 	optional	pam_lastlog.so
-# password   	required   	pam_cracklib.so retry=3
-password	required	pam_pwdb.so shadow md5

PAM allows use of replacable modules. Those available on a -sample system include:

$ /bin/ls /lib/security
-pam_access.so    pam_ftp.so          pam_limits.so     
-pam_ncp_auth.so  pam_rhosts_auth.so  pam_stress.so     
-pam_cracklib.so  pam_group.so        pam_listfile.so   
-pam_nologin.so   pam_rootok.so       pam_tally.so      
-pam_deny.so      pam_issue.so        pam_mail.so       
-pam_permit.so    pam_securetty.so    pam_time.so       
-pam_dialup.so    pam_lastlog.so      pam_mkhomedir.so  
-pam_pwdb.so      pam_shells.so       pam_unix.so       
-pam_env.so       pam_ldap.so         pam_motd.so       
-pam_radius.so    pam_smbpass.so      pam_unix_acct.so  
-pam_wheel.so     pam_unix_auth.so    pam_unix_passwd.so
-pam_userdb.so    pam_warn.so         pam_unix_session.so

The following example for the login program replaces the use of -the pam_pwdb.so module which uses the system -password database (/etc/passwd, -/etc/shadow, /etc/group) with -the module pam_smbpass.so which uses the Samba -database which contains the Microsoft MD4 encrypted password -hashes. This database is stored in either -/usr/local/samba/private/smbpasswd, -/etc/samba/smbpasswd, or in -/etc/samba.d/smbpasswd, depending on the -Samba implementation for your Unix/Linux system. The -pam_smbpass.so module is provided by -Samba version 2.2.1 or later. It can be compiled by specifying the ---with-pam_smbpass options when running Samba's -configure script. For more information -on the pam_smbpass module, see the documentation -in the source/pam_smbpass directory of the Samba -source distribution.

#%PAM-1.0
-# The PAM configuration file for the `login' service
-#
-auth		required	pam_smbpass.so nodelay
-account		required	pam_smbpass.so nodelay
-session		required	pam_smbpass.so nodelay
-password	required	pam_smbpass.so nodelay

The following is the PAM configuration file for a particular -Linux system. The default condition uses pam_pwdb.so.

#%PAM-1.0
-# The PAM configuration file for the `samba' service
-#
-auth       required     /lib/security/pam_pwdb.so nullok nodelay shadow audit
-account    required     /lib/security/pam_pwdb.so audit nodelay
-session    required     /lib/security/pam_pwdb.so nodelay
-password   required     /lib/security/pam_pwdb.so shadow md5

In the following example the decision has been made to use the -smbpasswd database even for basic samba authentication. Such a -decision could also be made for the passwd program and would -thus allow the smbpasswd passwords to be changed using the passwd -program.

#%PAM-1.0
-# The PAM configuration file for the `samba' service
-#
-auth       required     /lib/security/pam_smbpass.so nodelay
-account    required     /lib/security/pam_pwdb.so audit nodelay
-session    required     /lib/security/pam_pwdb.so nodelay
-password   required     /lib/security/pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf

Note: PAM allows stacking of authentication mechanisms. It is -also possible to pass information obtained within on PAM module through -to the next module in the PAM stack. Please refer to the documentation for -your particular system implementation for details regarding the specific -capabilities of PAM in this environment. Some Linux implmentations also -provide the pam_stack.so module that allows all -authentication to be configured in a single central file. The -pam_stack.so method has some very devoted followers -on the basis that it allows for easier administration. As with all issues in -life though, every decision makes trade-offs, so you may want examine the -PAM documentation for further helpful information.


Distributed Authentication

The astute administrator will realize from this that the -combination of pam_smbpass.so, -winbindd, and rsync (see -http://rsync.samba.org/) -will allow the establishment of a centrally managed, distributed -user/password database that can also be used by all -PAM (eg: Linux) aware programs and applications. This arrangement -can have particularly potent advantages compared with the -use of Microsoft Active Directory Service (ADS) in so far as -reduction of wide area network authentication traffic.


PAM Configuration in smb.conf

There is an option in smb.conf called obey pam restrictions. -The following is from the on-line help for this option in SWAT;

When Samba 2.2 is configure to enable PAM support (i.e. ---with-pam), this parameter will -control whether or not Samba should obey PAM's account -and session management directives. The default behavior -is to use PAM for clear text authentication only and to -ignore any account or session management. Note that Samba always -ignores PAM for authentication in the case of -encrypt passwords = yes. -The reason is that PAM modules cannot support the challenge/response -authentication mechanism needed in the presence of SMB -password encryption.

Default: obey pam restrictions = no

\ No newline at end of file -- cgit
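Review bot: the commit message "sync from HEAD" gives no pointer to where this content now lives, yet the hunk removes the only rendered copy of guidance administrators rely on, notably the `PAM Configuration in smb.conf` section stating that Samba ignores PAM for authentication when `encrypt passwords = yes` (PAM modules cannot do the challenge/response exchange) and the `obey pam restrictions = no` default. If `docs/htmldocs/` is generated output and this page is now built from a source document in HEAD, say so in the message and name the replacement; if it is not regenerated, the deletion should be paired with the new home of the `pam_smbpass.so` examples (`auth required pam_smbpass.so nodelay` through `password required pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf`). Whatever source survives should also pick up the fixes this copy never received: the typos `replacable`, `implmentations` and `within on PAM module`, and a caveat next to `nullok` in the `samba` service example (`auth required /lib/security/pam_pwdb.so nullok nodelay shadow audit`), since that option accepts accounts with empty passwords and the surrounding text does not mention it.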