Chapter 25. PAM based Distributed Authentication

This chapter you should help you to deploy winbind based authentication on any PAM enabled -Unix/Linux system. Winbind can be used to enable user level application access authentication +UNIX/Linux system. Winbind can be used to enable user level application access authentication from any MS Windows NT Domain, MS Windows 200x Active Directory based domain, or any Samba based domain environment. It will also help you to configure PAM based local host access controls that are appropriate to your Samba configuration. @@ -8,9 +8,9 @@ controls that are appropriate to your Samba configuration. In addition to knowing how to configure winbind into PAM, you will learn generic PAM management possibilities and in particular how to deploy tools like pam_smbpass.so to your advantage.

Note

-The use of Winbind require more than PAM configuration alone. Please refer to the Winbind chapter. -

Features and Benefits

-A number of Unix systems (eg: Sun Solaris), as well as the xxxxBSD family and Linux, +The use of Winbind require more than PAM configuration alone. Please refer to the Winbind chapter. +

Features and Benefits

+A number of UNIX systems (eg: Sun Solaris), as well as the xxxxBSD family and Linux, now utilize the Pluggable Authentication Modules (PAM) facility to provide all authentication, authorization and resource control services. Prior to the introduction of PAM, a decision to use an alternative to the system password database (/etc/passwd) @@ -23,38 +23,38 @@ authentication/authorization infrastructure. PAM is configured either through o /etc/pam.conf (Solaris), or by editing individual files that are located in /etc/pam.d.

-On PAM enabled Unix/Linux systems it is an easy matter to configure the system to use any +On PAM enabled UNIX/Linux systems it is an easy matter to configure the system to use any authentication backend, so long as the appropriate dynamically loadable library modules are available for it. The backend may be local to the system, or may be centralised on a remote server.

PAM support modules are available for: -

/etc/passwd

- There are several PAM modules that interact with this standard Unix user +

/etc/passwd:

+ There are several PAM modules that interact with this standard UNIX user database. The most common are called: pam_unix.so, pam_unix2.so, pam_pwdb.so and pam_userdb.so. -

Kerberos

Kerberos:

The pam_krb5.so module allows the use of any Kerberos compliant server. This tool is used to access MIT Kerberos, Heimdal Kerberos, and potentially Microsoft Active Directory (if enabled). -

LDAP

LDAP:

The pam_ldap.so module allows the use of any LDAP v2 or v3 compatible backend server. Commonly used LDAP backend servers include: OpenLDAP v2.0 and v2.1, Sun ONE iDentity server, Novell eDirectory server, Microsoft Active Directory. -

NetWare Bindery

NetWare Bindery:

The pam_ncp_auth.so module allows authentication off any bindery enabled NetWare Core Protocol based server. -

SMB Password

SMB Password:

This module, called pam_smbpass.so, will allow user authentication off the passdb backend that is configured in the Samba smb.conf file. -

SMB Server

SMB Server:

The pam_smb_auth.so module is the original MS Windows networking authentication tool. This module has been somewhat outdated by the Winbind module. -

Winbind

Winbind:

The pam_winbind.so module allows Samba to obtain authentication from any MS Windows Domain Controller. It can just as easily be used to authenticate users for access to any PAM enabled application. -

RADIUS

RADIUS:

There is a PAM RADIUS (Remote Access Dial-In User Service) authentication module. In most cases the administrator will need to locate the source code for this tool and compile and install it themselves. RADIUS protocols are @@ -67,12 +67,12 @@ of distributed samba domain controllers that can provide wide are network bandwi efficient authentication services for PAM capable systems. In effect, this allows the deployment of centrally managed and maintained distributed authentication from a single user account database. -

Technical Discussion

PAM is designed to provide the system administrator with a great deal of flexibility in configuration of the privilege granting applications of their system. The local configuration of system security controlled by PAM is contained in one of two places: either the single system file, /etc/pam.conf; or the /etc/pam.d/ directory. -

PAM Configuration Syntax

In this section we discuss the correct syntax of and generic options respected by entries to these files. PAM specific tokens in the configuration file are case insensitive. The module paths, however, are case sensitive since they indicate a file's name and reflect the case dependence of typical file-systems. @@ -87,32 +87,31 @@ default location then it is not necessary to specify the path. In the case of Linux, the default location is /lib/security. If the module is located outside the default then the path must be specified as:

+
 auth  required  /other_path/pam_strange_module.so
 

-
Anatomy of /etc/pam.d Entries

+
Anatomy of /etc/pam.d Entries

 The remaining information in this subsection was taken from the documentation of the Linux-PAM
 project. For more information on PAM, see 
-
-http://ftp.kernel.org/pub/linux/libs/pam The Official Linux-PAM home page.
+The Official Linux-PAM home page
 

 A general configuration line of the /etc/pam.conf file has the following form:
 

-
+
 service-name   module-type   control-flag   module-path   args
 

 

 Below, we explain the meaning of each of these tokens. The second (and more recently adopted)
 way of configuring Linux-PAM is via the contents of the /etc/pam.d/ directory.
 Once we have explained the meaning of the above tokens, we will describe this method.
-
service-name
-

+
service-name:

 		The name of the service associated with this entry. Frequently the service name is the conventional
 		name of the given application. For example, `ftpd', `rlogind' and `su', etc. .
 		

 		There is a special service-name, reserved for defining a default authentication mechanism. It has
 		the name `OTHER' and may be specified in either lower or upper case characters. Note, when there
 		is a module specified for a named service, the `OTHER' entries are ignored.
-		
module-type
-

+		
module-type:

 		One of (currently) four types of module. The four types are as follows:
 		

 			auth: this module type provides two aspects of authenticating the user.
@@ -134,7 +133,7 @@ Once we have explained the meaning of the above tokens, we will describe this me
 			password: this last module type is required for updating the authentication
 			token associated with the user. Typically, there is one module for each `challenge/response'
 			based authentication (auth) module-type.
-			
control-flag
-

+			
control-flag:

 		The control-flag is used to indicate how the PAM library will react to the success or failure of the
 		module it is associated with. Since modules can be stacked (modules of the same type execute in series,
 		one after another), the control-flags determine the relative importance of each module. The application
@@ -178,9 +177,9 @@ Once we have explained the meaning of the above tokens, we will describe this me
 		The more elaborate (newer) syntax is much more specific and gives the administrator a great deal of control
 		over how the user is authenticated. This form of the control flag is delimited with square brackets and
 		consists of a series of value=action tokens:
-		
-		[value1=action1 value2=action2 ...]
-		

+		
+[value1=action1 value2=action2 ...]
+

 		Here, value1 is one of the following return values: success; open_err; symbol_err; service_err;
 		system_err; buf_err; perm_denied; auth_err; cred_insufficient; authinfo_unavail; user_unknown; maxtries;
 		new_authtok_reqd; acct_expired; session_err; cred_unavail; cred_expired; cred_err; no_module_data; conv_err;
@@ -235,7 +234,7 @@ Once we have explained the meaning of the above tokens, we will describe this me
 		[ ... value=action ... ] control syntax, it is possible for an application to be configured
 		to support binary prompts with compliant clients, but to gracefully fall over into an alternative authentication
 		mode for older, legacy, applications.
-		
module-path
-

+		
module-path:

 		The path-name of the dynamically loadable object file; the pluggable module itself. If the first character of the
 		module path is `/', it is assumed to be a complete path. If this is not the case, the given module path is appended
 		to the default module path: /lib/security (but see the notes above).
@@ -246,7 +245,7 @@ Once we have explained the meaning of the above tokens, we will describe this me
 		to syslog(3). For a list of generic options see the next section.
 		

 		Note, if you wish to include spaces in an argument, you should surround that argument with square brackets. For example:
-		
+		
 squid auth required pam_mysql.so user=passwd_query passwd=mada \
         db=eminence [query=select user_name from internet_service where \
                      user_name='%u' and password=PASSWORD('%p') and \
@@ -254,19 +253,19 @@ squid auth required pam_mysql.so user=passwd_query passwd=mada \
 

 		Note, when using this convention, you can include `[' characters inside the string, and if you wish to include a `]'
 		character inside the string that will survive the argument parsing, you should use `\['. In other words:
-		
+		
 [..[..\]..]    -->   ..[..]..
 

 		Any line in (one of) the configuration file(s), that is not formatted correctly, will generally tend (erring on the
 		side of caution) to make the authentication process fail. A corresponding error is written to the system log files
 		with a call to syslog(3). 
-		
Example System Configurations

+

Example System Configurations

The following is an example /etc/pam.d/login configuration file. This example had all options been uncommented is probably not usable as it stacks many conditions before allowing successful completion of the login process. Essentially all conditions can be disabled by commenting them out except the calls to pam_pwdb.so. -

PAM: original login config

+
PAM: original login config
 #%PAM-1.0
 # The PAM configuration file for the `login' service
 #
@@ -281,10 +280,10 @@ session      required    pam_pwdb.so
 # session    optional    pam_lastlog.so
 # password   required    pam_cracklib.so retry=3
 password     required    pam_pwdb.so shadow md5
-
PAM: login using pam_smbpass

+

PAM: login using pam_smbpass

PAM allows use of replaceable modules. Those available on a sample system include:

$/bin/ls /lib/security -

+
 pam_access.so    pam_ftp.so          pam_limits.so     
 pam_ncp_auth.so  pam_rhosts_auth.so  pam_stress.so     
 pam_cracklib.so  pam_group.so        pam_listfile.so   
@@ -308,7 +307,7 @@ hashes. This database is stored in either
 /usr/local/samba/private/smbpasswd, 
 /etc/samba/smbpasswd, or in 
 /etc/samba.d/smbpasswd, depending on the 
-Samba implementation for your Unix/Linux system. The 
+Samba implementation for your UNIX/Linux system. The 
 pam_smbpass.so module is provided by 
 Samba version 2.2.1 or later. It can be compiled by specifying the 
 --with-pam_smbpass options when running Samba's
@@ -316,7 +315,7 @@ Samba version 2.2.1 or later. It can be compiled by specifying the
 on the pam_smbpass module, see the documentation
 in the source/pam_smbpass directory of the Samba 
 source distribution.
-
+
 #%PAM-1.0
 # The PAM configuration file for the `login' service
 #
@@ -327,7 +326,7 @@ password    required    pam_smbpass.so nodelay
 

 The following is the PAM configuration file for a particular 
 Linux system. The default condition uses pam_pwdb.so.
-
+
 #%PAM-1.0
 # The PAM configuration file for the `samba' service
 #
@@ -341,7 +340,7 @@ smbpasswd database even for basic samba authentication. Such a
 decision could also be made for the passwd program and would 
 thus allow the smbpasswd passwords to be changed using the passwd 
 program.
-
+
 #%PAM-1.0
 # The PAM configuration file for the `samba' service
 #
@@ -360,24 +359,24 @@ authentication to be configured in a single central file. The
 on the basis that it allows for easier administration. As with all issues in 
 life though, every decision makes trade-offs, so you may want examine the 
 PAM documentation for further helpful information.
-

The following are examples of the use of pam_smbpass.so in the format of Linux /etc/pam.d/ files structure. Those wishing to implement this tool on other platforms will need to adapt this appropriately. -

debug	log more debugging info
audit	like debug, but also logs unknown usernames
use_first_pass	don't prompt the user for passwords; take them from PAM_ items instead
try_first_pass	try to get the password from a previous PAM module, fall back to prompting the user
use_authtok	like try_first_pass, but fail if the new PAM_AUTHTOK has not been previously set. (intended for stacking password modules only)
not_set_pass	don't make passwords used by this module available to other modules.
nodelay	don't insert ~1 second delays on authentication failure.
nullok	null passwords are allowed.
nonull	null passwords are not allowed. Used to override the Samba configuration.
migrate	only meaningful in an "auth" context; used to update smbpasswd file with a password used for successful authentication.
smbconf=`file`	specify an alternate path to the `smb.conf` file.

debug	log more debugging info
audit	like debug, but also logs unknown usernames
use_first_pass	don't prompt the user for passwords; take them from PAM_ items instead
try_first_pass	try to get the password from a previous PAM module, fall back to prompting the user
use_authtok	like try_first_pass, but fail if the new PAM_AUTHTOK has not been previously set. (intended for stacking password modules only)
not_set_pass	don't make passwords used by this module available to other modules.
nodelay	don't insert ~1 second delays on authentication failure.
nullok	null passwords are allowed.
nonull	null passwords are not allowed. Used to override the Samba configuration.
migrate	only meaningful in an "auth" context; used to update smbpasswd file with a password used for successful authentication.
smbconf=`file`	specify an alternate path to the `smb.conf` file.

Prev	Up	Next
Chapter 24. Desktop Profile Management	Home	Chapter 26. Integrating MS Windows networks with Samba

Prev	Up	Next
Chapter 24. Desktop Profile Management	Home	Chapter 26. Integrating MS Windows networks with Samba