Using Samba as a proxy authentication service?
David Bannon
D.Bannon at latrobe.edu.au
Mon Dec 4 22:12:48 GMT 2000
At 01:09 PM 04/12/2000 +0000, Mike Brodbelt wrote:
>I'd like to be able to use Samba (or samba services, at any rate) to
>allow me to authenticate users against NT Domain accounts from external
>programs. I know that PAM modules and suchlike exist for general logon
>authentication, but my situation is slightly different, and I'm not sure
>of the best way to take advantage of the existing support.
>
I would set up a PAM stack on the Samba box and then have your application
authenticate against that. I do so with a couple of CGIs, for example. So
you could have a web page that allows them to run a CGI that switches the
vacation parameters. You would need appropriate security in addition to
PAM, perhaps only allowing requests from a particular IP subnet?
Here is pam.c that I link to my (C based) CGIs:
/* PAM module to check username/password
   cc pam.c -lpam -ldl
   David Bannon, Sept 99
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <security/pam_appl.h>

struct checkpw_cred {
    char *uname;    /* user name */
    char *pass;     /* password */
};

/* PAM conversation function
 * Accepts: number of messages
 *          vector of messages
 *          pointer to response return
 *          application data
 * Returns: PAM_SUCCESS if OK, response vector filled in, else PAM_CONV_ERR
 *
 * Note: libpam frees each reply[i].resp and the reply vector itself once it
 * is done with them, so the strings handed back must be heap copies (strdup),
 * not pointers into the caller's cred structure.
 */
static int checkpw_conv (int num_msg, const struct pam_message **msg,
                         struct pam_response **resp, void *appdata_ptr)
{
    int i;
    struct checkpw_cred *cred = (struct checkpw_cred *) appdata_ptr;
    struct pam_response *reply;

    if (num_msg <= 0 || cred == NULL)
        return PAM_CONV_ERR;
    reply = (struct pam_response *) calloc (num_msg, sizeof (struct pam_response));
    if (reply == NULL)
        return PAM_CONV_ERR;

    for (i = 0; i < num_msg; i++) switch (msg[i]->msg_style) {
    case PAM_PROMPT_ECHO_ON:        /* assume want user name */
        reply[i].resp_retcode = PAM_SUCCESS;
        reply[i].resp = strdup (cred->uname);
        break;
    case PAM_PROMPT_ECHO_OFF:       /* assume want password */
        reply[i].resp_retcode = PAM_SUCCESS;
        reply[i].resp = strdup (cred->pass);
        break;
    case PAM_TEXT_INFO:
    case PAM_ERROR_MSG:
        reply[i].resp_retcode = PAM_SUCCESS;
        reply[i].resp = NULL;
        break;
    default:                        /* unknown message style */
        while (i-- > 0)
            free (reply[i].resp);   /* release whatever was filled in so far */
        free (reply);
        return PAM_CONV_ERR;
    }
    *resp = reply;
    return PAM_SUCCESS;
}

/* Server log in
 * Accepts: user name string
 *          password string
 *          PAM service name (selects /etc/pam.d/<AppName>)
 * Returns: 1 if password validated, 0 otherwise
 */
int PamCheck (char *User, char *pass, char *AppName)
{
    pam_handle_t *hdl = NULL;
    struct pam_conv conv;
    struct checkpw_cred cred;

    conv.conv = &checkpw_conv;
    conv.appdata_ptr = &cred;
    cred.uname = User;
    cred.pass = pass;

    /* If pam_start fails there is no handle to end; just report failure. */
    if (pam_start (AppName, User, &conv, &hdl) != PAM_SUCCESS)
        return 0;
    if (pam_authenticate (hdl, 0) != PAM_SUCCESS) {
        pam_end (hdl, PAM_AUTH_ERR);
        return 0;
    }
    if (pam_acct_mgmt (hdl, 0) != PAM_SUCCESS) {
        pam_end (hdl, PAM_AUTH_ERR);
        return 0;
    }
    if (pam_setcred (hdl, PAM_ESTABLISH_CRED) != PAM_SUCCESS) {
        pam_end (hdl, PAM_AUTH_ERR);
        return 0;
    }
    pam_end (hdl, PAM_SUCCESS);     /* return success */
    return 1;
}

/* Dummy main function for stand alone testing.
int main(void) {
    if (PamCheck("davo", "xxxxxx", "testapp")) printf("Yep, positive\n");
    if (PamCheck("davo", "yyyyyy", "testapp") == 0) printf("Yep, negative\n");
    return 0;
} */
------------------------------------------------------------
David Bannon D.Bannon at latrobe.edu.au
School of Biochemistry Phone 61 03 9479 2197
La Trobe University, Plenty Rd, Fax 61 03 9479 2467
Bundoora, Vic, Australia, 3083 http://bioserve.latrobe.edu.au
------------------------------------------------------------
..... Humpty Dumpty was pushed !
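As an added illustration (not part of David's post), this is the kind of PAM service file the PamCheck() call above relies on: pam_start() is given "testapp" as the service name, so libpam reads /etc/pam.d/testapp, and because the code also calls pam_acct_mgmt() the file needs an account line as well as an auth line. The module named here is assumed to be pam_winbind (Samba's winbindd client module); which Samba PAM module is actually available depends on the Samba version installed.

```conf
# /etc/pam.d/testapp -- constructed example; "testapp" matches the AppName
# that PamCheck() passes to pam_start(), so this file (not the system login
# stack) decides how the CGI's username/password pair is checked.
#
# auth: pam_winbind hands the credentials to winbindd, which validates them
#       against the NT domain controller.  pam_setcred() also uses this line.
auth     required   pam_winbind.so
#
# account: PamCheck() calls pam_acct_mgmt(); without an account line libpam
#          falls back to /etc/pam.d/other, which on most systems denies.
account  required   pam_winbind.so
```

The CGI process needs winbindd running and permission to reach its socket, and the service file should stay root-owned and not group- or world-writable, since whoever can edit it decides what counts as a valid login.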