[Samba] CryptoCard - PAM or RADIUS?

Simo Sorce idra at samba.org
Wed Sep 20 14:31:31 GMT 2006


On Tue, 2006-09-19 at 09:59 -0400, Russell Handorf wrote:
> Greetings all,
> 
> I'm working on attempting to get SAMBA to work with a product line 
> called CryptoCard. I *should* be able to get it to work one of two ways, 
> either through the use of CryptoCard's provided PAM module, or through 
> RADIUS authentication.
> 
> Currently, I cannot seem to get PAM authentication to work at all. This 
> is what is in the 'samba' file for PAM:
> auth       required     /lib/security/pam_cap_auth.so server=<insertSERVERipHERE>:624 noeus debug echo
> auth       requires     /lib/security/pam_nologin.so
> account    required     /lib/security/pam_stack.so service=system-auth
> account    required     /lib/security/pam_permit.so
> session    required     /lib/security/pam_stack.so service=system-auth
> session    optional     /lib/security/pam_console.so
> password   required     /lib/security/pam_stack.so service=system-auth
> 
> And for the smb.conf file I have the all important setting of 'encrypt 
> passwords = No' to enable PAM authentication
> 
> When attempting to authenticate locally, from the server to the server, 
> I get:
> smbclient -U rhandorf -L \\\\localhost
> Password:
> session setup failed: NT_STATUS_UNSUCCESSFUL
> 
> and in the error logs I get:
> [2006/09/18 13:42:36, 0] auth/pampass.c:smb_pam_auth(535)
>   smb_pam_auth: PAM: UNKNOWN ERROR while authenticating user rhandorf
> [2006/09/18 13:42:36, 0] auth/pampass.c:smb_pam_passcheck(810)
>   smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User rhandorf !

You need a lot more logs.
What I can't understand is how you are supposed to pass credential
authentication via smbclient, are you sending the Smartcard PIN in the
clear over the wire?

> I've looked around to see whether or not SAMBA supports RADIUS 
> Authentication, and I haven't seen any documentation that totally says 
> 'yes.'

No. Makes no sense to support any clear text based authentication except
for the historical support for PAM with clear text passwords.

> Asking the vendor yielded the response of "SAMBA then isn't PAM aware; 
> We'd like to support it, but until it is PAM aware we won't."

As you can see we call the PAM stack, tell your vendor to try harder :-)

> Any help would be great.

I don't think PAM is the way to support SmartCard authentication via
Samba.

Simo.
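
A pre-flight lint for the two files discussed in this thread, as an added example that is not part of the original messages or of Samba: it checks a PAM service file for module types and control keywords that Linux-PAM does not define, and reports whether smb.conf has switched password encryption off. The function names `lint_pam` and `cleartext_enabled` are hypothetical, and the sample inputs are constructed from the quoted configuration with the mail-wrapped first line rejoined.

```python
# Control keywords Linux-PAM defines for the simple (non-bracket) syntax.
VALID_CONTROLS = {"required", "requisite", "sufficient", "optional", "include", "substack"}
VALID_TYPES = {"auth", "account", "session", "password"}

# Constructed sample: the service file quoted in the thread, first line rejoined,
# server address left as the poster's placeholder.
SAMPLE_PAM = """\
auth       required     /lib/security/pam_cap_auth.so server=<insertSERVERipHERE>:624 noeus debug echo
auth       requires     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_permit.so
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so
password   required     /lib/security/pam_stack.so service=system-auth
"""
SAMPLE_SMB = "[global]\n   encrypt passwords = No\n"


def lint_pam(text):
    """Return (line_number, message) findings for a PAM service file."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split(None, 2)  # type, control, module path + arguments
        if len(fields) < 3:
            findings.append((n, "incomplete rule: " + line))
            continue
        mtype, control = fields[0].lstrip("-"), fields[1]  # "-type" is allowed
        if mtype not in VALID_TYPES:
            findings.append((n, "unknown module type '%s'" % mtype))
        if not control.startswith("[") and control not in VALID_CONTROLS:
            findings.append((n, "unknown control flag '%s'" % control))
    return findings


def cleartext_enabled(smb_conf):
    """True if smb.conf sets 'encrypt passwords' to a false value."""
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if line.startswith(("#", ";")) or "=" not in line:
            continue
        key, value = (part.strip().lower() for part in line.split("=", 1))
        if " ".join(key.split()) == "encrypt passwords":
            return value in {"no", "false", "off", "0"}
    return False
```

A `True` result from `cleartext_enabled` means the client is expected to send the password unencrypted, which is the exposure the reply asks about.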


