Using Samba as a proxy authentication service?

David Bannon D.Bannon at
Mon Dec 4 22:12:48 GMT 2000

At 01:09 PM 04/12/2000 +0000, Mike Brodbelt wrote:
>I'd like to be able to use Samba (or samba services, at any rate) to
>allow me to authenticate users against NT Domain accounts from external
>programs. I know that PAM modules and suchlike exist for general logon
>authentication, but my situation is slightly different, and I'm not sure
>of the best way to take advantage of the existing support.

I would set up a PAM stack on the Samba box and then have your application
authenticate against that. I do so with a couple of CGIs, for example. So
you could have a web page that lets them run a CGI that switches the
vacation parameters. You would need appropriate security in addition to
PAM (the CGI receives the user's password in clear text), perhaps only
allowing requests from a particular IP subnet?

Here is pam.c that I link to my (c based) cgi's :

/*  PAM module to check username/password

cc pam.c -lpam -ldl

David Bannon, Sept 99
*/


#include <stdlib.h>
#include <string.h>

#include <security/pam_appl.h>

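/* Credentials handed to the PAM conversation callback through
 * pam_conv.appdata_ptr.  Both pointers are borrowed from the caller of
 * PamCheck; this struct does not own or free them.
 */
struct checkpw_cred {
  char *uname;			/* user name */
  char *pass;			/* password (clear text) */
};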

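/* Wipe and free a partially or fully built response vector.
 * The answers may hold a copy of the password, so each string is zeroed
 * through a volatile pointer before it is released.
 */
static void checkpw_discard (struct pam_response *reply, int count)
{
  int i;

  for (i = 0; i < count; i++) {
    if (reply[i].resp != NULL) {
      volatile char *p = reply[i].resp;
      while (*p != '\0') *p++ = '\0';
      free (reply[i].resp);
    }
  }
  free (reply);
}

/* PAM conversation function
 * Accepts: number of messages
 *	    vector of messages
 *	    pointer to response return
 *	    application data (a struct checkpw_cred *)
 * Returns: PAM_SUCCESS if OK, response vector filled in;
 *	    PAM_BUF_ERR if memory could not be allocated;
 *	    else PAM_CONV_ERR
 *
 * The PAM library frees the response vector and every resp string in it,
 * so each answer is a heap copy.  Handing back cred->uname / cred->pass
 * directly would make PAM free memory that belongs to the caller.
 */
static int checkpw_conv (int num_msg, const struct pam_message **msg,
			 struct pam_response **resp, void *appdata_ptr)
{
  int i;
  struct checkpw_cred *cred = appdata_ptr;
  struct pam_response *reply;

  if (num_msg <= 0 || msg == NULL || resp == NULL || cred == NULL)
    return PAM_CONV_ERR;

  /* calloc checks the count * size product and zero-fills, so every
   * resp starts out NULL and the cleanup path can free unconditionally. */
  reply = calloc ((size_t) num_msg, sizeof *reply);
  if (reply == NULL)
    return PAM_BUF_ERR;

  for (i = 0; i < num_msg; i++) {
    const char *answer = NULL;

    switch (msg[i]->msg_style) {
    case PAM_PROMPT_ECHO_ON:	/* assume want user name */
      answer = cred->uname;
      break;
    case PAM_PROMPT_ECHO_OFF:	/* assume want password */
      answer = cred->pass;
      break;
    /* NOTE(review): the label for the "no answer" branch is missing from
     * the posted listing; the two informational styles are assumed. */
    case PAM_TEXT_INFO:
    case PAM_ERROR_MSG:
      break;
    default:			/* unknown message style */
      checkpw_discard (reply, num_msg);
      return PAM_CONV_ERR;
    }

    reply[i].resp_retcode = PAM_SUCCESS;
    if (answer != NULL) {
      size_t len = strlen (answer) + 1;

      reply[i].resp = malloc (len);
      if (reply[i].resp == NULL) {
	checkpw_discard (reply, num_msg);
	return PAM_BUF_ERR;
      }
      memcpy (reply[i].resp, answer, len);
    }
  }

  *resp = reply;
  return PAM_SUCCESS;
}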

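/* Server log in
 * Accepts: user name string
 *	    password string
 *	    PAM service name (selects which PAM stack is run)
 * Returns: 1 if authentication, the account check and credential
 *	    establishment all succeeded; 0 otherwise
 *
 * The password stays in the caller's buffer; the caller should wipe it
 * once this function returns.
 */
int PamCheck (char *User, char *pass, char *AppName )
{
  pam_handle_t *hdl = NULL;
  struct pam_conv conv;
  struct checkpw_cred cred;
  int rc;

  if (User == NULL || pass == NULL || AppName == NULL)
    return 0;

  cred.uname = User;
  cred.pass = pass;
  conv.conv = &checkpw_conv;
  conv.appdata_ptr = &cred;

  /* A failed pam_start leaves no valid handle, so pam_end must not be
   * called on it. */
  rc = pam_start (AppName, User, &conv, &hdl);
  if (rc != PAM_SUCCESS)
    return 0;

  /* NOTE(review): flags of 0 leave accounts with an empty password to the
   * stack's own policy; consider PAM_DISALLOW_NULL_AUTHTOK. */
  rc = pam_authenticate (hdl, 0);

  /* The account check catches expired or locked accounts that still
   * present a correct password. */
  if (rc == PAM_SUCCESS)
    rc = pam_acct_mgmt (hdl, 0);

  /* NOTE(review): for a pure password check, establishing credentials may
   * be unnecessary; kept because a setcred failure is treated as a failed
   * check. */
  if (rc == PAM_SUCCESS)
    rc = pam_setcred (hdl, PAM_ESTABLISH_CRED);

  /* Report the real outcome of the last call to the modules. */
  pam_end (hdl, rc);
  return rc == PAM_SUCCESS;
}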

/* Dummy main function for stand alone testing.

void main(void) {
    if (PamCheck("davo", "xxxxxx", "testapp")) printf("Yep, positive\n");
    if (PamCheck("davo", "yyyyyy", "testapp") == 0) printf("Yep, negative\n");
}  */

David Bannon                      D.Bannon at
School of Biochemistry            Phone 61 03 9479 2197
La Trobe University, Plenty Rd,   Fax   61 03 9479 2467
Bundoora, Vic, Australia, 3083
..... Humpty Dumpty was pushed !
