Samba and PAM [ Re: VFS Implementation and user authentication ]

[David Lee]

On Fri, 8 Sep 2000, Steve Langasek wrote:

> I remember looking a while back at the possibility of moving NTLM
> authentication into a PAM module for Samba, and I concluded that it wasn't
> really worth trying to do just for the sake of pamification.  The problem,
> IIRC, wasn't so much a need for PAM to be given the plaintext password as it
> was the fact that there's simply nothing "pluggable" about this arrangement,
> at least with the existing PAM API.  A PAM module could be written that uses
> lanman challenge/response for authentication... but the module would be
> specific to Samba, and no other modules could be stacked with it meaningfully
> because they would have no opportunity to interact with the user.

[ Sorry for the delay in this reply. ]

I confess to floundering a little here, even to frame the right questions.

It still seems to me that it would be useful for Samba to be able to use 
PAM to authenticate NT clients.

Suppose (and this is more than hypothetical) one has a UNIX (Solaris) 
system using typical UNIX authentication within itself.  One then adds
lots of client PCs onto which users wish to map their UNIX home directory,
using their UNIX identifier and password.  (That is, there is logically a
single id/pw combination across UNIX and the PCs.)

As described, this requires that plaintext passwords be enabled on the
PC, to allow use (via Samba) of the UNIX crypt(3) against the UNIX
password/shadow file.  The whole of the world, quite rightly, is moving
away from plaintext-over-the-wire, but the above requirements run counter
to this, forcing us back to plaintext.

My idea is to set up, and use PAM to maintain, a parallel file (probably
very similar to "smbpasswd"!).  That is, the user's password is stored
twice: once in the traditional UNIX password/shadow/crypt(3) model, the
other in smbpasswd.  This way, both UNIX and the PCs can, from the user's
perspective, operate with a single logical password (which is maintained 
behind the scenes in two parallel locations, in two parallel encryptions,
from two PAM modules).

Instead of "/etc/pam.conf" having:

   login   auth      required    /usr/lib/security/pam_unix.so.1
   ...
   other   password  required    /usr/lib/security/pam_unix.so.1

it might have something like:

   samba   auth      sufficient  /usr/lib/security/pam_samba.so.1
   login   auth      required    /usr/lib/security/pam_unix.so.1
   ...
   other   password  requisite   /usr/lib/security/pam_unix.so.1
   other   password  required    /usr/lib/security/pam_samba.so.1

(There's probably some missing or erroneous detail above, such as perhaps
using a "use_first_pass" on the last line (if its opposite made sense).)

[ Theoretically, I suppose, one could take it a stage further: ditch
pam_unix, and have UNIX doing its own authentication and password
management via NT-style encryption!  But let's not let that distract us. ]


Summing up: having a pam_samba module (call it pam_ntlm or whatever) 
would seem to be a most useful option for some sites.

Or have I completely and utterly misunderstood something fundamental?

(A completely different alternative: does anyone know whether such
authentication ("lanman challenge/response"?) is possible against an LDAP
server?  That is, PC maps drive from UNIX, which itself uses pam_ldap;
could LDAP (e.g. OpenLDAP) handle lanman challege/response?

Apologies again for not knowing how to frame these questions.

-- 

:  David Lee                                I.T. Service          :
:  Systems Programmer                       Computer Centre       :
:                                           University of Durham  :
:  http://www.dur.ac.uk/~dcl0tdl            South Road            :
:                                           Durham                :
:  Phone: +44 191 374 2882                  U.K.                  :