Samba and PAM

Andrew Bartlett abartlet at pcug.org.au
Thu Apr 5 10:03:11 GMT 2001


Matthew Geddes wrote:
> 
> Martin Sheppard wrote:
> 
> > >I believe Samba only uses PAM for the Unix account side of things (i.e.,
> > >not authentication, but permissions and RID mapping). Unless you have
> > >configured Samba and all of your Windows machines to not encrypt
> > >passwords. All of this is explained in detail in a text file in the
> > >Samba documentation, I believe.
> >
> > PAM has nothing to do with permissions or RID mapping.
> 
> Each Samba user is required to have a Unix account on the box in
> question. Usually, this is the passwd file, but if I enable --with-pam,
> I can then have the same data in an LDAP directory instead (for
> example). Given that all of this is happening on machines with encrypted
> passwords, why would that be necessary? I was under the impression that
> Samba uses this stuff for file system permissions.

Samba needs to do two things: it needs to determine who you are, and that
you are in fact authentic, and it needs to determine that you have the
right to access a particular file.

Either PAM or encrypted passwords will do for checking identity, but
they don't help figuring out what files you can access.  This is done by
the kernel - Samba just sets its effective user-id to the appropriate
user and accesses the file; it's up to the kernel to work out the
permissions.

> 
> > Samba will use PAM
> > for authentication when possible, which is only if you have configured it
> > not to use encrypted passwords. If you have encrypted passwords turned on
> > then Samba doesn't have access to the plaintext of the password and so it
> > can't pass the password on to the PAM module.
> 
> Correct.
> 
> Matt

Just one note here: if you somehow send a plain-text password to Samba
(i.e. with smbclient), it will always be checked via PAM/system password
db, even with encrypted passwords turned on.

-- 
Andrew Bartlett
abartlet at pcug.org.au
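
The split described in the message above (identity is established first, then the process switches its effective user ID and the kernel enforces the file permissions), as an added C example. It is not Samba's code and not part of the original message; `open_as_user` is a hypothetical helper, and switching to a different user assumes the process was started as root.

```c
/* Added example (not Samba source): switch effective IDs, then let the
 * kernel make the access decision in open(2). */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Try to open `path` with effective identity uid:gid, then restore the
 * caller's identity. Returns 0 if the kernel allowed the open, else -errno.
 * A real server must also switch supplementary groups (setgroups). */
int open_as_user(uid_t uid, gid_t gid, const char *path, int flags)
{
    uid_t saved_uid = geteuid();
    gid_t saved_gid = getegid();
    int result = 0;

    /* Group first: once euid is non-root we may no longer change egid. */
    if (setegid(gid) != 0)
        return -errno;
    if (seteuid(uid) != 0) {
        result = -errno;
        if (setegid(saved_gid) != 0) abort();
        return result;
    }
    int fd = open(path, flags);  /* kernel checks mode bits against euid/egid */
    if (fd < 0)
        result = -errno;
    else
        close(fd);

    /* Restore identity; failing to regain it must be fatal, never ignored. */
    if (seteuid(saved_uid) != 0 || setegid(saved_gid) != 0)
        abort();
    return result;
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s <uid> <gid> <path>\n", argv[0]);
        return 2;
    }
    int r = open_as_user((uid_t)atoi(argv[1]), (gid_t)atoi(argv[2]), argv[3], O_RDONLY);
    printf("%s: %s\n", argv[3], r == 0 ? "allowed" : strerror(-r));
    return r == 0 ? 0 : 1;
}
```

Run as root against a mode 0600 file owned by another account, the helper returns `-EACCES` for any unprivileged uid, whichever way that user's password was verified.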




More information about the samba-technical mailing list