Samba and PAM

Steve Langasek vorlon at netexpress.net
Fri Mar 30 22:40:45 GMT 2001


Hi Eric,

On Fri, 30 Mar 2001, Eric Reischer wrote:

> Actually, I'm probably trying to get from Philadelphia to New York via
> China here, because my end means is to be able to get samba to pass
> authentication requests to a kerberos4 server.  I found a PAM module for
> kerberos, but I just noticed that 2.2 has support for kerberos.  I'm a
> little fuzzy on one thing though....I'm confused as to what the
> "base-directory" is.  I read the definition in the Configuring Samba
> Chapter 2, but I still don't know what it's looking for in that
> directory.  Libraries, binaries, configuration files.......there's a
> separate folder for each of the above.

Unfortunately, all roads leading from Philadelphia to New York have been
destroyed; you can now only get from New York to Philadelphia, not the other
way around...

Neither PAM nor Kerberos is invoked when encrypted passwords are used between
the Windows client and the Samba server.  This is because encrypted passwords
are passwords that Samba can't /de/crypt -- which means you can't use them
with authentication methods that use other forms of encryption.  Since the
client-server protocol itself isn't Kerberized, the only way to authenticate
against a Kerberos server is for Samba to request a TGT from the KDC and
verify it... by decrypting it with the /plaintext/ password.  So the only
authentication mechanism Samba can use when using encrypted passwords is to
check against a private/smbpasswd file or equivalent (where 'equivalents'
include remote authentication against another SMB server).

Now, you could get your server to authenticate against your KDC by using
plaintext passwords between your clients and your Samba servers, but of course
that compromises the highly-touted security features of Kerberos.

The solution that we're gradually moving towards here is to have a box acting
as a combination KDC+PDC, with some tricks to keep passwords in sync between
the two databases, so that we have a single, centralized authentication server
(plus failover servers) for all services on our network.

Steve Langasek
postmodern programmer
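The constraint Steve describes, modelled as an added example (not code from the thread or from Samba): with encrypted passwords the server only ever sees a challenge and a keyed response and only ever stores a password-equivalent hash, so it can verify the logon but has no plaintext to hand to PAM or a KDC; only the plaintext path can reach the KDC. The hash functions, the NTLMv2-style HMAC-MD5 response and the Kerberos string2key stand-ins are simplifications chosen here, not Samba's or Kerberos's real algorithms.

```python
import hashlib
import hmac
import os

# Constructed stores. Real Samba 2.2 keeps the NT hash (MD4 over the UTF-16LE password)
# in smbpasswd; MD4 is not guaranteed in hashlib, so SHA-256 stands in for it here.
def nt_hash_standin(password: str) -> bytes:
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def string2key_standin(password: str) -> bytes:
    # Kerberos derives the user's long-term key from the plaintext password.
    return hashlib.sha256(b"krb5-standin|" + password.encode()).digest()

SMBPASSWD = {"eric": nt_hash_standin("correct horse")}
KDC_KEYS = {"eric": string2key_standin("correct horse")}

def client_response(password: str, challenge: bytes) -> bytes:
    """Encrypted-password logon: keyed MAC over the server challenge (NTLMv2-style, simplified)."""
    return hmac.new(nt_hash_standin(password), challenge, "md5").digest()

def smbpasswd_verify(user: str, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the response from the stored hash. Only the hash and the
    challenge/response pair are available, so the plaintext never exists on the server."""
    stored = SMBPASSWD.get(user)
    if stored is None:
        return False
    expected = hmac.new(stored, challenge, "md5").digest()
    return hmac.compare_digest(expected, response)

def kdc_verify(user: str, password: str) -> bool:
    """The Kerberos route: derive the key from the plaintext and check it against the KDC's key."""
    key = KDC_KEYS.get(user)
    return key is not None and hmac.compare_digest(key, string2key_standin(password))

def samba_authenticate(user: str, mode: str, credential) -> bool:
    """'encrypted': credential is (challenge, response); 'plaintext': the password itself.
    Only the plaintext path can reach the KDC, at the cost of the password on the wire."""
    if mode == "encrypted":
        challenge, response = credential
        return smbpasswd_verify(user, challenge, response)
    if mode == "plaintext":
        return kdc_verify(user, credential)
    raise ValueError(mode)

def encrypted_logon(user: str, typed_password: str) -> bool:
    challenge = os.urandom(8)           # server nonce sent to the client
    response = client_response(typed_password, challenge)
    return samba_authenticate(user, "encrypted", (challenge, response))
```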