AuthRewrite Possbilities (was Re: Alternative Auth Methods.)

Andrew Bartlett abartlet at pcug.org.au
Thu Nov 1 01:11:01 GMT 2001 

There seems to be a constant babble as people want to do interesting
things with Authentication.  I've been working in this area for quite
months now, and can now hold out some promise...

The task is not nearly as difficult as it used to be.  I have done a
large amount of work towards allowing this kind of thing (committed only
24 hours ago), so with a little more code it is quite possible.  (In
HEAD, where I am working).

There are a number of approaches, and a number of issues to be worked
out.

PASSDB:
The best approach is the 'passdb' approach, where you write a custom
passdb module, and that module queries the SQL database to get the
user's SAM_ACCOUNT, containing the various password hashes.  This is
then compared in the same way that a smbpasswd file is compared.

AuthRewrite Backend:
The other way is to write an authentication backend, (look at the code
in smbd/auth*.c) and to have it query the database/remote
server/whatever you like and return a SAM_ACCOUNT (and a few other
things) as fully filled out as possible.

For example, I think that it would be *very* neat to be able to send the
NTLM challange/response packet to a modified kerberos server, where they
could be checked.  This would give a single authentication database that
is much easier to keep tabs on.

There are *lots* of possibilities here - I've tried to create a flexible
(but sane) interface and I hope others can make good use of it.  In
particular it can change to meet the needs of developers.

The main issue with both these approaches is 'what local system user
should I become'?  If you intend to have local system users of the same
names, then it is trivial, other options include mapping all users to a
common guest account.

RESTRICTIONS:

A number of operating systems have 'account lockout/disabled' mechanisms
that samba currently doesn't honor.  I've been working with Edmund Lam
<epl at unimelb.edu.au> on Tru64 TCB (see patch 494 on
samba.org/samba-patches), but I know there must be others.  It is now
possible to add a simple amount of code to disable/restrict these users
in the same way /bin/login might.  We now have a single choke point -
check_password() - no login will be accepted except via this point.

Kerberos:

Currently kerberos support (which Samba HEAD now supports) is tacked on
the side.  This will be moved inside the authentication subsystem as
soon as I get a chance.

I know that a number of people are interested in this, so if you have
ideas or questions about how the code works, or proposed patches, give
me a yell.

Note that is work is only in the HEAD development branch and due to the
scale of the work *will not* be merged into the 2.2 series, it will
appear as Samba 3.0 whenever that appears.

Andrew Bartlett

Sean Elble wrote:
> 
> Jason,
> 
> This question has come up rather frequently lately, and probably should be
> added to a FAQ. Anyway, no functionallity exists in Samba to authenticate to
> a SQL database, and such an option would probably be a rather difficult
> piece of code to create. If this is truly what you want, you might want to
> look for a PAM module that allows you to authenticate to a SQL database, and
> then build Samba with PAM support, and use PAM through Samba to authenticate
> your Windows users. This isn't a perfect solution, as it requires you to use
> clear-text passwords, but it would indeed work. Hope that helps.
> 
> -----------------------------------------------
> Sean P. Elble
> Editor, Writer, Co-Webmaster
> ReactiveLinux.com (Formerly MaximumLinux.org)
> http://www.reactivelinux.com/
> elbles at reactivelinux.com
> -----------------------------------------------
> 
> ----- Original Message -----
> From: "Jason C. Leach" <jleach at mail.ocis.net>
> To: <samba at lists.samba.org>
> Sent: Wednesday, October 31, 2001 11:37 PM
> Subject: Alternative Auth Methods.
> 
> > hi,
> >
> > Are there any alternative authentication methods for Samba? Other
> > thank the smbpasswd file?  I'd like to do PostgreSQL or mySQL. Why?
> > Because I can do Exim/IMAP/POP3 Apache/Zope with SQL, if I could do
> > Samba it would wrap it up into one nice DB for authentication.
> >
> > It does not have to be much, just the ability to get the data from
> > a SQL query rather than a flat file query.
> >
> > Anyone interested in working on this if it does not exist?

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Samba Team member, Build Farm maintainer        abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net

More information about the samba-technical mailing list