Samba and PAM patches for PDC configuration

Bikram bikramjeet77 at yahoo.com
Sat Mar 15 02:47:20 GMT 2003


Hello,

I wanted to share with you all this patch for Samba
and PAM for configuring SAMBA as the PDC
authenticating Windows 98 users.
As a part of our project, I had worked on configuring
Samba as the primary domain controller and customizing
PAM authentication modules.

I had recompiled Samba version 2.2.2 and PAM version
0.75 installed on Redhat version 7.1.

Here is what I did to get it working:

After configuring the smb.conf file to share some
directories and setting Samba Server to run as the
PDC,
I modified some of the source files.

The next thing to do was to set Samba so that it would
not verify the passwords with the passwords saved in
the smbpasswd file.

All the user accounts are maintained in Oracle
Database Server.

So, whenever a user tries to browse the network and share
these directories, the dialog box comes up asking for
username and password.

Once the user submits username and password
information,
it gets routed to the PAM functions for
authenticating.

So, for us to authenticate the user accounts through
PAM modules with Oracle Server, we had to bypass some
functions that check the password with the encrypted
passwords stored in the smbpasswd file.

So now, after making these changes, once the username and
password are entered, the information goes to the PAM
modules without having to go through the routines that
check the smbpasswd file.

In the PAM modules, we intercepted the function call
and added code to retrieve the password from Oracle Server
for the user who is trying to connect and encrypt that
plain-text password with the same challenge that was
used to encrypt the password entered by the user.

Now, after encrypting the user password using
SMBENCRYPT functions, we compare these two passwords
and if a match is found we return PAM_SUCCESS, or else
PAM_AUTH_ERR.

I have attached two patch files:
One for PAM patch and
Second for Samba source patch.

Please find them as attached.

The patch information is as follows:

After you untar the PAM downloaded source archive,
go to the directory,
Linux-PAM-0.75/modules/pam_permit/ and run the
PAM_AUTH.patch.

For Samba patch, go to the directory:
samba-2.2.2/source and run the SAMBA_PDC.patch.

But you would not be able to use this patch as it is.
Once you apply this patch, you would have to go back
to the PAM source files and add your own code where
you can
call a Perl program or some other program, maybe, to
authenticate user accounts stored in an LDAP directory or
some database server, or it could be anything.

Actually, with LDAP it will be a very easy thing to do.
No extra efforts would be required to write SQL*NET
scripts to establish connection with remote database
server.

Thanks,

Bikram.

=====
Bikramjeet Singh Assal,
Phone: (270) 303-9533  (MOBILE), (270) 796-4975 (HOME)
Email: bikramjeet77 at yahoo.com.
Webpage: http://www.wku.edu/~assalbs/index.php

-------------- next part --------------
A non-text attachment was scrubbed...
Name: SAMBA_PDC.patch
Type: application/octet-stream
Size: 42519 bytes
Desc: SAMBA_PDC.patch
Url : http://lists.samba.org/archive/samba-technical/attachments/20030314/35669d37/SAMBA_PDC.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PAM_AUTH.patch
Type: application/octet-stream
Size: 36139 bytes
Desc: PAM_AUTH.patch
Url : http://lists.samba.org/archive/samba-technical/attachments/20030314/35669d37/PAM_AUTH.obj
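
The check the post describes (recompute the response from the stored plain-text password and the same challenge, then compare) looks like this as an added example; it is not taken from the post or its patches. HMAC-SHA256 stands in for Samba's SMBencrypt so the code runs with the standard library, and the ACCOUNTS table, function names and sample password are assumptions standing in for the Oracle lookup. It also makes visible that the account store has to hold the plain-text password for this scheme to work.

```python
import hashlib
import hmac
import secrets

# Linux-PAM return codes named in the post
PAM_SUCCESS = 0
PAM_AUTH_ERR = 7

# Constructed stand-in for the account table the post keeps in Oracle.
ACCOUNTS = {"alice": "Spring2003!"}
_DUMMY = "no-such-account"  # used only to keep timing uniform


def encrypt_response(password: str, challenge: bytes) -> bytes:
    """Stand-in for SMBencrypt: a keyed function of password and challenge."""
    return hmac.new(password.encode("utf-8"), challenge, hashlib.sha256).digest()


def new_challenge() -> bytes:
    """Fresh 8-byte server challenge, one per authentication attempt."""
    return secrets.token_bytes(8)


def authenticate(user: str, challenge: bytes, client_response: bytes,
                 accounts=ACCOUNTS) -> int:
    """Recompute the expected response from the stored password and compare."""
    stored = accounts.get(user)
    # Unknown users go through the same computation so the reply time
    # does not reveal whether the account exists.
    expected = encrypt_response(stored if stored is not None else _DUMMY,
                                challenge)
    match = hmac.compare_digest(expected, client_response)  # constant-time
    return PAM_SUCCESS if (stored is not None and match) else PAM_AUTH_ERR


if __name__ == "__main__":
    chal = new_challenge()
    good = encrypt_response("Spring2003!", chal)
    print(authenticate("alice", chal, good))             # correct password
    print(authenticate("alice", new_challenge(), good))  # old response, new challenge
    print(authenticate("mallory", chal, good))           # unknown account
```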

