Custom PAM module to use in Samba
rpenny at samba.org
Mon Jul 9 13:46:09 UTC 2018
On Mon, 9 Jul 2018 14:31:04 +0100
Daniel Iwan <iwan.daniel at gmail.com> wrote:
> I have a backend service which stores user account and passwords.
What is this backend service ?
> It allows authentication of the users provided login & plain password.
> Passwords are stored strongly hashed with salt, so there is no easy way
> to reverse them.
Hmm, I 'think' when you say 'plain' password, you mean a normal login
i.e. the user just types their password and if correct, they are logged
> I would like those accounts, or at least some of them to have access
> to Samba shares.
> For that reason I was thinking of using custom PAM module which would
> send credentials (login,pwd) over secure connection to my
> authentication service.
Which is ?
> Issue here is using that PAM module in Samba, and compatibility with
> NTLM or older versions of protocols.
If you are still using anything older than NTLMv2, then can I suggest
you find a way to use a more secure authentication method.
> Also by the look of it Samba is not really PAM compliant due to
> incompatibility between PAM and SMB protocol.
> Winbind works probably because LDAP or AD stores passwords as NT Hash
> (I'm assuming here).
Samba and PAM do work, you just have to set them up correctly.
> Would it be possible to hook into winbind somehow to hand off the
> authentication part to my service?
Very probably, but we don't know what your backend service is.
More information about the samba-technical