Custom PAM module to use in Samba
iwan.daniel at gmail.com
Mon Jul 9 14:22:01 UTC 2018
Thanks for your reply, Rowland
My answers inline
> > I have a backend service which stores user account and passwords.
> What is this backend service ?
Custom-written software with (among other things) user management,
authentication and authorization functionality built in.
The API is exposed through REST over HTTPS.
> > It allows authentication of the users provided login & plain password.
> > Passwords are stored as strongly hashed with salt so no easy way for
> > reverse them.
> Hmm, I 'think' when you say 'plain' password, you mean a normal login
> i.e. the user just types their password and if correct, they are logged
That is correct. The user enters login & password. For my service to do that,
it needs to know the login and the clear-text form of the password rather than
its hashed form.
The hash of the password is calculated and compared with the one stored in the DB.
I think the clear password is never sent over the wire by the SMB client to Samba
in the first place.
> > Issue here is using that PAM module in Samba, and compatibility with
> > NTLM or older versions of protocols.
> If you are still using anything older than NTLMv2, then can I suggest
> you find a way to use a more secure authentication method.
> > Also by the look of it Samba is not really PAM compliant due to
> > incompatibility between PAM and SMB protocol.
> > Winbind works probably because LDAP or AD stores the password's NT hash
> > (I'm assuming here).
> Samba and PAM do work, you just have to set them up correctly.
I think there is a setting
*encrypt passwords = yes*
which affects whether PAM auth is bypassed or not.
And another one,
*obey pam restrictions = yes*
which I'm not sure at the moment what restrictions it applies to.
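The following smb.conf fragment is an added illustration and is not configuration from the original post or from the Samba project's own documentation set; it shows the two parameters discussed above side by side, with what each one controls according to smb.conf(5). The commented-out `encrypt passwords = no` line is included only to show the one mode in which smbd would hand a clear-text password to a PAM auth module; whether that mode is still accepted at all depends on the Samba version in use (an assumption to verify against the man page shipped with your build), and modern SMB clients refuse to send plain-text passwords by default anyway.

```ini
# Added example, not the original poster's configuration. Illustrates the
# interaction between "encrypt passwords" and "obey pam restrictions".
[global]
    # Default in current Samba. Clients authenticate with NTLM/NTLMv2
    # challenge-response (or Kerberos), so smbd never receives the
    # clear-text password. smb.conf(5) states that Samba "always ignores
    # PAM for authentication in the case of encrypt passwords = yes":
    # a PAM module that needs the clear-text password is never consulted.
    encrypt passwords = yes

    # Does NOT route password checking through PAM. It only controls
    # whether smbd honours the PAM *account* and *session* stacks
    # (e.g. pam_access, pam_time, pam_limits) for a user that has already
    # been authenticated against passdb or via winbind/Kerberos.
    # Default is "no".
    obey pam restrictions = yes

    # Assumption: only with plain-text (SMB1) authentication does smbd
    # pass login + clear-text password to the PAM auth stack. Availability
    # of this mode is version dependent; check smb.conf(5) for your build.
    ; encrypt passwords = no
```

To confirm the values smbd will actually use, including defaults you did not set explicitly, run `testparm -sv | grep -i -e 'encrypt passwords' -e 'obey pam restrictions'` on the server.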
More information about the samba-technical