Custom PAM module to use in Samba

Rowland Penny rpenny at samba.org
Mon Jul 9 14:43:45 UTC 2018


On Mon, 9 Jul 2018 15:22:01 +0100
Daniel Iwan <iwan.daniel at gmail.com> wrote:

> Thanks for your reply Rowland
> 
> My answers inline
> 
> 
> > > I have a backend service which stores user account and passwords.
> >
> > What is this backend service ?
> >
> 
> Custom written software with (among other things) user management,
> authentication, authorization functionality built-in.
> API is exposed through REST and HTTPS
> 
> 
> > > It allows authentication of the users provided login & plain
> > > password. Passwords are stored as strongly hashed with salt so no
> > > easy way to reverse them.
> >
> > Hmm, I 'think' when you say 'plain' password, you mean a normal
> > login i.e. the user just types their password and if correct, they
> > are logged in.
> >
> 
> That is correct. User enters login & password. For my service, to be
> able to authenticate
> it needs to know login and the clear text form of a password rather
> than its hashed form.
> Hash of the password is calculated and compared with the one stored in the db.
> I think the clear password is never sent over the wire by the SMB client to
> Samba in the first place.
> 
> > > Issue here is using that PAM module in Samba, and compatibility with
> > > NTLM or older versions of protocols.
> >
> > If you are still using anything older than NTLMv2, then can I
> > suggest you find a way to use a more secure authentication method.
> >
> > > Also by the look of it Samba is not really PAM compliant due to
> > > incompatibility between PAM and SMB protocol.
> > > Winbind works probably because LDAP or AD stores passwords as NT
> > > hashes (I'm assuming here).
> >
> > Samba and PAM do work, you just have to set them up correctly.
> >
> 
> I think there is a setting
> 
> *encrypt passwords = yes*

That is the default.

> 
> which affects whether PAM auth is bypassed or not

No it doesn't.

> 
> And another one
> *obey pam restrictions = yes*
> 
> Which I'm not sure at the moment what restrictions it applies to.

Even if you set this to 'yes', it will be ignored because 'encrypt
passwords' is set to 'yes'.

From what you have posted, it is very probable you could replace
everything you have now with a Samba AD domain.

Rowland
