pam_smb authentication

Tom Hallewell hallewellt at rfa.org
Sun Apr 11 16:36:30 GMT 1999


I am appending some documentation by my colleague Bill Eldridge that was
actually written for our dial-up service, but should work for your
purposes as well.  A couple of notes.

1.) The user must exist in /etc/passwd on the Samba machine or login to
the Samba box will fail.

2.) In the example, we don't set up home directories for the users; we
are using it for dial-in and they usually want to store their data on
the local machine, saving to their directories on the NT server if
necessary.  So if you use Bill's script to add users, you may want to
change it to explicitly create home directories for your users.  Judging
from your setup, you don't have an existing Linux machine to copy
accounts from, but it shouldn't be too hard to figure out a script to steal the
user names from NT or any database that contains all your usernames.
Otherwise, I guess you'll have to add everyone in by hand...

3.) Once you have pam_smb running, you can also change any existing
users on the Samba box to authenticate through NT by deleting their
hashed password in /etc/passwd and changing it to a "*".  As the
administrator, you will want to do this to your account for testing
purposes, otherwise you will continue to authenticate normally under PAM
and not understand why nobody else's is working.  Trust me, it'll save
you a lot of unnecessary worries later.  You forget after a couple of
months that your account authenticates differently than your users and
you start thinking everyone else's Windows is broken!

I have also heard that NIS and NIS+ support domain-wide pam_smb
authentication, but haven't run it; perhaps someone on this list knows
more about this... When the new glibc5 libs are stable and NIS+ a wee
bit more reliable, we're going to give that a go.
Tom Hallewell
hallewellt at rfa.org
Radio Free Asia
Washington DC, USA

BEGIN ATTACHED MESSAGE

Bill Eldridge
Radio Free Asia

970726

(Section on configuring ppp omitted)

The problem with this password setup is that we already have user
accounts set up on both the NT Domain and the Linux mail
server. It would be nice not to have to re-enter all this information
over again, especially since it has to be done interactively,
verifying each password by retyping, rather than entering a load of
passwords at one time in a file.

Unix has one method called "yp" (or "Yellow Pages" before the phone
company sued Sun) for sharing user information between
machines. However, the method we’ve chosen is to use a part of Samba to
interact with the NT Domain and verify users.
Normally, Linux uses PAM (Pluggable Authentication Modules) to check
logins. By setting up Samba to participate in the NT
Domain (see the paper on Samba), we can pass login info for PPP through
PAM and off to the NT Domain Controller,
RFAServer1. This is handled via the pam_smb.rpm package available at:

http://www.csn.ul.ie/~airlied/pam_smb/

http://samba.gorski.net/samba/ftp/pam_smb/

http://samba.gorski.net/samba/ftp/

Once installed with "rpm -Uvh pam_smb.rpm", configuration is handled by
changing the PAM login and ppp information in /etc/pam.d

/etc/pam.d/login:

          auth       required   /lib/security/pam_securetty.so
          auth       required   /lib/security/pam_smb_auth.so                # Added
          #auth      required   /lib/security/pam_pwdb.so shadow nullok      # Deleted
          auth       required   /lib/security/pam_nologin.so
          account    required   /lib/security/pam_pwdb.so
          password   required   /lib/security/pam_cracklib.so
          password   required   /lib/security/pam_pwdb.so shadow nullok use_authtok
          session    required   /lib/security/pam_pwdb.so

/etc/pam.d/ppp:

          #%PAM-1.0
          auth       required   pam_nologin.so
          auth       required   /lib/security/pam_smb_auth.so    # Added
          #auth      required   pam_pwdb.so shadow nullok        # Deleted
          account    required   pam_pwdb.so
          session    required   pam_pwdb.so

The Samba information stays the same:

/etc/pam.d/samba:

          auth       required   /lib/security/pam_pwdb.so nullok shadow
          account    required   /lib/security/pam_pwdb.so

Now PPP goes to PAM to verify the login info, and PAM passes that info
on to the pam_smb_auth.so library, which sends the
info across the network to RFAServer1. Or it would do that IF we had
changed the password in /etc/passwd to a ‘*’ –
otherwise, the scheme uses the existing Linux password. So we would
change the user entry to look like:

mondalep:*:524:525::/home/mondalep:/bin/bash

But since we no longer care about the user logging in, we can disable
that capability as well by providing a fake home and shell:

mondalep:*:524:525::/nologin:/bin/false

At this point, the user must exist on the NT Server, or PPP will fail
and the modem will hang up. Since we've now replaced real
passwords with asterisks, we no longer have to run the passwd command –
we can set up accounts like:

/usr/sbin/adduser -p "*" -d "/nologin" -s "/bin/false" mondalep

I can then take the password file from our Linux mail server, where all
users are already set up, and using vi, eliminate all info except the
user names with:

:1,$s/:.*//    # From line 1 to end, find the string colon plus 0 or more
               # characters, and substitute nothing.

Eliminating the root accounts and a few others (those in the first 10
lines or so), I save this file as "scottypasswd". Then I use the
bash shell "for" loop to handle everything:

for name in `cat scottypasswd`; do
    /usr/sbin/adduser -p "*" -d "/nologin" -s "/bin/false" "$name"
done

Aside from some issues for making NT Domain browsing work, this allows
mail and Web browsing dialin from home.
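As an added example, not part of Tom's message or Bill's document: a small POSIX shell script that does the same username harvesting and account locking as the vi substitution and the adduser loop above, but as functions you can check before touching a real system. It goes a step beyond the original by selecting ordinary users by UID instead of by deleting "the first 10 lines or so" by hand, by rewriting an existing passwd line to the "*" / /nologin / /bin/false form, and by emitting the adduser commands rather than running them (they need root). Assumptions: UID 500 and up marks ordinary users (the Red Hat convention of the time), and adduser accepts useradd's -p/-d/-s flags as in Bill's command. The passwd lines are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original message. Harvest user names from an
# existing passwd file and prepare pam_smb-only accounts (password "*",
# no home, no shell) without running anything as root.
# Assumption: UID >= 500 identifies ordinary (non-system) accounts.

# Constructed sample standing in for the mail server's /etc/passwd.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
nobody:x:99:99:Nobody:/:/bin/false
mondalep:x:524:525::/home/mondalep:/bin/bash
eldridgeb:x:525:525::/home/eldridgeb:/bin/bash
hallewellt:x:526:525::/home/hallewellt:/bin/tcsh'

# Print the login names of ordinary users (UID >= 500), one per line.
# This replaces the ":1,$s/:.*//" plus "delete the first 10 lines" step
# with a UID test, so system accounts are skipped wherever they sit.
extract_users() {
    printf '%s\n' "$1" | awk -F: '$3 >= 500 { print $1 }'
}

# Rewrite one passwd line so the account can only authenticate through
# pam_smb: password field "*", home /nologin, shell /bin/false.
# Field 5 (GECOS) is left as found; everything else is preserved.
lock_entry() {
    printf '%s\n' "$1" | awk -F: -v OFS=: '{ $2 = "*"; $6 = "/nologin"; $7 = "/bin/false"; print }'
}

# Return success only if a passwd line is in the locked form: seven
# fields, password "*", and a shell that cannot log in.
is_locked() {
    printf '%s\n' "$1" | awk -F: 'NF == 7 && $2 == "*" && $7 == "/bin/false" { ok = 1 } END { exit !ok }'
}

# Emit (do not execute) the adduser command for every ordinary user in
# the given passwd data; pipe the output to sh as root when satisfied.
adduser_commands() {
    for name in $(extract_users "$1"); do
        printf '/usr/sbin/adduser -p "*" -d "/nologin" -s "/bin/false" %s\n' "$name"
    done
}

# Stand-alone run: show the harvested names and the commands they produce.
extract_users "$SAMPLE_PASSWD"
adduser_commands "$SAMPLE_PASSWD"
lock_entry 'mondalep:x:524:525::/home/mondalep:/bin/bash'
```

Review the emitted commands before feeding them to a shell; the UID cut-off is the only thing standing between a system account and a locked login, so adjust it to match the source machine.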
