Samba over SSH and pam_smb

Greg Kopp gkopp at gregkopp.com
Tue Mar 6 21:21:09 GMT 2001


I have an interesting situation for which I am searching for a solution.

I want to use pam_smb for authenticating SSH connections to a remote server.
The Domain Controller I want to authenticate against is a Win NT 4.0 box
located on our internal lan.

An idea was given to me to set up an SSH tunnel and forward the relative
ports across the internet to a local machine.

All of my machines are RedHat Linux. Some are 6.2, others are 7.0.

I have set up SSH to work without passwords.

I am trying all of this from a bash shell for now. I will automate it when
the time comes.

I open the SSH tunnel to a linux box on my LAN:

[root@remote /]# ssh -L137:nt4.domain.com:137 -L138:nt4.domain.com:138 -L139:nt4.domain.com:139 linux.domain.com

Now, if I execute:

[root@remote /]# smbclient -U user -L NT4 -I 127.0.0.1

WHERE: NT4 is the NetBIOS name of the NT domain controller

I get:

SSL: Error error setting CA cert locations: error:00000000::lib(0) :func(0) :reason(0)
trying default locations.
added interface ip=xxx.xxx.xxxx bcast=xxx.xxx.xxx.xxx nmask=255.255.255.192
Password:
Domain=[COMPANY] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]

        Sharename      Type      Comment
        ---------      ----      -------
        NETLOGON       Disk      Logon server share
        ADMIN$         Disk      Remote Admin
        IPC$           IPC       Remote IPC
        HP2000C        Printer   HP 2000C Printer
        C$             Disk      Default share
        E$             Disk      Default share
        FP-D250        Printer   Panasonic FP-D250
        print$         Disk      Printer Drivers
        Archives       Disk

        Server               Comment
        ---------            -------
        GKOPP
        NT4
        SCANSTATION          scanner computer

        Workgroup            Master
        ---------            -------
        COMPANY              NT4

So, it would appear that the tunnel is indeed working.

BUT, I can't seem to get pam_smb to agree.

If I put this into /etc/pam_smb.conf:
COMPANY
NT4
NT4

And this into /etc/pam.d/sshd:
#%PAM-1.0
auth       sufficient   /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_smb_auth.so debug
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0077
session    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_limits.so

Authentication fails. Here is a sample of my /var/log/secure:

Mar  6 16:48:36 ds9 sshd[7007]: pam_smb: Local UNIX username/password check incorrect.
Mar  6 16:48:36 ds9 sshd[7007]: pam_smb: Configuration Data, Primary NT4, Backup NT4, Domain COMPANY.
Mar  6 16:48:39 ds9 sshd[7007]: pam_smb: Local UNIX username/password check incorrect.
Mar  6 16:48:39 ds9 sshd[7007]: pam_smb: Configuration Data, Primary NT4, Backup NT4, Domain COMPANY.

I even tried putting "localhost" and "127.0.0.1" as the primary and/or
backup domain controllers. I get the same results.

I know that this works, because I have this working just fine on the linux
box mentioned above that is on our LAN.

I have looked into solutions like PPP over SSH, but I understand that is
unstable. IPsec and CIPE appear to be extremely complicated to set up, but
may be better solutions in the long run as I wouldn't mind having the SAMBA
shares on remote.company.com show up on the LAN in Network Neighborhood.

I would appreciate any help you might be able to give.

Greg
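
Added example, not part of the original post: `ssh -L` forwards TCP connections only, while the NetBIOS name service (137) and datagram service (138) normally run over UDP, so of the three forwards in the command above only 139, the session service that `smbclient -I 127.0.0.1` connects to, is carried. The sketch below builds the RFC 1002 name query for NT4 and sends it as UDP to a loopback TCP listener standing in for the ssh forward; the function names, transaction id and ephemeral port are assumptions made for the illustration.

```python
import socket
import struct

def nb_encode(name, suffix=0x20):
    """RFC 1001 first-level encoding: pad to 15 chars, append the suffix
    byte, then map each nibble to a letter 'A'..'P'."""
    raw = name.upper()[:15].ljust(15).encode("ascii") + bytes([suffix])
    return bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))

def nbns_query(name, txid=0x1234):
    """Unicast NetBIOS name query (RFC 1002), normally sent to UDP port 137."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    question = b"\x20" + nb_encode(name) + b"\x00"             # length-prefixed name
    return header + question + struct.pack(">HH", 0x0020, 0x0001)  # type NB, class IN

def tcp_listener_sees_udp(payload, timeout=0.5):
    """Open a TCP listener on loopback (stand-in for an 'ssh -L' forward),
    send payload as a UDP datagram to the same port number, and report
    whether the listener got anything to accept."""
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        tcp.bind(("127.0.0.1", 0))       # ephemeral port, no root needed
        tcp.listen(1)
        tcp.settimeout(timeout)
        udp.sendto(payload, ("127.0.0.1", tcp.getsockname()[1]))
        try:
            conn, _ = tcp.accept()
            conn.close()
            return True
        except socket.timeout:
            return False
    finally:
        udp.close()
        tcp.close()

if __name__ == "__main__":
    query = nbns_query("NT4")            # NetBIOS name taken from the post
    print(len(query), "byte name query:", query.hex())
    print("TCP forward received the UDP query:", tcp_listener_sees_udp(query))
```

On the real setup, `netstat -ln` on the remote box shows the same thing: the three forwards appear as TCP listeners on 127.0.0.1, with nothing bound on UDP 137 or 138.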




