PAM, samba, and syslog

Yan Seiner yan at cardinalengineering.com
Sat Jan 12 03:23:03 GMT 2002


Andrew Bartlett wrote:
> 
> I use the --with-utmp configure option (activated with utmp = yes in
> smb.conf) for this kind of thing.
> 

I've compiled samba --with-pam, --with-syslog, and --with-utmp; I'll play
with it for a while.

> > I am setting up a system where all users will log in to one samba
> > server, then access samba shares on another server.  All authentication
> > is being done against the first samba server using pam_smb_auth.
> 
> You should not do it that way.  Setup either security = server or
> security = domain between the two servers, but don't force clients down
> to plaintext just to refer logins.
> 
> (and set encrypt passwords = yes).

Is this that much of an added risk?  My users have the same password for
POP, and it's sent in the clear.  Asking them to maintain two passwords
is a little too much, and most win9x mail clients don't support secure
pop.

Also, I will shortly have DHCP set up to allow only known MAC addresses,
and the firewall opens only once the DHCP address is assigned, and
closes when the lease expires.

The reason I want to log samba logins to syslog is so I can allow access
to the file server only for authenticated samba users.  I can pipe samba
syslog messages to a script that will turn firewalling to the server on
and off based on authenticated logins.  I think I can do that with
pam_warn and obey pam restrictions = no, and still maintain encrypted
logins while getting a record in syslog.  Then it's a matter of piping
smbd syslog messages to a script that opens and closes the firewall.

My user accounts have no login shell on any of my servers, so even if an
account does get compromised, they still can't get shell access.  They
could, of course, wreak havoc in the files.  All login accounts use ssh.

So I guess this leads to the greater question of security in the real
world. How are others out there addressing this?

--Yan

-- 
Daddy, did all the hair that fell off your head stick to your arms?
Akari, age 4
 ... 
 oberon.cardhome.lan: 5:50am up 6 days, 10:09, 5 users, load average:
0.73, 0.24, 0.09
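The syslog-to-firewall script Yan sketches above, written out as an added example (it is not code from the original post, from Samba, or from Linux-PAM). The sample log lines are constructed for this example: their field layout follows the "function=[...] service=[...] ... rhost=[...]" shape of Linux-PAM's pam_warn module, but the host names, PIDs, users and addresses are invented, and whether a given Samba build routes session open/close through PAM at all depends on its PAM configuration and on obey pam restrictions, which the thread does not settle. The file-server address (192.168.1.10), the FORWARD chain and the SMB ports are assumptions; the script returns the iptables commands as strings rather than running them.

```python
import ipaddress
import re
from collections import Counter
from typing import Iterator, List, Tuple

# Constructed sample syslog output (not from the thread). Line shape mimics
# Linux-PAM's pam_warn; every name, PID and address here is invented.
SAMPLE_LOG = """\
Jan 12 03:20:01 oberon smbd[1234]: pam_warn(samba:auth): function=[pam_sm_authenticate] service=[samba] terminal=[<unknown>] user=[yan] ruser=[<unknown>] rhost=[192.168.1.20]
Jan 12 03:20:02 oberon smbd[1234]: pam_warn(samba:session): function=[pam_sm_open_session] service=[samba] terminal=[<unknown>] user=[yan] ruser=[<unknown>] rhost=[192.168.1.20]
Jan 12 03:20:05 oberon smbd[1234]: pam_warn(samba:session): function=[pam_sm_open_session] service=[samba] terminal=[<unknown>] user=[yan] ruser=[<unknown>] rhost=[192.168.1.20]
Jan 12 03:25:10 oberon smbd[1240]: pam_warn(samba:auth): function=[pam_sm_authenticate] service=[samba] terminal=[<unknown>] user=[guest] ruser=[<unknown>] rhost=[192.168.1.99]
Jan 12 03:26:00 oberon smbd[1241]: pam_warn(samba:session): function=[pam_sm_open_session] service=[samba] terminal=[<unknown>] user=[bob] ruser=[<unknown>] rhost=[192.168.1.30; iptables -F]
Jan 12 03:30:00 oberon smbd[1234]: pam_warn(samba:session): function=[pam_sm_close_session] service=[samba] terminal=[<unknown>] user=[yan] ruser=[<unknown>] rhost=[192.168.1.20]
Jan 12 03:35:00 oberon sshd[1300]: Accepted publickey for yan from 192.168.1.20 port 40122
Jan 12 03:40:00 oberon smbd[1234]: pam_warn(samba:session): function=[pam_sm_close_session] service=[samba] terminal=[<unknown>] user=[yan] ruser=[<unknown>] rhost=[192.168.1.20]
Jan 12 03:41:00 oberon smbd[1234]: pam_warn(samba:session): function=[pam_sm_close_session] service=[samba] terminal=[<unknown>] user=[yan] ruser=[<unknown>] rhost=[192.168.1.20]
"""

# Only smbd's pam_warn lines are of interest; everything else is ignored.
PAM_WARN_RE = re.compile(
    r"smbd\[\d+\]: pam_warn\([^)]*\): function=\[(?P<func>[^\]]*)\] "
    r"service=\[(?P<service>[^\]]*)\] terminal=\[[^\]]*\] user=\[(?P<user>[^\]]*)\] "
    r"ruser=\[[^\]]*\] rhost=\[(?P<rhost>[^\]]*)\]"
)

FILE_SERVER = "192.168.1.10"   # hypothetical address of the second (file) server
SMB_PORTS = "139,445"          # assumed SMB ports to open toward it

Event = Tuple[str, str, str]   # (pam function, user, client address)
Action = Tuple[str, str, str]  # ("allow" | "remove", client address, user)


def parse_events(lines) -> Iterator[Event]:
    """Yield (func, user, rhost) for smbd pam_warn lines whose rhost is a
    syntactically valid IP address. Log text ends up in a firewall command,
    so anything that is not a plain address is dropped rather than trusted."""
    for line in lines:
        m = PAM_WARN_RE.search(line)
        if not m:
            continue
        try:
            rhost = str(ipaddress.ip_address(m.group("rhost")))
        except ValueError:
            continue  # e.g. a shell-metacharacter payload in the rhost field
        yield m.group("func"), m.group("user"), rhost


def firewall_actions(lines) -> List[Action]:
    """Turn the log stream into allow/remove decisions keyed on client address.
    The firewall opens on the first open session from an address and closes
    when the last one ends; auth-stack events are ignored because pam_warn
    there fires on every attempt, successful or not."""
    open_sessions: Counter = Counter()
    actions: List[Action] = []
    for func, user, rhost in parse_events(lines):
        if func == "pam_sm_open_session":
            if open_sessions[rhost] == 0:
                actions.append(("allow", rhost, user))
            open_sessions[rhost] += 1
        elif func == "pam_sm_close_session":
            if open_sessions[rhost] == 0:
                continue  # close with no recorded open (e.g. after a restart)
            open_sessions[rhost] -= 1
            if open_sessions[rhost] == 0:
                actions.append(("remove", rhost, user))
    return actions


def iptables_command(action: str, rhost: str, server: str = FILE_SERVER) -> str:
    """Render one decision as an iptables command (assumed FORWARD chain)."""
    flag = {"allow": "-I", "remove": "-D"}[action]
    return (f"iptables {flag} FORWARD -s {rhost} -d {server} "
            f"-p tcp -m multiport --dports {SMB_PORTS} -j ACCEPT")


if __name__ == "__main__":
    for action, rhost, user in firewall_actions(SAMPLE_LOG.splitlines()):
        print(f"# {user}@{rhost}: {action}")
        print(iptables_command(action, rhost))
```

Run against the sample, the script opens the firewall for 192.168.1.20 on yan's first session, keeps it open across the second session and the first close, removes it after the last close, and ignores the auth-only attempt from 192.168.1.99, the unrelated sshd line, the stray extra close, and the rhost field carrying shell text. Two caveats a deployment would need: the rule is keyed on the client's IP address, so anything else on that address (including a host that has taken over a known MAC) gets the same access; and the script's session counts live only in memory, so on restart it should flush its own rules and rebuild from utmp or the log rather than trust its empty table.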