PAM w/ OPIE

MCCALL,DON (HP-USA,ex1) don_mccall at hp.com
Thu Jan 17 14:34:04 GMT 2002 

Hi Robert,
Samba doesn't use the pam modules for unencrypted password authentication
UNLESS you configure/make samba with the option --with-pam.  Otherwise, it
just gets the password entry via getpwnam/getpwent and uses crypt/bigcrypt
to one way encrypt the plaintext password it is passed and compare it with
what comes back from getpwent/getpwnam...
So the minimum you'd need to get this working is to remove the config.cache,
and rerun configure --with-pam  and do another make to get new binaries.
There may be other subtlies I am not aware of as well...
Hope this helps,
Don

-----Original Message-----
From: Robert Flemming [mailto:flemming at spiralout.net]
Sent: Thursday, January 17, 2002 5:13 PM
To: samba at lists.samba.org
Subject: PAM w/ OPIE


It seems I may be the first to try, but has anyone had any experience in
setting up Samba as a PDC then using the OPIE modules for PAM to try and
setup
an NT domain that requires one time passwords?  Now that you've all answered
no, here's where I'm at.  Samba is up and running as a PDC and functioning
using /etc/passwd and unencrypted passwords, that part I know is good.
After
switching pam_opie.so to required from sufficient things fall apart and
authentication no longer works.  However the catch is I know PAM is passing
things off to the opie module and that it is succeeding because
/etc/opiekeys
shows the sequence number decreasing which would not happen had
authentication
not succeeded.  Turning on debugging for Samba shows a basic password type
failure:

[2002/01/17 21:49:34, 0] passdb/pampass.c:smb_pam_passcheck(828)
  smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User flemming !

I'm not sure where to go with this since it is kind of obscure, but the
individual components are nothing too odd and putting them together should
just work.  The silly part is it looks like it is working and the problem is
internal to Samba.  Any thoughts or tips are appreciated.

Robert

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

More information about the samba mailing list