[Samba] 'multi-layered' authentication

webster at lexmark.com
Thu Jan 22 23:20:30 GMT 2004


Thanks for the reply.
I am missing something(s) here, & I apologize for that.

You are saying that there is still no way to use PAM on a Samba
server for authenticating WindowsXP (requires encrypted) clients?

If that's the case, is there any way to do what I want?

Are you saying to use Samba's 'smbpasswd' file,
or something besides PAM, for the authentication,
but use PAM for the user account restriction?

Can I do encrypted authentication for Samba against an LDAP server
which I don't control (anonymous bind) ?


To:     webster at lexmark.com
cc:     Andrew Bartlett <abartlet at samba.org>, samba at lists.samba.org 
Subject:        Re: [Samba] 'multi-layered' authentication

On Thu, 2004-01-22 at 10:34, webster at lexmark.com wrote:
> Much thanks for the reply.
>
>
> Now, please tell me that this paragraph, from the description for
> 'obey pam restrictions' in smb.conf(5), is old (& false in Samba 3):
>
> "Note that Samba always ignores PAM for authentication in the case of
>  encrypt passwords = yes.  The reason is that PAM modules cannot
> support the challenge/response authentication mechanism needed
> in the presence of SMB password encryption."

This paragraph is correct (if slightly badly worded).  We honour account
and session modules, but not auth modules.

'pam password change' causes us to honour password modules, btw.

Andrew Bartlett
--
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
On Sat, 2004-01-17 at 07:00, webster at lexmark.com wrote:
> I need to allow [read] access to a Samba server using both IP filtering &
> UserIDs.
>
> For a given list of IP subnets, any user should have access.
> Outside these 'trusted' subnets, I need to do User authentication.
>
> I can handle the User authentication OK in several ways.
> However, I don't see any way to do the 'short circuit' allow for some IPs,
> then use User authentication after that.
> If I do a 'deny', in the InetD or in Samba, then the 'untrusted' subnets
> are denied, & not allowed to try logging-in .
>
> Any ideas?
>
> I originally thought that PAM would give me this functionality, but now I
> don't see it.
> Is PAM at all popular for Samba 'authentication' ?

You could set 'obey pam restrictions', and then write an 'account'
module that enforced these restrictions.  That assumes you want to always
require passwords, but only allow some particular accounts from the
untrusted IPs.

Andrew Bartlett
--
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
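As an added illustration of the design Andrew suggests (this is example code written for this page, not code from the thread, from Samba, or from Linux-PAM), here is the policy an 'account' module could enforce when smbd runs with 'obey pam restrictions = yes': any account from a trusted subnet is permitted, and from anywhere else only a short list of accounts is. The password check itself still happens in smbd against its passdb when 'encrypt passwords = yes', since PAM 'auth' modules are skipped; the account module only adds the restriction after a password has been accepted, which is exactly the "always require passwords" design described above. The subnet list, the user list, and the hostname "fileserver" are constructed sample data; the module name pam_smbnet used in the usage note is hypothetical; and the assumption that smbd sets PAM_RHOST to the client's address should be checked against your Samba version (if PAM_RHOST is absent or carries a hostname rather than an address, the client is treated as untrusted).

```c
/* Added example (not Samba's or Linux-PAM's code): access policy for a PAM
 * 'account' module used by smbd with 'obey pam restrictions = yes'.  Any user
 * from a trusted subnet is permitted (smbd has already checked the password);
 * from elsewhere only listed accounts are.  Sample data is constructed. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct subnet { uint32_t net; uint32_t mask; };   /* host byte order */

/* Constructed sample values: trusted client subnets and remote-capable users. */
static const char *const TRUSTED_SUBNETS[] = { "10.1.0.0/16", "192.168.20.0/24" };
static const char *const REMOTE_USERS[] = { "alice", "bob" };

/* Parse "a.b.c.d/n" (a bare address is taken as /32).  Returns 0 on success. */
static int parse_cidr(const char *cidr, struct subnet *out)
{
    char buf[INET_ADDRSTRLEN];
    const char *slash = strchr(cidr, '/');
    size_t len = slash ? (size_t)(slash - cidr) : strlen(cidr);
    struct in_addr a;
    long bits = 32;

    if (len >= sizeof buf)
        return -1;
    memcpy(buf, cidr, len);
    buf[len] = '\0';
    if (inet_pton(AF_INET, buf, &a) != 1)
        return -1;
    if (slash) {
        char *end;
        bits = strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || bits < 0 || bits > 32)
            return -1;             /* "10.0.0.0/" or "/99" is a config error */
    }
    out->mask = bits == 0 ? 0 : 0xFFFFFFFFu << (32 - bits);
    out->net = ntohl(a.s_addr) & out->mask;
    return 0;
}

/* 1 if rhost is an IPv4 address inside a trusted subnet, else 0.  A missing
 * or unparseable rhost (e.g. PAM_RHOST holding a hostname) fails closed. */
int from_trusted_subnet(const char *rhost)
{
    struct in_addr a;
    size_t i;

    if (rhost == NULL || inet_pton(AF_INET, rhost, &a) != 1)
        return 0;
    for (i = 0; i < sizeof TRUSTED_SUBNETS / sizeof TRUSTED_SUBNETS[0]; i++) {
        struct subnet s;
        if (parse_cidr(TRUSTED_SUBNETS[i], &s) != 0)
            continue;              /* a malformed entry grants nothing */
        if ((ntohl(a.s_addr) & s.mask) == s.net)
            return 1;
    }
    return 0;
}

/* The account decision: 1 = permit, 0 = deny. */
int account_permitted(const char *user, const char *rhost)
{
    size_t i;

    if (user == NULL || *user == '\0')
        return 0;
    if (from_trusted_subnet(rhost))
        return 1;
    for (i = 0; i < sizeof REMOTE_USERS / sizeof REMOTE_USERS[0]; i++)
        if (strcmp(user, REMOTE_USERS[i]) == 0)
            return 1;
    return 0;
}

#ifdef BUILD_PAM_MODULE
/* PAM entry point: build with -DBUILD_PAM_MODULE -shared -fPIC -lpam.
 * Assumption: smbd sets PAM_RHOST to the client's address (verify this in
 * your Samba version); if it is absent or a hostname, the client is untrusted. */
#define PAM_SM_ACCOUNT
#include <security/pam_modules.h>

int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    const char *user = NULL, *rhost = NULL;

    (void)flags; (void)argc; (void)argv;
    if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL)
        return PAM_USER_UNKNOWN;
    (void)pam_get_item(pamh, PAM_RHOST, (const void **)&rhost);
    return account_permitted(user, rhost) ? PAM_SUCCESS : PAM_PERM_DENIED;
}
#endif

int main(void)
{
    /* Stand-alone run over constructed client addresses. */
    printf("%d %d %d %d\n",
           account_permitted("mallory", "10.1.200.7"),   /* trusted subnet */
           account_permitted("mallory", "203.0.113.9"),  /* untrusted, unlisted */
           account_permitted("alice", "203.0.113.9"),    /* untrusted, listed */
           account_permitted("alice", "fileserver"));    /* hostname, listed */
    return 0;
}
```

To wire the built module in, smb.conf keeps 'encrypt passwords = yes' (so Windows XP clients still get challenge/response) and adds 'obey pam restrictions = yes', and the Samba PAM stack (typically /etc/pam.d/samba) gets an 'account required' line naming the module, e.g. the hypothetical pam_smbnet.so; leave the 'auth' lines alone, since smbd ignores them for encrypted logons. Note that trusting a subnet is only as strong as the network path: address spoofing or a compromised host inside a trusted range bypasses the user list, which is why the design still requires a valid password from every client.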


