[Samba] CryptoCard - PAM or RADIUS?
idra at samba.org
Wed Sep 20 14:31:31 GMT 2006
On Tue, 2006-09-19 at 09:59 -0400, Russell Handorf wrote:
> Greetings all,
> I'm working on attempting to get SAMBA to work with a product line
> called CryptoCard. I *should* be able to get it to work one of two ways,
> either through the use of CryptoCard's provided PAM module, or through
> RADIUS authentication.
> Currently, I cannot seem to get PAM authentication to work at all. This
> is what is in the 'samba' file for PAM:
> auth required /lib/security/pam_cap_auth.so
> server=<insertSERVERipHERE>:624 noeus debug echo
> auth requires /lib/security/pam_nologin.so
> account required /lib/security/pam_stack.so service=system-auth
> account required /lib/security/pam_permit.so
> session required /lib/security/pam_stack.so service=system-auth
> session optional /lib/security/pam_console.so
> password required /lib/security/pam_stack.so service=system-auth
> And for the smb.conf file I have the all important setting of 'encrypt
> passwords = No' to enable PAM authentication
> When attempting to authenticate locally, from the server to the server,
> I get:
> smbclient -U rhandorf -L \\\\localhost
> session setup failed: NT_STATUS_UNSUCCESSFUL
> and in the error logs I get:
> [2006/09/18 13:42:36, 0] auth/pampass.c:smb_pam_auth(535)
> smb_pam_auth: PAM: UNKNOWN ERROR while authenticating user rhandorf
> [2006/09/18 13:42:36, 0] auth/pampass.c:smb_pam_passcheck(810)
> smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User rhandorf !
You need a lot more logs.
What I can't understand is how you are supposed to pass credential
authentication via smbclient, are you sending the Smartcard PIN in the
clear over the wire?
> I've looked around to see whether or not SAMBA supports RADIUS
> Authentication, and I havent seen any documentation that totally says
No. Makes no sense to support any clear text based authentication except
for the historical support for PAM with clear text passwords.
> Asking the vendor yielded the response of "SAMBA then isnt PAM aware;
> We'd like to support it, but until it is PAM aware we wont."
As you can see we call the PAM stack, tell your vendor to try harder :-)
> Any help would be great.
I don't think PAM is the way to support SmartCard authentication via
More information about the samba