[Samba] CryptoCard - PAM or RADIUS?

Russell Handorf rhandorf at handorf.org
Wed Sep 20 20:22:10 GMT 2006


Thanks Simo for your response. I'm working with the vendor a little 
more. Here are the details on the PAM errors.

[2006/09/19 07:56:48, 4] auth/pass_check.c:pass_check(621)
  pass_check: Checking (PAM) password for user rhandorf (l=6)
[2006/09/19 07:56:48, 4] auth/pampass.c:smb_pam_start(459)
  smb_pam_start: PAM: Init user: rhandorf
[2006/09/19 07:56:48, 4] auth/pampass.c:smb_pam_start(476)
  smb_pam_start: PAM: setting rhost to: 127.0.0.1
[2006/09/19 07:56:48, 4] auth/pampass.c:smb_pam_start(485)
  smb_pam_start: PAM: setting tty
[2006/09/19 07:56:48, 4] auth/pampass.c:smb_pam_start(493)
  smb_pam_start: PAM: Init passed for user: rhandorf
[2006/09/19 07:56:48, 4] auth/pampass.c:smb_pam_auth(510)
  smb_pam_auth: PAM: Authenticate User: rhandorf
[2006/09/19 07:56:48, 0] auth/pampass.c:smb_pam_auth(535)
  smb_pam_auth: PAM: UNKNOWN ERROR while authenticating user rhandorf
[2006/09/19 07:56:48, 2] auth/pampass.c:smb_pam_error_handler(73)
  smb_pam_error_handler: PAM: Authentication Failure : Module is unknown
[2006/09/19 07:56:48, 0] auth/pampass.c:smb_pam_passcheck(810)
  smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User rhandorf !
[2006/09/19 07:56:48, 4] auth/pampass.c:smb_pam_end(440)
  smb_pam_end: PAM: PAM_END OK.


The only other authentication method that they support then is RADIUS, 
which is clear text as well. Which one does everyone suggest I then try 
to tackle with SAMBA support? PAM or RADIUS?

Thanks again,
r


Simo Sorce wrote:
> On Tue, 2006-09-19 at 09:59 -0400, Russell Handorf wrote:
>   
>> Greetings all,
>>
>> I'm working on attempting to get SAMBA to work with a product line 
>> called CryptoCard. I *should* be able to get it to work one of two ways, 
>> either through the use of CryptoCard's provided PAM module, or through 
>> RADIUS authentication.
>>
>> Currently, I cannot seem to get PAM authentication to work at all. This 
>> is what is in the 'samba' file for PAM:
>> auth       required     /lib/security/pam_cap_auth.so server=<insertSERVERipHERE>:624 noeus debug echo
>> auth       requires     /lib/security/pam_nologin.so
>> account    required     /lib/security/pam_stack.so service=system-auth
>> account    required     /lib/security/pam_permit.so
>> session    required     /lib/security/pam_stack.so service=system-auth
>> session    optional     /lib/security/pam_console.so
>> password   required     /lib/security/pam_stack.so service=system-auth
>>
>> And for the smb.conf file I have the all important setting of 'encrypt 
>> passwords = No' to enable PAM authentication
>>
>> When attempting to authenticate locally, from the server to the server, 
>> I get:
>> smbclient -U rhandorf -L \\\\localhost
>> Password:
>> session setup failed: NT_STATUS_UNSUCCESSFUL
>>
>> and in the error logs I get:
>> [2006/09/18 13:42:36, 0] auth/pampass.c:smb_pam_auth(535)
>>   smb_pam_auth: PAM: UNKNOWN ERROR while authenticating user rhandorf
>> [2006/09/18 13:42:36, 0] auth/pampass.c:smb_pam_passcheck(810)
>>   smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User rhandorf !
>>     
>
> You need a lot more logs.
> What I can't understand is how you are supposed to pass credential
> authentication via smbclient, are you sending the Smartcard PIN in the
> clear over the wire?
>
>   
>> I've looked around to see whether or not SAMBA supports RADIUS 
>> Authentication, and I haven't seen any documentation that totally says 
>> 'yes.'
>>     
>
> No. Makes no sense to support any clear text based authentication except
> for the historical support for PAM with clear text passwords.
>
>   
>> Asking the vendor yielded the response of "SAMBA then isn't PAM aware; 
>> We'd like to support it, but until it is PAM aware we won't."
>>     
>
> As you can see we call the PAM stack, tell your vendor to try harder :-)
>
>   
>> Any help would be great.
>>     
>
> I don't think PAM is the way to support SmartCard authentication via
> Samba.
>
> Simo.
>
>   
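
Added example, not part of the original thread and not Samba or CryptoCard code: a small checker for a pam.d service file that flags entries which do not fit the `type control module-path [args]` syntax from pam.conf(5). The sample input is the 'samba' stack quoted above with the mail line wrap rejoined; the function names are illustrative.

```python
# Management groups and control keywords documented in pam.conf(5) (Linux-PAM).
TYPES = {"auth", "account", "session", "password"}
CONTROLS = {"required", "requisite", "sufficient", "optional", "include", "substack"}

# Constructed sample: the 'samba' stack quoted in the message, with the
# mail line wrap on the first entry rejoined.
SAMPLE = """\
auth       required     /lib/security/pam_cap_auth.so server=<insertSERVERipHERE>:624 noeus debug echo
auth       requires     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_permit.so
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so
password   required     /lib/security/pam_stack.so service=system-auth
"""

def logical_lines(text):
    """Yield (first_line_no, entry); joins backslash continuations, drops comments."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if raw.endswith("\\"):          # entry continues on the next physical line
            buf += raw[:-1] + " "
            continue
        entry = (buf + raw).split("#", 1)[0].strip()
        if entry:
            yield start, entry
        buf, start = "", None

def lint_pam_stack(text):
    """Return [(line_no, problem)] for entries that do not fit the documented syntax."""
    problems = []
    for no, entry in logical_lines(text):
        fields = entry.split(None, 2)
        if len(fields) < 3:
            problems.append((no, "expected 'type control module-path [args]'"))
            continue
        mtype, control = fields[0].lower(), fields[1].lower()
        if mtype.lstrip("-") not in TYPES:
            # Typical of module arguments that wrapped onto their own line.
            problems.append((no, f"unknown type {mtype!r}"))
        elif control.startswith("["):
            if "]" not in entry:        # [value=action ...] form must be closed
                problems.append((no, "unterminated [value=action] control"))
        elif control not in CONTROLS:
            problems.append((no, f"unknown control flag {control!r}"))
    return problems

if __name__ == "__main__":
    for line_no, problem in lint_pam_stack(SAMPLE):
        print(f"line {line_no}: {problem}")
```

Run against the quoted stack, it reports the control field on the pam_nologin.so entry, which is not one of the documented keywords.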

