[Samba] CryptoCard - PAM or RADIUS?

Russell Handorf rhandorf at handorf.org
Fri Sep 22 16:09:35 GMT 2006

Greetings all,

not being able to get PAM to work correctly, I then tried their RADIUS 
server approach. I am now getting closer to success with this problem. I 
see the RADIUS traffic push and pull; it authenticates successfully once 
and then, on a second authentication attempt, fails (as the card 
sequence most likely changed).

Below is what I am entering at the CLI, and am now getting output:

fileserver:/etc/pam.d# smbclient -U rhandorf -L \\\\localhost
Domain=[<snip>] OS=[Unix] Server=[<snip>]

        Sharename       Type      Comment
        ---------       ----      -------
        homes           Disk     
        public          Disk     
        IPC$            IPC       IPC Service
        ADMIN$          IPC       IPC Service
        rhandorf        Disk      Home directory of rhandorf
session setup failed: NT_STATUS_LOGON_FAILURE
NetBIOS over TCP disabled -- no workgroup available

and in the auth.log

Sep 22 09:03:46 localhost smbd[9625]: (pam_unix) authentication failure; 
logname= uid=0 euid=0 tty=samba ruser= rhost=  user=rhandorf

the samba pam file contains the following:

auth sufficient pam_radius_auth.so debug conf=/etc/raddb/server
auth    required        pam_unix.so nullok_secure
account required        pam_unix.so
session required        pam_unix.so

Windows always reports back with "\\fileserver is not accessible. You 
might not have permission to use this network resource..." error.

Any idea's as to how I can attack this one?

Thanks again all,


Russell Handorf wrote:
> Thanks Simo for your response. I'm working with the vendor a little 
> more. Here are the details on the PAM error's.
> [2006/09/19 07:56:48, 4] auth/pass_check.c:pass_check(621)
>  pass_check: Checking (PAM) password for user rhandorf (l=6)
> [2006/09/19 07:56:48, 4] auth/pampass.c:smb_pam_start(459)
>  smb_pam_start: PAM: Init user: rhandorf
> [2006/09/19 07:56:48, 4] auth/pampass.c:smb_pam_start(476)
>  smb_pam_start: PAM: setting rhost to:
> [2006/09/19 07:56:48, 4] auth/pampass.c:smb_pam_start(485)
>  smb_pam_start: PAM: setting tty
> [2006/09/19 07:56:48, 4] auth/pampass.c:smb_pam_start(493)
>  smb_pam_start: PAM: Init passed for user: rhandorf
> [2006/09/19 07:56:48, 4] auth/pampass.c:smb_pam_auth(510)
>  smb_pam_auth: PAM: Authenticate User: rhandorf
> [2006/09/19 07:56:48, 0] auth/pampass.c:smb_pam_auth(535)
>  smb_pam_auth: PAM: UNKNOWN ERROR while authenticating user rhandorf
> [2006/09/19 07:56:48, 2] auth/pampass.c:smb_pam_error_handler(73)
>  smb_pam_error_handler: PAM: Authentication Failure : Module is unknown
> [2006/09/19 07:56:48, 0] auth/pampass.c:smb_pam_passcheck(810)
>  smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User rhandorf !
> [2006/09/19 07:56:48, 4] auth/pampass.c:smb_pam_end(440)
>  smb_pam_end: PAM: PAM_END OK.
> The only other authentication method that they support then is RADIUS, 
> which is clear text as well. Which one does everyone suggest I then 
> try to tackle with SAMBA support? PAM or RADIUS?
> Thanks again,
> r
> Simo Sorce wrote:
>> On Tue, 2006-09-19 at 09:59 -0400, Russell Handorf wrote:
>>> Greetings all,
>>> I'm working on attempting to get SAMBA to work with a product line 
>>> called CryptoCard. I *should* be able to get it to work one of two 
>>> ways, either through the use of CryptoCard's provided PAM module, or 
>>> through RADIUS authentication.
>>> Currently, I cannot seem to get PAM authentication to work at all. 
>>> This is what is in the 'samba' file for PAM:
>>> auth       required     /lib/security/pam_cap_auth.so 
>>> server=<insertSERVERipHERE>:624 noeus debug echo
>>> auth       requires     /lib/security/pam_nologin.so
>>> account    required     /lib/security/pam_stack.so service=system-auth
>>> account    required     /lib/security/pam_permit.so
>>> session    required     /lib/security/pam_stack.so service=system-auth
>>> session    optional     /lib/security/pam_console.so
>>> password   required     /lib/security/pam_stack.so service=system-auth
>>> And for the smb.conf file I have the all important setting of 
>>> 'encrypt passwords = No' to enable PAM authentication
>>> When attempting to authenticate locally, from the server to the 
>>> server, I get:
>>> smbclient -U rhandorf -L \\\\localhost
>>> Password:
>>> session setup failed: NT_STATUS_UNSUCCESSFUL
>>> and in the error logs I get:
>>> [2006/09/18 13:42:36, 0] auth/pampass.c:smb_pam_auth(535)
>>>   smb_pam_auth: PAM: UNKNOWN ERROR while authenticating user rhandorf
>>> [2006/09/18 13:42:36, 0] auth/pampass.c:smb_pam_passcheck(810)
>>>   smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User 
>>> rhandorf !
>> You need a lot more logs.
>> What I can't understand is how you are supposed to pass credential
>> authentication via smbclient, are you sending the Smartcard PIN in the
>> clear over the wire?
>>> I've looked around to see whether or not SAMBA supports RADIUS 
>>> Authentication, and I havent seen any documentation that totally 
>>> says 'yes.'
>> No. Makes no sense to support any clear text based authentication except
>> for the historical support for PAM with clear text passwords.
>>> Asking the vendor yielded the response of "SAMBA then isnt PAM 
>>> aware; We'd like to support it, but until it is PAM aware we wont."
>> As you can see we call the PAM stack, tell your vendor to try harder :-)
>>> Any help would be great.
>> I don't think PAM is the way to support SmartCard authentication via
>> Samba.
>> Simo.

More information about the samba mailing list