[Samba] CryptoCard - PAM or RADIUS?
Russell Handorf
rhandorf at handorf.org
Fri Sep 22 16:09:35 GMT 2006
Greetings all,
Not being able to get PAM to work correctly, I then tried their RADIUS
server approach. I am now getting closer to success with this problem. I
see the RADIUS traffic push and pull; it authenticates successfully once
and then, on a second authentication attempt, fails (as the card
sequence most likely changed).
Below is what I am entering at the CLI, and am now getting output:
fileserver:/etc/pam.d# smbclient -U rhandorf -L \\\\localhost
Password:
Domain=[<snip>] OS=[Unix] Server=[<snip>]

        Sharename       Type      Comment
        ---------       ----      -------
        homes           Disk
        public          Disk
        IPC$            IPC       IPC Service
        ADMIN$          IPC       IPC Service
        rhandorf        Disk      Home directory of rhandorf
session setup failed: NT_STATUS_LOGON_FAILURE
NetBIOS over TCP disabled -- no workgroup available
and in the auth.log
Sep 22 09:03:46 localhost smbd[9625]: (pam_unix) authentication failure;
logname= uid=0 euid=0 tty=samba ruser= rhost=127.0.0.1 user=rhandorf
the samba pam file contains the following:
auth sufficient pam_radius_auth.so debug conf=/etc/raddb/server
auth required pam_unix.so nullok_secure
account required pam_unix.so
session required pam_unix.so
Windows always reports back with "\\fileserver is not accessible. You
might not have permission to use this network resource..." error.
Any ideas as to how I can attack this one?
Thanks again all,
r
Russell Handorf wrote:
> Thanks Simo for your response. I'm working with the vendor a little
> more. Here are the details on the PAM errors.
>
> [2006/09/19 07:56:48, 4] auth/pass_check.c:pass_check(621)
> pass_check: Checking (PAM) password for user rhandorf (l=6)
> [2006/09/19 07:56:48, 4] auth/pampass.c:smb_pam_start(459)
> smb_pam_start: PAM: Init user: rhandorf
> [2006/09/19 07:56:48, 4] auth/pampass.c:smb_pam_start(476)
> smb_pam_start: PAM: setting rhost to: 127.0.0.1
> [2006/09/19 07:56:48, 4] auth/pampass.c:smb_pam_start(485)
> smb_pam_start: PAM: setting tty
> [2006/09/19 07:56:48, 4] auth/pampass.c:smb_pam_start(493)
> smb_pam_start: PAM: Init passed for user: rhandorf
> [2006/09/19 07:56:48, 4] auth/pampass.c:smb_pam_auth(510)
> smb_pam_auth: PAM: Authenticate User: rhandorf
> [2006/09/19 07:56:48, 0] auth/pampass.c:smb_pam_auth(535)
> smb_pam_auth: PAM: UNKNOWN ERROR while authenticating user rhandorf
> [2006/09/19 07:56:48, 2] auth/pampass.c:smb_pam_error_handler(73)
> smb_pam_error_handler: PAM: Authentication Failure : Module is unknown
> [2006/09/19 07:56:48, 0] auth/pampass.c:smb_pam_passcheck(810)
> smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User rhandorf !
> [2006/09/19 07:56:48, 4] auth/pampass.c:smb_pam_end(440)
> smb_pam_end: PAM: PAM_END OK.
>
>
> The only other authentication method that they support then is RADIUS,
> which is clear text as well. Which one does everyone suggest I then
> try to tackle with SAMBA support? PAM or RADIUS?
>
> Thanks again,
> r
>
>
> Simo Sorce wrote:
>> On Tue, 2006-09-19 at 09:59 -0400, Russell Handorf wrote:
>>
>>> Greetings all,
>>>
>>> I'm working on attempting to get SAMBA to work with a product line
>>> called CryptoCard. I *should* be able to get it to work one of two
>>> ways, either through the use of CryptoCard's provided PAM module, or
>>> through RADIUS authentication.
>>>
>>> Currently, I cannot seem to get PAM authentication to work at all.
>>> This is what is in the 'samba' file for PAM:
>>> auth required /lib/security/pam_cap_auth.so
>>> server=<insertSERVERipHERE>:624 noeus debug echo
>>> auth requires /lib/security/pam_nologin.so
>>> account required /lib/security/pam_stack.so service=system-auth
>>> account required /lib/security/pam_permit.so
>>> session required /lib/security/pam_stack.so service=system-auth
>>> session optional /lib/security/pam_console.so
>>> password required /lib/security/pam_stack.so service=system-auth
>>>
>>> And for the smb.conf file I have the all important setting of
>>> 'encrypt passwords = No' to enable PAM authentication
>>>
>>> When attempting to authenticate locally, from the server to the
>>> server, I get:
>>> smbclient -U rhandorf -L \\\\localhost
>>> Password:
>>> session setup failed: NT_STATUS_UNSUCCESSFUL
>>>
>>> and in the error logs I get:
>>> [2006/09/18 13:42:36, 0] auth/pampass.c:smb_pam_auth(535)
>>> smb_pam_auth: PAM: UNKNOWN ERROR while authenticating user rhandorf
>>> [2006/09/18 13:42:36, 0] auth/pampass.c:smb_pam_passcheck(810)
>>> smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User
>>> rhandorf !
>>>
>>
>> You need a lot more logs.
>> What I can't understand is how you are supposed to pass credential
>> authentication via smbclient, are you sending the Smartcard PIN in the
>> clear over the wire?
>>
>>
>>> I've looked around to see whether or not SAMBA supports RADIUS
>>> Authentication, and I haven't seen any documentation that totally
>>> says 'yes.'
>>>
>>
>> No. Makes no sense to support any clear text based authentication except
>> for the historical support for PAM with clear text passwords.
>>
>>
>>> Asking the vendor yielded the response of "SAMBA then isn't PAM
>>> aware; We'd like to support it, but until it is PAM aware we won't."
>>>
>>
>> As you can see we call the PAM stack, tell your vendor to try harder :-)
>>
>>
>>> Any help would be great.
>>>
>>
>> I don't think PAM is the way to support SmartCard authentication via
>> Samba.
>>
>> Simo.
>>
>>
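
The newest message's stack (pam_radius_auth as "sufficient", then pam_unix as "required") and its succeed-once-then-fail behaviour can be modelled as below. This is an added example, not code from the thread, Samba or Linux-PAM; the token backend, the codes and the local password are constructed, and it assumes, as the post suggests, that a token code is accepted only once.

```python
# Added example: simplified model of PAM auth-stack control flags (not Linux-PAM code).
SUCCESS, FAILURE = "success", "failure"

class OneTimeTokenServer:
    """Constructed stand-in for the RADIUS/token backend: each code is valid once."""
    def __init__(self, codes):
        self.codes = list(codes)      # upcoming codes, in card-sequence order

    def check(self, user, password):
        if self.codes and password == self.codes[0]:
            self.codes.pop(0)         # sequence advances; the code cannot be replayed
            return SUCCESS
        return FAILURE

def run_auth_stack(stack, user, password):
    """Evaluate (control, name, module) entries; return (result, modules consulted)."""
    succeeded, required_failed, trace = False, False, []
    for control, name, module in stack:
        result = module(user, password)
        trace.append((name, result))
        if control == "sufficient":
            # Success ends the stack at once unless a required module already
            # failed; failure is ignored and the next module is consulted.
            if result == SUCCESS and not required_failed:
                return SUCCESS, trace
        elif control in ("required", "requisite"):
            if result == FAILURE:
                if control == "requisite":
                    return FAILURE, trace   # requisite failure aborts immediately
                required_failed = True      # required failure is remembered
            else:
                succeeded = True
    return (SUCCESS if succeeded and not required_failed else FAILURE), trace

def demo():
    radius = OneTimeTokenServer(["482913", "771204"])   # constructed token codes
    unix_db = {"rhandorf": "local-secret"}              # constructed local password

    def pam_unix(user, password):
        return SUCCESS if unix_db.get(user) == password else FAILURE

    stack = [("sufficient", "pam_radius_auth", radius.check),
             ("required", "pam_unix", pam_unix)]
    first = run_auth_stack(stack, "rhandorf", "482913")
    second = run_auth_stack(stack, "rhandorf", "482913")  # same code presented again
    return first, second
```

In the second call the ignored "sufficient" failure lets evaluation fall through to pam_unix, so the failure that gets recorded is pam_unix's, as in the auth.log line quoted in the message.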