[Samba] SAMBA and 2 form factor auth

Russell Handorf rhandorf at handorf.org
Mon Sep 25 15:18:10 GMT 2006


Hi All,

I haven't heard a response back to my previous posts so I am now trying 
from a "broader" topic.

What I have is the following:
A 2 Form Factor Token Authentication system similar to RSA SecurID
A Linux SAMBA 3.0.14a-Debian

I've got the two systems authenticating against each other with RADIUS 
via PAM support. When I tell SAMBA to use this PAM support as well, I 
see the following happen:

======

With a known bad password
08:17:17.406519 IP 192.168.0.200.2582 > crypto.radius: RADIUS, Access Request (1), id: 0x2f length: 90
08:17:19.478763 IP crypto.radius > 192.168.0.200.2582: RADIUS, Access Reject (3), id: 0x2f length: 20

fileserver:~# smbclient -U rhandorf -L \\\\localhost
Password:
session setup failed: NT_STATUS_LOGON_FAILURE

======

With the secured Token password:

08:18:57.581672 IP 192.168.0.200.2584 > crypto..radius: RADIUS, Access Request (1), id: 0xb3 length: 90
08:18:58.491265 IP crypto.radius > 192.168.0.200.2584: RADIUS, Access Accept (2), id: 0xb3 length: 20
08:18:58.531395 IP 192.168.0.200.2585 > crypto.radius: RADIUS, Access Request (1), id: 0x99 length: 90
08:18:59.108133 IP crypto.radius > 192.168.0.200.2585: RADIUS, Access Reject (3), id: 0x99 length: 20

fileserver:~# smbclient -U rhandorf -L \\\\localhost
Password:
Domain=[<snip>] OS=[Unix] Server=[Samba 3.0.14a-Debian]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk      Network Logon Service
        public          Disk      
        IPC$            IPC       IPC Service (samba file services)
        ADMIN$          IPC       IPC Service (samba file services)
        rhandorf        Disk      Home directory of rhandorf
session setup failed: NT_STATUS_LOGON_FAILURE
NetBIOS over TCP disabled -- no workgroup available

======

So, why does it auth twice? Why doesn't SAMBA keep the first auth session 
as a success, and of course fail on the second when my token has changed?

Attached is the smb.conf file - Someone have some ideas?

Thanks,
r

[global]
        workgroup = <snip>
        server string = samba file services
        netbios name = Fileserver
        log file = /var/log/samba/%m.log
        max log size = 50
        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        preferred master = True
        local master = Yes
        domain master = True
        dns proxy = yes
        remote announce = 192.168.0.255
        os level = 40
        ;domain logons = yes
        ;logon script = logon.bat
        ;logon home = \\%G\%U\.profile
        name resolve order = wins lmhosts bcast
        wins proxy = yes
        ;preserve case = yes
        ;short preserve case = yes
        wins support= yes
        security = user
        #must be set to 'no' to use PAM
        encrypt passwords = No
        update encrypted = No
        allow trusted domains = Yes
        #min password length = 6
        null passwords = No
[homes]
        comments = Home Dir
        browsable = no
        writable = yes
        hide dot files = yes
[netlogon]
        comment = Network Logon Service
        path = /home/netlogon
        guest ok = yes
        writable = no
        share modes = no
        write list = domain_admin
[Profiles]
        path = /%G/%U/.profile
        browseable = no
        guest ok = yes
[public]
        path = /samba/public
        valid users = users
        force group = users
        writeable = Yes
        guest ok = No
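
Added example, not part of the original post: a small parser for tcpdump RADIUS summary lines in the format of the captures above. It pairs each Access-Request with its reply by client ip.port and RADIUS id, then flags a client host whose Access-Accept is followed within a few seconds by an Access-Reject, the pattern in the second capture. The sample lines are constructed; the addresses, the 5-second window and the function names are assumptions.

```python
import re
from datetime import datetime

# Constructed capture in the page's format (placeholder hosts, mail-wrapped lines).
SAMPLE = """\
08:17:17.406519 IP 192.0.2.10.2582 > radius.example.radius: RADIUS, Access
Request (1), id: 0x2f length: 90
08:17:19.478763 IP radius.example.radius > 192.0.2.10.2582: RADIUS, Access
Reject (3), id: 0x2f length: 20
08:18:57.581672 IP 192.0.2.10.2584 > radius.example.radius: RADIUS, Access
Request (1), id: 0xb3 length: 90
08:18:58.491265 IP radius.example.radius > 192.0.2.10.2584: RADIUS, Access
Accept (2), id: 0xb3 length: 20
08:18:58.531395 IP 192.0.2.10.2585 > radius.example.radius: RADIUS, Access
Request (1), id: 0x99 length: 90
08:18:59.108133 IP radius.example.radius > 192.0.2.10.2585: RADIUS, Access
Reject (3), id: 0x99 length: 20
"""

LINE = re.compile(r"(\d\d:\d\d:\d\d\.\d+) IP (\S+) > (\S+): RADIUS, Access "
                  r"(Request|Accept|Reject) \(\d+\), id: (0x[0-9a-f]+)")

def replies(text):
    """Pair each Access-Request with its reply by (client ip.port, RADIUS id)."""
    pending, out = set(), []
    # Collapse all whitespace first so wrapped lines parse like unwrapped ones.
    for ts, src, dst, kind, rid in LINE.findall(" ".join(text.split())):
        if kind == "Request":
            pending.add((src, rid))
        elif (dst, rid) in pending:
            pending.discard((dst, rid))
            host = dst.rsplit(".", 1)[0]          # drop the ephemeral source port
            out.append((datetime.strptime(ts, "%H:%M:%S.%f"), host, kind))
    return out

def accept_then_reject(text, window=5.0):
    """Client hosts whose Accept is followed within `window` seconds by a Reject."""
    last_accept, hits = {}, []
    for when, host, kind in replies(text):
        if kind == "Accept":
            last_accept[host] = when
        elif host in last_accept:
            gap = (when - last_accept.pop(host)).total_seconds()
            if gap <= window:
                hits.append((host, round(gap, 3)))
    return hits

if __name__ == "__main__":
    for host, gap in accept_then_reject(SAMPLE):
        print(f"{host}: Access-Accept then Access-Reject {gap}s later")
```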


