[Samba] SAMBA and 2 form factor auth

Russell Handorf rhandorf at handorf.org
Mon Sep 25 15:18:10 GMT 2006

Hi All,

I haven't heard a response back to my previous posts, so I am now trying 
from a "broader" topic.

What I have is the following:
A 2 Form Factor Token Authentication system similar to RSA SecurID
A Linux SAMBA 3.0.14a-Debian

I've got the two systems authenticating against each other with RADIUS 
via PAM support. When I tell SAMBA to use this PAM support as well, I 
see the following happen:


With a known bad password:

08:17:17.406519 IP > crypto.radius: RADIUS, Access Request (1), id: 0x2f length: 90
08:17:19.478763 IP crypto.radius > RADIUS, Access Reject (3), id: 0x2f length: 20

fileserver:~# smbclient -U rhandorf -L \\\\localhost
session setup failed: NT_STATUS_LOGON_FAILURE


With the secured Token password:

08:18:57.581672 IP > crypto.radius: RADIUS, Access Request (1), id: 0xb3 length: 90
08:18:58.491265 IP crypto.radius > RADIUS, Access Accept (2), id: 0xb3 length: 20
08:18:58.531395 IP > crypto.radius: RADIUS, Access Request (1), id: 0x99 length: 90
08:18:59.108133 IP crypto.radius > RADIUS, Access Reject (3), id: 0x99 length: 20

fileserver:~# smbclient -U rhandorf -L \\\\localhost
Domain=[<snip>] OS=[Unix] Server=[Samba 3.0.14a-Debian]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk      Network Logon Service
        public          Disk      
        IPC$            IPC       IPC Service (samba file services)
        ADMIN$          IPC       IPC Service (samba file services)
        rhandorf        Disk      Home directory of rhandorf
session setup failed: NT_STATUS_LOGON_FAILURE
NetBIOS over TCP disabled -- no workgroup available


So, why does it auth twice? Why doesn't SAMBA keep the first auth session 
as a success, and of course fail on the second when my token has changed?

Attached is the smb.conf file. Does someone have some ideas?


# Section headers were lost in the archive copy; they are reconstructed here
# from the share list above, and the [profiles] section name is an assumption.
[global]
        workgroup = <snip>
        server string = samba file services
        netbios name = Fileserver
        log file = /var/log/samba/%m.log
        max log size = 50
        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192
        preferred master = True
        local master = Yes
        domain master = True
        dns proxy = yes
        remote announce =
        os level = 40
        ;domain logons = yes
        ;logon script = logon.bat
        ;logon home = \\%G\%U\.profile
        name resolve order = wins lmhosts bcast
        wins proxy = yes
        ;preserve case = yes
        ;short preserve case = yes
        wins support = yes
        security = user
        #must be set to 'no' to use PAM
        #note: with this setting the SMB client sends the password in clear text on the wire
        encrypt passwords = No
        update encrypted = No
        allow trusted domains = Yes
        #min password length = 6
        null passwords = No

[homes]
        comment = Home Dir
        browsable = no
        writable = yes
        hide dot files = yes

[netlogon]
        comment = Network Logon Service
        path = /home/netlogon
        guest ok = yes
        writable = no
        share modes = no
        write list = domain_admin

[profiles]
        path = /%G/%U/.profile
        browseable = no
        guest ok = yes

[public]
        path = /samba/public
        valid users = users
        force group = users
        writeable = Yes
        guest ok = No
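A small correlation script, added here as an example (it is not from the post or from Samba), that parses tcpdump RADIUS lines like the ones quoted above, pairs each Access-Request with its reply by packet id, and reports any new request sent right after an Access-Accept, which is the pattern a one-time token code cannot survive. The sample capture is constructed from the post's own output with the wrapped lines joined.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the tcpdump output quoted in the post (wrapped lines joined).
SAMPLE_CAPTURE = """\
08:17:17.406519 IP > crypto.radius: RADIUS, Access Request (1), id: 0x2f length: 90
08:17:19.478763 IP crypto.radius > RADIUS, Access Reject (3), id: 0x2f length: 20
08:18:57.581672 IP > crypto.radius: RADIUS, Access Request (1), id: 0xb3 length: 90
08:18:58.491265 IP crypto.radius > RADIUS, Access Accept (2), id: 0xb3 length: 20
08:18:58.531395 IP > crypto.radius: RADIUS, Access Request (1), id: 0x99 length: 90
08:18:59.108133 IP crypto.radius > RADIUS, Access Reject (3), id: 0x99 length: 20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{6}) IP .*?RADIUS, Access\s+"
    r"(?P<kind>Request|Accept|Reject) \(\d\), id: (?P<id>0x[0-9a-fA-F]+)"
)

def parse_exchanges(capture):
    """Pair each Access-Request with its reply via the RADIUS packet id.
    Returns dicts {"id", "request", "reply", "outcome"} in request order;
    outcome is "Accept", "Reject" or None when no reply was captured."""
    exchanges, pending = [], {}
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%H:%M:%S.%f")
        pid = m.group("id").lower()
        if m.group("kind") == "Request":
            pending[pid] = {"id": pid, "request": ts, "reply": None, "outcome": None}
            exchanges.append(pending[pid])
        elif pid in pending:  # reply: close the matching outstanding request
            ex = pending.pop(pid)
            ex["reply"], ex["outcome"] = ts, m.group("kind")
    return exchanges

def find_reauth_after_accept(exchanges, window_seconds=5.0):
    """Flag an Access-Request sent within window_seconds of an Access-Accept.
    A one-time token code is valid once, so such a follow-up is expected to
    be rejected; the pairs show which client behaviour is burning the token."""
    findings = []
    for prev, nxt in zip(exchanges, exchanges[1:]):
        if prev["outcome"] != "Accept":
            continue
        gap = (nxt["request"] - prev["reply"]).total_seconds()
        if 0 <= gap <= window_seconds:
            findings.append((prev["id"], nxt["id"], round(gap, 3), nxt["outcome"]))
    return findings
```

On the post's capture this reports the 0xb3 Accept followed 40 ms later by the 0x99 request that was rejected, i.e. the second session setup of the same smbclient run.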

