[Samba] smbd to authenticate via pam modules
David Komanek
david.komanek at natur.cuni.cz
Thu Sep 8 14:59:14 UTC 2016
Hi,
I have a simple setup with pam modules to use kerberos authentication
(heimdal kdc) for various services, i.e. ssh/scp/sftp, ftp and others. I
would like to connect my standalone smbd (no AD membership) to this
system, but have problems forcing smbd to use pam.
local smbpasswd works
spnego + kerberos works with a ticket
but
pam modules are not accessed at all
In my test setup, the local samba password differs from the kerberos one, to
be sure how I got authenticated. If I use
client use spnego = yes
realm = MY.REALM.REDACTED
kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5.keytab
kerberos ticket is verified and I get logged in. After removing those 4
lines, giving the kerberos password ends up with
session setup failed: NT_STATUS_LOGON_FAILURE
and there is nothing logged by the pam libraries, so I suppose they are not
called at all (other services are using them successfully and logging
without problems). But as long as I am using plaintext passwords, it
should be going to the pam libraries, shouldn't it? The PAM configuration is
working for other services, so I suppose the problem is in my samba setup.
It is samba 4.2.10-Debian on Jessie (Debian 8).
Hopefully it would be obvious to someone here what I am doing wrong.
Thanks in advance,
David
smb.conf:
--------------
[global]
workgroup = WORKGROUP
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 4
panic action = /usr/share/samba/panic-action %d
server role = standalone server
# with the following 4 lines, kerberos ticket is verified and kerberos
# authentication works, but this is not through PAM
client use spnego = yes
realm = MY.REALM.REDACTED
kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5.keytab
encrypt passwords = no
security = user
client plaintext auth = yes
client ntlmv2 auth = no
client lanman auth = yes
obey pam restrictions = no
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = no
map to guest = bad user
usershare allow guests = yes
[homes]
comment = Home Directories
browseable = no
read only = yes
create mask = 0700
directory mask = 0700
valid users = %S
[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
/etc/pam.d/samba
---------------------------
@include common-auth
@include common-account
@include common-session-noninteractive
or alternatively
#%PAM-1.0
auth include common-auth
account include common-account
session include common-session-noninteractive
common-auth
--------------------
auth sufficient pam_krb5.so debug use_first_pass forwardable
auth required pam_unix.so nullok_secure use_first_pass
common-account
-------------------------
account sufficient pam_krb5.so
account required pam_unix.so
common-session-noninteractive
---------------------------------------------
session required pam_unix.so
session required pam_limits.so
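Added example, not from David's post or from Samba itself: a small Python checker that parses an smb.conf in the style quoted above and lists the [global] settings that weaken authentication, with the value to set instead. The embedded sample is constructed from the post's [global] section; the parameter names and their meaning follow the smb.conf man page (smbd consults PAM for the password only when it arrives in plaintext, i.e. with encrypt passwords = no, and the "client ..." parameters affect Samba's own client tools, not smbd).

```python
import re

# Constructed sample, condensed from the [global] section quoted in the post.
SAMPLE_SMB_CONF = """
[global]
server role = standalone server
encrypt passwords = no
client plaintext auth = yes
client ntlmv2 auth = no
client lanman auth = yes
obey pam restrictions = no
"""

# parameter -> (weak value, recommended value, why). Keys are written the way
# Samba compares parameter names (case and whitespace ignored). The "client ..."
# parameters only affect Samba's own client tools such as smbclient, not smbd.
WEAK = {
    "encryptpasswords": ("no", "yes",
                         "passwords cross the wire in clear; PAM is consulted only for plaintext logons"),
    "clientplaintextauth": ("yes", "no", "smbclient may send the password in clear"),
    "clientlanmanauth": ("yes", "no", "smbclient may fall back to the LM response"),
    "clientntlmv2auth": ("no", "yes", "smbclient will not use NTLMv2"),
    "obeypamrestrictions": ("no", "yes", "PAM account/session checks are skipped"),
}

def parse_smb_conf(text):
    """Return {section: {normalised parameter: value}} from smb.conf text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # comments and blank lines
            continue
        m = re.match(r"\[(.+)\]$", line)       # [section] header
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.replace(" ", "").lower()] = value.strip().lower()
    return sections

def weak_settings(text):
    """List (parameter, current, recommended, reason) for weak [global] values."""
    glob = parse_smb_conf(text).get("global", {})
    return [(k, bad, good, why) for k, (bad, good, why) in WEAK.items()
            if glob.get(k) == bad]
```

Running weak_settings(SAMPLE_SMB_CONF) reports all five parameters above; boolean synonyms such as true/false or 1/0 are not normalised, so a real config may need those folded to yes/no first.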