[Samba] Custom Authentication Plugin (passdb backend)

Nick Coons nick.coons at hyperionworks.com
Mon Mar 27 05:53:22 UTC 2017

Hi Andrew!

On 03/26/2017 04:24 PM, Andrew Bartlett via samba wrote:
> On Sat, 2017-03-25 at 19:30 -0700, Nick Coons via samba wrote:
>> I'm looking to create a "passdb backend" plugin so that Samba can
>> authenticate with our existing custom authentication system.

> Can you describe a little more your current custom authentication
> system and the capabilities it has?

Of course.  The data is stored in a MySQL database, but it is accessed
through a JSON-RPC client/server model.  So we would want to create a
method (or set of methods) that requests authentication or other
information from the server.

For instance, we use it for OpenVPN connections.  OpenVPN has a facility 
that allows us to reference an arbitrary script that exits with status 0 
(success) or 1 (failure) to indicate whether or not the user's 
authentication attempt was successful.  I know that Samba is more
complicated than that, but that's the idea.

We would be willing to extend the system however we need.  For instance, 
the password hash that we store is likely incompatible, so we'd need to 
store a second hash of the user's password.  We'd also need to store the 
user's password expiration date, last login timestamp, etc.

> While we have built a pluggable auth and passdb system, creating and
> deploying custom backends has turned out to be much harder to execute
> in practice than originally expected.

> In particular, the auth subsystem only covers NTLM authentication, but
> not password changes nor machine account authentication (netlogon
> ServerAuthenticateX), and passdb has so many arms and legs it is quite
> difficult to implement (but more practical).

For us, it would be a read-only system.  So we wouldn't need to do 
things like allow users to change their passwords, or provide any domain 
functionality.  This would simply be for authenticating to access 
shares, and then using the correct user for filesystem permissions.

> Both require that you have access to the NT hash of the user's password
> (MD4(utf16_le(password))).

> If access to that is available, it may be more practical to present
> your existing DB in something that looks like our normal LDAP tree.

I'm certainly open to this, and this is something that we've put on our 
list of possible solutions as well.  I assume this would be some sort of 
listener on port 389 (or 686 for LDAP with SSL) that when Samba's LDAP 
client connects and sends authentication requests (or other requests for 
information), we'd pull the info from our system and present it in an 
expected way.  Never having built an LDAP server, I'm not exactly sure 
what this would entail, but probably a lot of reading on the LDAP spec. :-)

> Anyway, if you can discuss what you have and need we can see how we can
> help solve your problems.

I appreciate that... thank you!
