[Samba] Custom Authentication Plugin (passdb backend)
Nick Coons
nick.coons at hyperionworks.com
Mon Mar 27 05:53:22 UTC 2017
Hi Andrew!
On 03/26/2017 04:24 PM, Andrew Bartlett via samba wrote:
> On Sat, 2017-03-25 at 19:30 -0700, Nick Coons via samba wrote:
>> I'm looking to create a "passdb backend" plugin so that Samba can
>> authenticate with our existing custom authentication system.
> Can you describe a little more your current custom authentication
> system and the capabilities it has?
Of course. The data is stored in a MySQL database, but as accessed
through a JSON-RPC client/server model. So we would want to create a
method (or set of methods) that request authentication or other
information from the server.
For instance, we use it for OpenVPN connections. OpenVPN has a facility
that allows us to reference an arbitrary script that exits with status 0
(success) or 1 (failure) to indicate whether or not the user's
authentication attempt was successful. I know that Sambs is more
complicated than that, but that's the idea.
We would be willing to extend the system however we need. For instance,
the password hash that we store is likely incompatible, so we'd need to
store a second hash of the user's password. We'd also need to store the
user's password expiration date, last login timestamp, etc.
> While we have built a pluggable auth and passdb system, creating and
> deploying custom backends has turned out to be much harder to execute
> in practice than originally expected.
> In particular, the auth subsystem only covers NTLM authentication, but
> not password changes nor machine account authentication (netlogon
> ServerAuthenticateX), and passdb has so many arms and legs it is quite
> difficult to implement (but more practical).
For us, it would be a read-only system. So we wouldn't need to do
things like allow users to change their passwords, or provide any domain
functionality. This would simply be for authenticating to access
shares, and then using the correct user for filesystem permissions.
> Both require that you have access to the NT hash of the user's password
> (MD4(utf16_le(password))).
> If access to that is available, it may be more practical to present
> your existing DB in something that looks like our normal LDAP tree.
I'm certainly open to this, and this is something that we've put on our
list of possible solutions as well. I assume this would be some sort of
listener on port 389 (or 686 for LDAP with SSL) that when Samba's LDAP
client connects and sends authentication requests (or other requests for
information), we'd pull the info from our system and present it in an
expected way. Never having built an LDAP server, I'm not exactly sure
what this would entail, but probably a lot of reading on the LDAP spec. :-)
> Anyway, if you can discuss what you have and need we can see how we can
> help solve your problems.
I appreciate that. Thank you!