<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
>Configuring PAM for distributed but centrally
managed authentication</TITLE
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
TITLE="SAMBA Project Documentation"
HREF="samba-howto-collection.html"><LINK
TITLE="Optional configuration"
HREF="optional.html"><LINK
TITLE="UNIX Permission Bits and Windows NT Access Control Lists"
HREF="unix-permissions.html"><LINK
TITLE="Hosting a Microsoft Distributed File System tree on Samba"
HREF="msdfs.html"></HEAD
SUMMARY="Header navigation table"
>SAMBA Project Documentation</TH
HREF="unix-permissions.html"
NAME="PAM">Chapter 12. Configuring PAM for distributed but centrally
managed authentication</H1
NAME="AEN1788">12.1. Samba and PAM</H1
>A number of Unix systems (e.g. Sun Solaris), as well as the
xxxxBSD family and Linux, now utilize the Pluggable Authentication
Modules (PAM) facility to provide all authentication,
authorization and resource control services. Prior to the
introduction of PAM, a decision to use an alternative to
the system password database (<TT
would require the provision of alternatives for all programs that provide
security services. Such a choice would involve provision of
alternatives to such programs as: <B
>PAM provides a mechanism that disconnects these security programs
from the underlying authentication/authorization infrastructure.
PAM is configured either through one file <TT
or by editing individual files that are located in <TT
>The following is an example <TT
>/etc/pam.d/login</TT
> configuration file.
Had all options been uncommented, this example would probably not be usable,
as it stacks many conditions before allowing successful completion
of the login process. Essentially all conditions can be disabled
by commenting them out except the calls to <TT
CLASS="PROGRAMLISTING"
# The PAM configuration file for the `login' service
auth required pam_securetty.so
auth required pam_nologin.so
# auth required pam_dialup.so
# auth optional pam_mail.so
auth required pam_pwdb.so shadow md5
# account requisite pam_time.so
account required pam_pwdb.so
session required pam_pwdb.so
# session optional pam_lastlog.so
# password required pam_cracklib.so retry=3
password required pam_pwdb.so shadow md5</PRE
>PAM allows use of replaceable modules. Those available on a
sample system include:</P
CLASS="PROGRAMLISTING"
>$ /bin/ls /lib/security
pam_access.so pam_ftp.so pam_limits.so
pam_ncp_auth.so pam_rhosts_auth.so pam_stress.so
pam_cracklib.so pam_group.so pam_listfile.so
pam_nologin.so pam_rootok.so pam_tally.so
pam_deny.so pam_issue.so pam_mail.so
pam_permit.so pam_securetty.so pam_time.so
pam_dialup.so pam_lastlog.so pam_mkhomedir.so
pam_pwdb.so pam_shells.so pam_unix.so
pam_env.so pam_ldap.so pam_motd.so
pam_radius.so pam_smbpass.so pam_unix_acct.so
pam_wheel.so pam_unix_auth.so pam_unix_passwd.so
pam_userdb.so pam_warn.so pam_unix_session.so</PRE
>The following example for the login program replaces the use of
> module which uses the system
password database (<TT
> which uses the Samba
database which contains the Microsoft MD4 encrypted password
hashes. This database is stored in either
>/usr/local/samba/private/smbpasswd</TT
>/etc/samba/smbpasswd</TT
>/etc/samba.d/smbpasswd</TT
Samba implementation for your Unix/Linux system. The
> module is provided by
Samba version 2.2.1 or later. It can be compiled by specifying the
>--with-pam_smbpass</B
> options when running Samba's
> script. For more information
> module, see the documentation
>source/pam_smbpass</TT
> directory of the Samba
source distribution.</P
CLASS="PROGRAMLISTING"
# The PAM configuration file for the `login' service
auth required pam_smbpass.so nodelay
account required pam_smbpass.so nodelay
session required pam_smbpass.so nodelay
password required pam_smbpass.so nodelay</PRE
>The following is the PAM configuration file for a particular
Linux system. The default condition uses <TT
CLASS="PROGRAMLISTING"
# The PAM configuration file for the `samba' service
auth required /lib/security/pam_pwdb.so nullok nodelay shadow audit
account required /lib/security/pam_pwdb.so audit nodelay
session required /lib/security/pam_pwdb.so nodelay
password required /lib/security/pam_pwdb.so shadow md5</PRE
>In the following example the decision has been made to use the
smbpasswd database even for basic Samba authentication. Such a
decision could also be made for the passwd program and would
thus allow the smbpasswd passwords to be changed using the passwd
CLASS="PROGRAMLISTING"
# The PAM configuration file for the `samba' service
auth required /lib/security/pam_smbpass.so nodelay
account required /lib/security/pam_pwdb.so audit nodelay
session required /lib/security/pam_pwdb.so nodelay
password required /lib/security/pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf</PRE
>Note: PAM allows stacking of authentication mechanisms. It is
also possible to pass information obtained within one PAM module through
to the next module in the PAM stack. Please refer to the documentation for
your particular system implementation for details regarding the specific
capabilities of PAM in this environment. Some Linux implementations also
> module that allows all
authentication to be configured in a single central file. The
> method has some very devoted followers
on the basis that it allows for easier administration. As with all issues in
life though, every decision makes trade-offs, so you may want to examine the
PAM documentation for further helpful information.</P
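<P>To make the stacking rules concrete, here is an added example that is not code from the Samba documentation or project: a small Python script that parses service files in the /etc/pam.d format used in this chapter and simulates how PAM combines the results of a stack under the required, requisite, sufficient and optional control flags. The login file is the one shown above; the FALLBACK_PAM stack (pam_smbpass.so marked sufficient, pam_pwdb.so required) and the dictionary of per-module outcomes are constructed assumptions for the simulation, not configuration taken from the page.</P>

```python
"""Parse /etc/pam.d-style service files and simulate PAM stack evaluation.

Added example, not code from the Samba documentation.  It reads the format
shown in this chapter and applies the classic Linux-PAM control-flag
semantics, so the effect of stacking several modules becomes visible.
Module outcomes are supplied as a dict rather than by calling real modules.
"""
from dataclasses import dataclass

# Constructed sample: the `login' file shown earlier in this chapter, with the
# commented-out lines kept so the parser must skip them.
LOGIN_PAM = """\
# The PAM configuration file for the `login' service
auth required pam_securetty.so
auth required pam_nologin.so
# auth required pam_dialup.so
# auth optional pam_mail.so
auth required pam_pwdb.so shadow md5
# account requisite pam_time.so
account required pam_pwdb.so
session required pam_pwdb.so
# session optional pam_lastlog.so
# password required pam_cracklib.so retry=3
password required pam_pwdb.so shadow md5
"""

# Constructed sample (an assumption, not from the chapter): smbpasswd tried
# first, the system password database used as the fallback.
FALLBACK_PAM = """\
auth sufficient /lib/security/pam_smbpass.so nodelay
auth required /lib/security/pam_pwdb.so shadow md5
"""


@dataclass(frozen=True)
class Entry:
    group: str     # auth, account, session or password
    control: str   # required, requisite, sufficient or optional
    module: str    # module file name with any directory prefix removed
    args: tuple    # remaining tokens, e.g. ('shadow', 'md5')


def parse_pam_file(text):
    """Return the active (uncommented) entries of a pam.d service file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        group, control, module, *args = parts
        entries.append(Entry(group.lower(), control.lower(),
                             module.rsplit("/", 1)[-1], tuple(args)))
    return entries


def modules_by_group(entries):
    """Map each management group to the ordered list of modules backing it."""
    out = {}
    for e in entries:
        out.setdefault(e.group, []).append(e.module)
    return out


def evaluate_stack(entries, group, results):
    """Simulate one management group; True means PAM reports success.

    `results` maps module name -> bool for this run; a module missing from the
    map is treated as succeeding.  Rules applied:
      required   - failure is remembered, but the rest of the stack still runs
      requisite  - failure ends the stack immediately
      sufficient - success ends the stack with success, unless a required
                   module has already failed
      optional   - only decides the outcome when it is the sole module
    """
    stack = [e for e in entries if e.group == group]
    if not stack:
        raise ValueError(f"no {group!r} entries in this service file")
    required_failed = False
    for e in stack:
        ok = results.get(e.module, True)
        if e.control == "required":
            required_failed = required_failed or not ok
        elif e.control == "requisite":
            if not ok:
                return False
        elif e.control == "sufficient":
            if ok and not required_failed:
                return True
        elif e.control == "optional":
            if len(stack) == 1:
                return ok
        else:
            raise ValueError(f"unknown control flag {e.control!r}")
    return not required_failed


if __name__ == "__main__":
    login = parse_pam_file(LOGIN_PAM)
    print(modules_by_group(login))
    # pam_securetty rejecting: denied even though pam_pwdb would succeed
    print(evaluate_stack(login, "auth", {"pam_securetty.so": False}))
    fallback = parse_pam_file(FALLBACK_PAM)
    print(evaluate_stack(fallback, "auth", {"pam_smbpass.so": False}))
```

The point the simulation makes is the one the note above states: with every line marked required, the stack only grants access when every module agrees, and a failure early in the stack is remembered even though later modules still run; a sufficient entry is what lets one database stand in for another.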
NAME="AEN1832">12.2. Distributed Authentication</H1
>The astute administrator will realize from this that the
HREF="http://rsync.samba.org/"
>http://rsync.samba.org/</A
will allow the establishment of a centrally managed, distributed
user/password database that can also be used by all
PAM (e.g. Linux) aware programs and applications. This arrangement
can have particularly potent advantages compared with the
use of Microsoft Active Directory Service (ADS) insofar as it
reduces wide area network authentication traffic.</P
NAME="AEN1839">12.3. PAM Configuration in smb.conf</H1
>There is an option in smb.conf called <A
HREF="smb.conf.5.html#OBEYPAMRESTRICTIONS"
>obey pam restrictions</A
The following is from the on-line help for this option in SWAT:</P
>When Samba 2.2 is configured to enable PAM support (i.e.
>), this parameter will
control whether or not Samba should obey PAM's account
and session management directives. The default behavior
is to use PAM for clear text authentication only and to
ignore any account or session management. Note that Samba always
ignores PAM for authentication in the case of
HREF="smb.conf.5.html#ENCRYPTPASSWORDS"
>encrypt passwords = yes</A
The reason is that PAM modules cannot support the challenge/response
authentication mechanism needed in the presence of SMB
password encryption. </P
>obey pam restrictions = no</B