1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
5 >Configuring PAM for distributed but centrally
6 managed authentication</TITLE
9 CONTENT="Modular DocBook HTML Stylesheet Version 1.77"><LINK
11 TITLE="SAMBA Project Documentation"
12 HREF="samba-howto-collection.html"><LINK
14 TITLE="Optional configuration"
15 HREF="p1346.html"><LINK
17 TITLE="UNIX Permission Bits and Windows NT Access Control Lists"
18 HREF="unix-permissions.html"><LINK
20 TITLE="Hosting a Microsoft Distributed File System tree on Samba"
21 HREF="msdfs.html"></HEAD
78 >Chapter 12. Configuring PAM for distributed but centrally
79 managed authentication</H1
87 >12.1. Samba and PAM</H1
89 >A number of Unix systems (e.g. Sun Solaris), as well as the
90 *BSD family and Linux, now use the Pluggable Authentication
91 Modules (PAM) facility to provide all authentication,
92 authorization and resource control services. Prior to the
93 introduction of PAM, a decision to use an alternative to
94 the system password database (<TT
98 would require the provision of alternatives for all programs that provide
99 security services. Such a choice would involve provision of
100 alternatives to such programs as: <B
112 >PAM provides a mechanism that disconnects these security programs
113 from the underlying authentication/authorization infrastructure.
114 PAM is configured either through one file <TT
118 or by editing individual files that are located in <TT
123 >The following is an example <TT
125 >/etc/pam.d/login</TT
126 > configuration file.
127 This example, had all options been uncommented, is probably not usable,
128 as it stacks many conditions before allowing successful completion
129 of the login process. Essentially all conditions can be disabled
130 by commenting them out except the calls to <TT
136 CLASS="PROGRAMLISTING"
138 # The PAM configuration file for the `login' service
140 auth required pam_securetty.so
141 auth required pam_nologin.so
142 # auth required pam_dialup.so
143 # auth optional pam_mail.so
144 auth required pam_pwdb.so shadow md5
145 # account requisite pam_time.so
146 account required pam_pwdb.so
147 session required pam_pwdb.so
148 # session optional pam_lastlog.so
149 # password required pam_cracklib.so retry=3
150 password required pam_pwdb.so shadow md5</PRE
153 >PAM allows the use of replaceable modules. Those available on a
154 sample system include:</P
157 CLASS="PROGRAMLISTING"
158 >$ /bin/ls /lib/security
159 pam_access.so pam_ftp.so pam_limits.so
160 pam_ncp_auth.so pam_rhosts_auth.so pam_stress.so
161 pam_cracklib.so pam_group.so pam_listfile.so
162 pam_nologin.so pam_rootok.so pam_tally.so
163 pam_deny.so pam_issue.so pam_mail.so
164 pam_permit.so pam_securetty.so pam_time.so
165 pam_dialup.so pam_lastlog.so pam_mkhomedir.so
166 pam_pwdb.so pam_shells.so pam_unix.so
167 pam_env.so pam_ldap.so pam_motd.so
168 pam_radius.so pam_smbpass.so pam_unix_acct.so
169 pam_wheel.so pam_unix_auth.so pam_unix_passwd.so
170 pam_userdb.so pam_warn.so pam_unix_session.so</PRE
173 >The following example for the login program replaces the use of
177 > module which uses the system
178 password database (<TT
192 > which uses the Samba
193 database which contains the Microsoft MD4 encrypted password
194 hashes. This database is stored in either
197 >/usr/local/samba/private/smbpasswd</TT
201 >/etc/samba/smbpasswd</TT
205 >/etc/samba.d/smbpasswd</TT
207 Samba implementation for your Unix/Linux system. The
211 > module is provided by
212 Samba version 2.2.1 or later. It can be compiled by specifying the
215 >--with-pam_smbpass</B
216 > option when running Samba's
220 > script. For more information
224 > module, see the documentation
227 >source/pam_smbpass</TT
228 > directory of the Samba
229 source distribution.</P
232 CLASS="PROGRAMLISTING"
234 # The PAM configuration file for the `login' service
236 auth required pam_smbpass.so nodelay
237 account required pam_smbpass.so nodelay
238 session required pam_smbpass.so nodelay
239 password required pam_smbpass.so nodelay</PRE
242 >The following is the PAM configuration file for a particular
243 Linux system. The default condition uses <TT
249 CLASS="PROGRAMLISTING"
251 # The PAM configuration file for the `samba' service
253 auth required /lib/security/pam_pwdb.so nullok nodelay shadow audit
254 account required /lib/security/pam_pwdb.so audit nodelay
255 session required /lib/security/pam_pwdb.so nodelay
256 password required /lib/security/pam_pwdb.so shadow md5</PRE
259 >In the following example the decision has been made to use the
260 smbpasswd database even for basic samba authentication. Such a
261 decision could also be made for the passwd program and would
262 thus allow the smbpasswd passwords to be changed using the passwd
266 CLASS="PROGRAMLISTING"
268 # The PAM configuration file for the `samba' service
270 auth required /lib/security/pam_smbpass.so nodelay
271 account required /lib/security/pam_pwdb.so audit nodelay
272 session required /lib/security/pam_pwdb.so nodelay
273 password required /lib/security/pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf</PRE
276 >Note: PAM allows stacking of authentication mechanisms. It is
277 also possible to pass information obtained within one PAM module through
278 to the next module in the PAM stack. Please refer to the documentation for
279 your particular system implementation for details regarding the specific
280 capabilities of PAM in this environment. Some Linux implementations also
284 > module that allows all
285 authentication to be configured in a single central file. The
289 > method has some very devoted followers
290 on the basis that it allows for easier administration. As with all issues in
291 life, though, every decision involves trade-offs, so you may want to examine the
292 PAM documentation for further helpful information.</P
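As an added example (not code from the Samba project or from this chapter), the following Python parses pam.d-style files such as the `login' and `samba' service files shown above, checks that every module they reference appears in the /lib/security listing given earlier, and models how required, requisite, sufficient and optional entries resolve, which is the stacking behaviour the note above refers to. The `samba' service file and the module list are copied from this chapter; the mixed-control login stack, the per-module verdicts and the simplified control-flag semantics are constructed assumptions for illustration (the bracketed [value=action] control syntax is deliberately rejected).

```python
"""Parse Linux-PAM service files and model how a stack of modules resolves.
Added example; simplified model of required/requisite/sufficient/optional."""
import os
from dataclasses import dataclass, field

PAM_TYPES = {"auth", "account", "session", "password"}
PAM_CONTROLS = {"required", "requisite", "sufficient", "optional"}

# Module names taken from the `ls /lib/security` listing in the chapter.
AVAILABLE_MODULES = set("""
pam_access.so pam_ftp.so pam_limits.so pam_ncp_auth.so pam_rhosts_auth.so pam_stress.so
pam_cracklib.so pam_group.so pam_listfile.so pam_nologin.so pam_rootok.so pam_tally.so
pam_deny.so pam_issue.so pam_mail.so pam_permit.so pam_securetty.so pam_time.so
pam_dialup.so pam_lastlog.so pam_mkhomedir.so pam_pwdb.so pam_shells.so pam_unix.so
pam_env.so pam_ldap.so pam_motd.so pam_radius.so pam_smbpass.so pam_unix_acct.so
pam_wheel.so pam_unix_auth.so pam_unix_passwd.so pam_userdb.so pam_warn.so pam_unix_session.so
""".split())

# The `samba' service file from the chapter (pam_smbpass for auth and password).
SAMBA_SERVICE_CONF = """\
# The PAM configuration file for the `samba' service
auth required /lib/security/pam_smbpass.so nodelay
account required /lib/security/pam_pwdb.so audit nodelay
session required /lib/security/pam_pwdb.so nodelay
password required /lib/security/pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf
"""

# Constructed login stack mixing control flags, to show short-circuit behaviour.
STACKED_LOGIN_CONF = """\
auth requisite  pam_securetty.so
auth required   pam_nologin.so
auth sufficient pam_smbpass.so nodelay
auth required   pam_pwdb.so shadow md5
"""


@dataclass
class PamEntry:
    type: str
    control: str
    module: str                       # basename, e.g. "pam_smbpass.so"
    path: str                         # module as written (may be an absolute path)
    args: list = field(default_factory=list)


def parse_pam_config(text):
    """Parse pam.d-style lines; '#' comments and blank lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected 'type control module [args...]'")
        ptype, control, path, *args = fields
        if ptype not in PAM_TYPES:
            raise ValueError(f"line {lineno}: unknown module type {ptype!r}")
        if control not in PAM_CONTROLS:
            raise ValueError(f"line {lineno}: unsupported control flag {control!r}")
        entries.append(PamEntry(ptype, control, os.path.basename(path), path, args))
    return entries


def missing_modules(entries, available=AVAILABLE_MODULES):
    """Modules referenced by the config but absent from the module directory."""
    missing = []
    for e in entries:
        if e.module not in available and e.module not in missing:
            missing.append(e.module)
    return missing


def evaluate_stack(entries, ptype, results):
    """Resolve one management group (auth, account, ...) given each module's verdict.

    `results` maps module basename -> True/False; a module with no entry is
    treated as failing.  Returns (granted, modules_consulted_in_order).
    """
    stack = [e for e in entries if e.type == ptype]
    consulted, optionals, required_failed = [], [], False
    for e in stack:
        consulted.append(e.module)
        ok = results.get(e.module, False)
        if e.control == "requisite" and not ok:
            return False, consulted              # stop immediately
        if e.control == "required" and not ok:
            required_failed = True               # keep going, but the answer is no
        elif e.control == "sufficient" and ok and not required_failed:
            return True, consulted               # enough: the rest is skipped
        elif e.control == "optional":
            optionals.append(ok)
    if required_failed:
        return False, consulted
    if any(e.control in ("required", "requisite") for e in stack):
        return True, consulted                   # every required/requisite passed
    if optionals and not any(e.control == "sufficient" for e in stack):
        return all(optionals), consulted         # only optionals: they decide
    return False, consulted                      # empty stack, or no sufficient module passed
```

The consulted list is the useful part for review: with the constructed stack, a failing required module does not stop evaluation (pam_pwdb is still called, so an attacker learns nothing from timing about which module rejected), whereas a failing requisite module ends the stack at once; a sufficient module that succeeds after an earlier required failure cannot rescue the login.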
301 >12.2. Distributed Authentication</H1
303 >The astute administrator will realize from this that the
316 HREF="http://rsync.samba.org/"
318 >http://rsync.samba.org/</A
320 will allow the establishment of a centrally managed, distributed
321 user/password database that can also be used by all
322 PAM-aware programs and applications (e.g. on Linux). This arrangement
323 can have particularly potent advantages compared with the
324 use of Microsoft Active Directory Service (ADS) insofar as it
325 reduces wide area network authentication traffic.</P
334 >12.3. PAM Configuration in smb.conf</H1
336 >There is an option in smb.conf called <A
337 HREF="smb.conf.5.html#OBEYPAMRESTRICTIONS"
339 >obey pam restrictions</A
341 The following is from the on-line help for this option in SWAT:</P
343 >When Samba 2.2 is configured to enable PAM support (i.e.
347 >), this parameter will
348 control whether or not Samba should obey PAM's account
349 and session management directives. The default behavior
350 is to use PAM for clear text authentication only and to
351 ignore any account or session management. Note that Samba always
352 ignores PAM for authentication in the case of
354 HREF="smb.conf.5.html#ENCRYPTPASSWORDS"
356 >encrypt passwords = yes</A
358 The reason is that PAM modules cannot support the challenge/response
359 authentication mechanism needed in the presence of SMB
360 password encryption. </P
364 >obey pam restrictions = no</B
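As an added example (not Samba code), the following Python reads an smb.conf fragment and reports which PAM management groups Samba will actually consult, applying the two rules stated above: account and session directives are honoured only with obey pam restrictions = yes (default no), and PAM is bypassed for authentication entirely when encrypt passwords = yes. The smb.conf fragments are constructed; treating an unset encrypt passwords as "no" is an assumption made here, not something the chapter states.

```python
"""Report which PAM phases Samba consults for a given smb.conf.
Added example; the smb.conf fragments below are constructed."""
import re

# Constructed smb.conf: encrypted passwords on, obey pam restrictions left at default.
SMB_CONF_DEFAULT = """\
[global]
   workgroup = EXAMPLE
   encrypt passwords = yes
   ; obey pam restrictions is not set, so the default (no) applies

[homes]
   browseable = no
"""

# The same file with the restriction switch turned on.
SMB_CONF_OBEY = SMB_CONF_DEFAULT.replace(
    "   ; obey pam restrictions is not set, so the default (no) applies",
    "   obey pam restrictions = yes")


def parse_smb_conf(text):
    """Minimal smb.conf parser: [section] headers, key = value, '#' and ';' comments."""
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"line {lineno}: expected '[section]' or 'key = value'")
        key, value = line.split("=", 1)
        # smb.conf keys are case-insensitive and tolerate internal whitespace
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def pam_usage(sections):
    """Return which PAM phases Samba will use, given the [global] settings."""
    g = sections.get("global", {})
    obey = is_yes(g.get("obey pam restrictions", "no"))    # default stated in the chapter
    encrypted = is_yes(g.get("encrypt passwords", "no"))   # assumption: unset treated as no
    report = {
        "pam_auth": not encrypted,    # challenge/response auth cannot go through PAM
        "pam_account": obey,
        "pam_session": obey,
        "warnings": [],
    }
    if not obey:
        report["warnings"].append(
            "obey pam restrictions is off: pam.d account/session rules "
            "(e.g. pam_nologin, pam_time) do not apply to Samba logins")
    if "encrypt passwords" not in g:
        report["warnings"].append("encrypt passwords not set explicitly; assumed no")
    return report
```

Run pam_usage over both fragments to see the difference: with the default file, none of the PAM phases are consulted for an encrypted-password share, so a user locked out by pam_nologin or pam_time at the console can still connect over SMB; setting obey pam restrictions = yes brings the account and session stacks back into play, while authentication still never goes through PAM when passwords are encrypted.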