<title>Samba and PAM</title>
<para>
-A number of Unix systems (eg: Sun Solaris), as well as the
-xxxxBSD family and Linux, now utilize the Pluggable Authentication
-Modules (PAM) facility to provide all authentication,
-authorization and resource control services. Prior to the
-introduction of PAM, a decision to use an alternative to
-the system password database (<filename>/etc/passwd</filename>)
-would require the provision of alternatives for all programs that provide
-security services. Such a choice would involve provision of
-alternatives to such programs as: <command>login</command>,
+A number of Unix systems (eg: Sun Solaris), as well as the xxxxBSD family and Linux,
+now utilize the Pluggable Authentication Modules (PAM) facility to provide all authentication,
+authorization and resource control services. Prior to the introduction of PAM, a decision
+to use an alternative to the system password database (<filename>/etc/passwd</filename>)
+would require the provision of alternatives for all programs that provide security services.
+Such a choice would involve provision of alternatives to such programs as: <command>login</command>,
<command>passwd</command>, <command>chown</command>, etc.
</para>
<para>
-PAM provides a mechanism that disconnects these security programs
-from the underlying authentication/authorization infrastructure.
-PAM is configured either through one file <filename>/etc/pam.conf</filename> (Solaris),
-or by editing individual files that are located in <filename>/etc/pam.d</filename>.
+PAM provides a mechanism that disconnects these security programs from the underlying
+authentication/authorization infrastructure. PAM is configured either through one file
+<filename>/etc/pam.conf</filename> (Solaris), or by editing individual files that are
+located in <filename>/etc/pam.d</filename>.
</para>
<note>
Linux, the default location is <filename>/lib/security</filename>. If the module
is located outside the default then the path must be specified as:
- <programlisting>
+ <screen>
auth required /other_path/pam_strange_module.so
- </programlisting>
+ </screen>
</para>
</note>
by commenting them out except the calls to <filename>pam_pwdb.so</filename>.
</para>
-<para><programlisting>
+<para><screen>
#%PAM-1.0
# The PAM configuration file for the `login' service
#
# session optional pam_lastlog.so
# password required pam_cracklib.so retry=3
password required pam_pwdb.so shadow md5
-</programlisting></para>
+</screen></para>
<para>
-PAM allows use of replacable modules. Those available on a
-sample system include:
+PAM allows use of replacable modules. Those available on a sample system include:
</para>
<para><prompt>$</prompt><userinput>/bin/ls /lib/security</userinput>
-<programlisting>
+<screen>
pam_access.so pam_ftp.so pam_limits.so
pam_ncp_auth.so pam_rhosts_auth.so pam_stress.so
pam_cracklib.so pam_group.so pam_listfile.so
pam_radius.so pam_smbpass.so pam_unix_acct.so
pam_wheel.so pam_unix_auth.so pam_unix_passwd.so
pam_userdb.so pam_warn.so pam_unix_session.so
-</programlisting></para>
+</screen></para>
<para>
The following example for the login program replaces the use of
source distribution.
</para>
-<para><programlisting>
+<para><screen>
#%PAM-1.0
# The PAM configuration file for the `login' service
#
account required pam_smbpass.so nodelay
session required pam_smbpass.so nodelay
password required pam_smbpass.so nodelay
-</programlisting></para>
+</screen></para>
<para>
The following is the PAM configuration file for a particular
Linux system. The default condition uses <filename>pam_pwdb.so</filename>.
</para>
-<para><programlisting>
+<para><screen>
#%PAM-1.0
# The PAM configuration file for the `samba' service
#
account required pam_pwdb.so audit nodelay
session required pam_pwdb.so nodelay
password required pam_pwdb.so shadow md5
-</programlisting></para>
+</screen></para>
<para>
In the following example the decision has been made to use the
program.
</para>
-<para><programlisting>
+<para><screen>
#%PAM-1.0
# The PAM configuration file for the `samba' service
#
account required pam_pwdb.so audit nodelay
session required pam_pwdb.so nodelay
password required pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf
-</programlisting></para>
+</screen></para>
<note><para>PAM allows stacking of authentication mechanisms. It is
also possible to pass information obtained within one PAM module through
application (such as ssh).
</para>
-<para><programlisting>
+<para><screen>
#%PAM-1.0
# password-sync
#
password requisite pam_unix.so shadow md5 use_authtok try_first_pass
password required pam_smbpass.so nullok use_authtok try_first_pass
session required pam_unix.so
-</programlisting></para>
+</screen></para>
</sect3>
<sect3>
their mail, etc.
</para>
-<para><programlisting>
+<para><screen>
#%PAM-1.0
# password-migration
#
password requisite pam_unix.so shadow md5 use_authtok try_first_pass
password optional pam_smbpass.so nullok use_authtok try_first_pass
session required pam_unix.so
-</programlisting></para>
+</screen></para>
</sect3>
<sect3>
the smbpasswd doesn't exist or doesn't match the Unix password.
</para>
-<para><programlisting>
+<para><screen>
#%PAM-1.0
# password-mature
#
password requisite pam_unix.so shadow md5 use_authtok try_first_pass
password required pam_smbpass.so use_authtok use_first_pass
session required pam_unix.so
-</programlisting></para>
+</screen></para>
</sect3>
<sect3>
a Kerberos realm.
</para>
-<para><programlisting>
+<para><screen>
#%PAM-1.0
# kdc-pdc
#
password optional pam_smbpass.so nullok use_authtok try_first_pass
password required pam_krb5.so use_authtok try_first_pass
session required pam_krb5.so
-</programlisting></para>
+</screen></para>
</sect3>
</sect2>