Home arrow Site Administration arrow Authentication in Samba

Authentication in Samba

In this second part of a four-part series on handling authentication and authorization in Samba, you will learn about pluggable authentication modules, a challenge/response authentication algorithm developed by Microsoft, and more. This article is excerpted from chapter five of Using Samba, Third Edition, written by Gerald Carter, Jay Ts and Robert Eckstein (O'Reilly, 2007; ISBN: 0596007698). Copyright © 2007 O'Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O'Reilly Media.

TABLE OF CONTENTS:
  1. Authentication in Samba
  2. NTLMv1
  3. User Management
  4. Account Storage
By: O'Reilly Media
Rating: starstarstarstarstar / 8
February 14, 2008

print this article
SEARCH DEV SHED

TOOLS YOU CAN USE

advertisement

Pluggable Authentication Modules (PAM)

Pluggable Authentication Modules (PAM) are shared libraries that can be used in combination to allow an administrator to enforce a specific authentication security policy. For a complete discussion of PAM, first try searching your serverís operating system documentation. Another good source of information is the Linux PAM web site at http://www.kernel.org/pub/linux/libs/pam.

Each PAM module implements one or more of the following functions:

auth
  
User authentication requests

account
  
User account handling, such as password
      expiration and denying locked accounts

session
  
User management related to this specific session,
      such as logging user activity to the systemís utmp 
      file

password
     User password change requests

Samba is able to use PAM to authenticate users and enforce certain authorization controls based on the the configuration of the samba PAM service. On some platforms, such as Solaris, all services are configured in a single configuration file named /etc/pam.conf. On Linux hosts, these settings will be stored in /etc/pam.d/samba. The following configuration instructs the PAM library to verify that the server is not rejecting logins (i.e., the /etc/nologin file does not exist) and then validate the user against /etc/passwd:

  ## /etc/pam.d/samb a
  auth    requisite     pam_nologin.so
  auth    require       pam_unix.so

Our focus is not on PAM configuration specifics, but rather on how Samba, and smbd in particular, interacts with PAM. First it is necessary to verify that Samba was compiled to include the --with-pam configure option. The build output from smbd -b should include the WITH_PAM string if this is the case.

  $ smbd -b | grep WITH_PAM
     
WITH_PAM

If this check fails, return to Chapter 2 and rebuild Samba to include PAM support. You may also need to install additional software to get the PAM development files (e.g., the pam-devel package).

Once you have a PAM-aware version of smbd, it will require a properly configured /etc/pam.d/samba file. Samba makes use of the auth settings in its PAM configura tion file only if clients use clear-text passwords. If the encrypt passwords parameter has been enabled, the auth PAM module lines are ignored completely. However, it is possible to still make use of the remaining three PAM functions. The account and session settings are respected if the obey pam restrictions options is enabled in smb.conf. Any user password change requests that must be synchronized between Sambaís and the operating systemís list of users will pass through the PAM stack if pam password change = yes . Password synchronization is covered later in this chapter, so we will delay the complete discussion until then. Table 5-5 summarizes these two options and their default settings.

Table 5-5. PAM-related parameters

Parameter Value Description Default Scope
obey pam restrictionsboolean

Controls whether smbd respects the account and session PAM configuration settings.

no Global
pam password changeboolean If enabled, smbd will, upon receiving a password change request, use PAM for synchronizing a userís Unix credentials.no Global



 
 
>>> More Site Administration Articles          >>> More By O'Reilly Media
 

blog comments powered by Disqus
escort Bursa Bursa escort Antalya eskort
   

SITE ADMINISTRATION ARTICLES

- Coding: Not Just for Developers
- To Support or Not Support IE?
- Administration: Networking OSX and Win 7
- DotNetNuke Gets Social
- Integrating MailChimp with Joomla: Creating ...
- Integrating MailChimp with Joomla: List Mana...
- Integrating MailChimp with Joomla: Building ...
- Integrating MailChimp with Joomla
- More Top WordPress Plugins for Social Media
- Optimizing Security: SSH Public Key Authenti...
- Patches and Rejects in Software Configuratio...
- Configuring a CVS Server
- Managing Code and Teams for Cross-Platform S...
- Software Configuration Management
- Back Up a Joomla Site with Akeeba Backup

Developer Shed Affiliates

 


Dev Shed Tutorial Topics: