Authentication in Samba (
Page 1 of 4 )
In this second part of a four-part series on handling authentication and authorization in Samba, you will learn about pluggable authentication modules, a challenge/response authentication algorithm developed by Microsoft, and more. This article is excerpted from chapter five of Using Samba, Third Edition, written by Gerald Carter, Jay Ts and Robert Eckstein (O'Reilly, 2007; ISBN: 0596007698). Copyright © 2007 O'Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O'Reilly Media.
Pluggable Authentication Modules (PAM)
Pluggable Authentication Modules (PAM) are shared libraries that can be used in combination to allow an administrator to enforce a specific authentication security policy. For a complete discussion of PAM, first try searching your server’s operating system documentation. Another good source of information is the Linux PAM web site at http://www.kernel.org/pub/linux/libs/pam.
Each PAM module implements one or more of the following functions:
auth
User authentication requests
account
User account handling, such as password
expiration and denying locked accounts
session
User management related to this specific session,
such as logging user activity to the system’s utmp
file
password
User password change requests
Samba is able to use PAM to authenticate users and enforce certain authorization controls based on the the configuration of the samba PAM service. On some platforms, such as Solaris, all services are configured in a single configuration file named /etc/pam.conf. On Linux hosts, these settings will be stored in /etc/pam.d/samba. The following configuration instructs the PAM library to verify that the server is not rejecting logins (i.e., the /etc/nologin file does not exist) and then validate the user against /etc/passwd:
## /etc/pam.d/samb a
auth requisite pam_nologin.so
auth require pam_unix.so
Our focus is not on PAM configuration specifics, but rather on how Samba, and smbd in particular, interacts with PAM. First it is necessary to verify that Samba was compiled to include the --with-pam configure option. The build output from smbd -b should include the WITH_PAM string if this is the case.
$ smbd -b | grep WITH_PAM
WITH_PAM
If this check fails, return to Chapter 2 and rebuild Samba to include PAM support. You may also need to install additional software to get the PAM development files (e.g., the pam-devel package).
Once you have a PAM-aware version of smbd, it will require a properly configured /etc/pam.d/samba file. Samba makes use of the auth settings in its PAM configura tion file only if clients use clear-text passwords. If the encrypt passwords parameter has been enabled, the auth PAM module lines are ignored completely. However, it is possible to still make use of the remaining three PAM functions. The account and session settings are respected if the obey pam restrictions options is enabled in smb.conf. Any user password change requests that must be synchronized between Samba’s and the operating system’s list of users will pass through the PAM stack if pam password change = yes . Password synchronization is covered later in this chapter, so we will delay the complete discussion until then. Table 5-5 summarizes these two options and their default settings.
Table 5-5. PAM-related parameters
| Parameter |
Value |
Description |
Default |
Scope |
| obey pam restrictions |
boolean |
Controls whether smbd respects the account and session PAM configuration settings. |
no |
Global |
| pam password change |
boolean |
If enabled, smbd will, upon receiving a password change request, use PAM for synchronizing a user’s Unix credentials. |
no |
Global |
