Pluggable Authentication Modules (PAM) are shared libraries that can be used in combination to allow an administrator to enforce a specific authentication security policy. For a complete discussion of PAM, first try searching your serverís operating system documentation. Another good source of information is the Linux PAM web site at http://www.kernel.org/pub/linux/libs/pam.
Each PAM module implements one or more of the following functions:
auth User authentication requests
account User account handling, such as password expiration and denying locked accounts
session User management related to this specific session, such as logging user activity to the systemís utmp file
password User password change requests
Samba is able to use PAM to authenticate users and enforce certain authorization controls based on the the configuration of the samba PAM service. On some platforms, such as Solaris, all services are configured in a single configuration file named /etc/pam.conf. On Linux hosts, these settings will be stored in /etc/pam.d/samba. The following configuration instructs the PAM library to verify that the server is not rejecting logins (i.e., the /etc/nologin file does not exist) and then validate the user against /etc/passwd:
## /etc/pam.d/samb a auth requisite pam_nologin.so auth require pam_unix.so
Our focus is not on PAM configuration specifics, but rather on how Samba, and smbd in particular, interacts with PAM. First it is necessary to verify that Samba was compiled to include the --with-pam configure option. The build output from smbd -b should include the WITH_PAM string if this is the case.
$ smbd -b | grep WITH_PAM WITH_PAM
If this check fails, return to Chapter 2 and rebuild Samba to include PAM support. You may also need to install additional software to get the PAM development files (e.g., the pam-devel package).
Once you have a PAM-aware version of smbd, it will require a properly configured /etc/pam.d/samba file. Samba makes use of the auth settings in its PAM configura tion file only if clients use clear-text passwords. If the encrypt passwords parameter has been enabled, the auth PAM module lines are ignored completely. However, it is possible to still make use of the remaining three PAM functions. The account and session settings are respected if the obey pam restrictions options is enabled in smb.conf. Any user password change requests that must be synchronized between Sambaís and the operating systemís list of users will pass through the PAM stack if pam password change = yes . Password synchronization is covered later in this chapter, so we will delay the complete discussion until then. Table 5-5 summarizes these two options and their default settings.
Table 5-5. PAM-related parameters
obey pam restrictions
Controls whether smbd respects the account and session PAM configuration settings.
pam password change
If enabled, smbd will, upon receiving a password change request, use PAM for synchronizing a userís Unix credentials.