<HTML>
<HEAD>
<TITLE>Configuring PAM for distributed but centrally managed authentication</TITLE>
<META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.57">
</HEAD>
<BODY CLASS="ARTICLE" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF">
<DIV CLASS="ARTICLE">
<DIV CLASS="TITLEPAGE">
<H1 CLASS="TITLE"><A NAME="PAM">Configuring PAM for distributed but centrally managed authentication</A></H1>
<HR>
</DIV>
<DIV CLASS="SECT1">
<H1 CLASS="SECT1"><A NAME="AEN3">Samba and PAM</A></H1>
<P>A number of Unix systems (eg: Sun Solaris), as well as the xxxxBSD family and Linux,
now utilize the Pluggable Authentication Modules (PAM) facility to provide all
authentication, authorization and resource control services. Prior to the introduction
of PAM, a decision to use an alternative to the system password database
(<TT CLASS="FILENAME">/etc/passwd</TT>) would require the provision of alternatives for
all programs that provide security services. Such a choice would involve provision of
alternatives to such programs as: <B CLASS="COMMAND">login</B>,
<B CLASS="COMMAND">passwd</B>, <B CLASS="COMMAND">chown</B>, etc.</P>
<P>PAM provides a mechanism that disconnects these security programs from the
underlying authentication/authorization infrastructure. PAM is configured either
through one file, <TT CLASS="FILENAME">/etc/pam.conf</TT> (Solaris), or by editing
individual files that are located in <TT CLASS="FILENAME">/etc/pam.d</TT>.</P>
<P>The following is an example <TT CLASS="FILENAME">/etc/pam.d/login</TT> configuration
file. Had all options been uncommented, this example would probably not be usable, as it
stacks many conditions before allowing successful completion of the login process.
Essentially all conditions can be disabled by commenting them out, except the calls to
<TT CLASS="FILENAME">pam_pwdb.so</TT>.</P>
<P><PRE CLASS="PROGRAMLISTING">#%PAM-1.0
# The PAM configuration file for the `login' service

auth       required   pam_securetty.so
auth       required   pam_nologin.so
# auth     required   pam_dialup.so
# auth     optional   pam_mail.so
auth       required   pam_pwdb.so shadow md5
# account  requisite  pam_time.so
account    required   pam_pwdb.so
session    required   pam_pwdb.so
# session  optional   pam_lastlog.so
# password required   pam_cracklib.so retry=3
password   required   pam_pwdb.so shadow md5</PRE></P>
<P>PAM allows use of replaceable modules. Those available on a sample system include:</P>
<P><PRE CLASS="PROGRAMLISTING">$ /bin/ls /lib/security
pam_access.so      pam_ftp.so          pam_limits.so
pam_ncp_auth.so    pam_rhosts_auth.so  pam_stress.so
pam_cracklib.so    pam_group.so        pam_listfile.so
pam_nologin.so     pam_rootok.so       pam_tally.so
pam_deny.so        pam_issue.so        pam_mail.so
pam_permit.so      pam_securetty.so    pam_time.so
pam_dialup.so      pam_lastlog.so      pam_mkhomedir.so
pam_pwdb.so        pam_shells.so       pam_unix.so
pam_env.so         pam_ldap.so         pam_motd.so
pam_radius.so      pam_smbpass.so      pam_unix_acct.so
pam_wheel.so       pam_unix_auth.so    pam_unix_passwd.so
pam_userdb.so      pam_warn.so         pam_unix_session.so</PRE></P>
<P>The following example for the login program replaces the use of the
<TT CLASS="FILENAME">pam_pwdb.so</TT> module, which uses the system password database
(<TT CLASS="FILENAME">/etc/passwd</TT>, <TT CLASS="FILENAME">/etc/shadow</TT>,
<TT CLASS="FILENAME">/etc/group</TT>), with the module
<TT CLASS="FILENAME">pam_smbpass.so</TT>, which uses the Samba database containing the
Microsoft MD4 encrypted password hashes. This database is stored in either
<TT CLASS="FILENAME">/usr/local/samba/private/smbpasswd</TT>,
<TT CLASS="FILENAME">/etc/samba/smbpasswd</TT>, or
<TT CLASS="FILENAME">/etc/samba.d/smbpasswd</TT>, depending on the Samba implementation
for your Unix/Linux system. The <TT CLASS="FILENAME">pam_smbpass.so</TT> module is
provided by Samba version 2.2.1 or later. It can be compiled by specifying the
<B CLASS="COMMAND">--with-pam_smbpass</B> option when running Samba's
<TT CLASS="FILENAME">configure</TT> script. For more information on the
<TT CLASS="FILENAME">pam_smbpass</TT> module, see the documentation in the
<TT CLASS="FILENAME">source/pam_smbpass</TT> directory of the Samba source
distribution.</P>
<P><PRE CLASS="PROGRAMLISTING">#%PAM-1.0
# The PAM configuration file for the `login' service

auth       required   pam_smbpass.so nodelay
account    required   pam_smbpass.so nodelay
session    required   pam_smbpass.so nodelay
password   required   pam_smbpass.so nodelay</PRE></P>
<P>The following is the PAM configuration file for a particular Linux system. The
default condition uses <TT CLASS="FILENAME">pam_pwdb.so</TT>.</P>
<P><PRE CLASS="PROGRAMLISTING">#%PAM-1.0
# The PAM configuration file for the `samba' service

auth       required   /lib/security/pam_pwdb.so nullok nodelay shadow audit
account    required   /lib/security/pam_pwdb.so audit nodelay
session    required   /lib/security/pam_pwdb.so nodelay
password   required   /lib/security/pam_pwdb.so shadow md5</PRE></P>
<P>In the following example the decision has been made to use the smbpasswd database
even for basic Samba authentication. Such a decision could also be made for the
passwd program and would thus allow the smbpasswd passwords to be changed using the
passwd program.</P>
<P><PRE CLASS="PROGRAMLISTING">#%PAM-1.0
# The PAM configuration file for the `samba' service

auth       required   /lib/security/pam_smbpass.so nodelay
account    required   /lib/security/pam_pwdb.so audit nodelay
session    required   /lib/security/pam_pwdb.so nodelay
password   required   /lib/security/pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf</PRE></P>
<P>Note: PAM allows stacking of authentication mechanisms. It is also possible to pass
information obtained within one PAM module through to the next module in the PAM stack.
Please refer to the documentation for your particular system implementation for details
regarding the specific capabilities of PAM in this environment. Some Linux
implementations also provide the <TT CLASS="FILENAME">pam_stack.so</TT> module, which
allows all authentication to be configured in a single central file. The
<TT CLASS="FILENAME">pam_stack.so</TT> method has some very devoted followers on the
basis that it allows for easier administration. As with all issues in life though,
every decision makes trade-offs, so you may want to examine the PAM documentation for
further helpful information.</P>
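<P>As an added example (not part of the Samba documentation), the following Python script
parses the <TT CLASS="FILENAME">type control module args</TT> stanza format used by the
listings above and flags stack settings a reviewer would want to know about, such as
<TT CLASS="FILENAME">nullok</TT> on the auth line of the `samba' service. The sample
input is constructed and the function names are this example's own.</P>

```python
"""Audit an /etc/pam.d service file for weak stacking settings.
Sample input is constructed for this example; nothing is read from a live system."""
import re

# Constructed sample: the pam_pwdb-based `samba' service shown on the page.
SAMBA_PAM = """\
#%PAM-1.0
# The PAM configuration file for the `samba' service

auth     required /lib/security/pam_pwdb.so nullok nodelay shadow audit
account  required /lib/security/pam_pwdb.so audit nodelay
session  required /lib/security/pam_pwdb.so nodelay
password required /lib/security/pam_pwdb.so shadow md5
"""

TYPES = ("auth", "account", "session", "password")
# control is one word, or a Linux-PAM bracketed "[key=val ...]" list
STANZA = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return (type, control, module, args) tuples; module paths are reduced
    to their basename so /lib/security/pam_pwdb.so equals pam_pwdb.so."""
    stanzas = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):      # blank or commented-out stanza
            continue
        m = STANZA.match(line)
        if not m or m.group(1) not in TYPES:
            raise ValueError("malformed stanza: %r" % line)
        mtype, control, module, args = m.groups()
        stanzas.append((mtype, control, module.rsplit("/", 1)[-1], args.split()))
    return stanzas

def audit_pam(text):
    """Return a list of human-readable findings for one service file."""
    findings = []
    for mtype, control, module, args in parse_pam(text):
        # nullok lets pam_pwdb/pam_unix accept an account whose password field
        # is empty; for a network-facing service that is rarely intended.
        if mtype == "auth" and "nullok" in args:
            findings.append("auth %s accepts empty passwords (nullok)" % module)
        # pam_permit.so always succeeds, so it must never carry the auth decision.
        if mtype == "auth" and module == "pam_permit.so":
            findings.append("auth stack relies on pam_permit.so, which always succeeds")
        # without the md5 option these modules fall back to legacy crypt(3) hashes.
        if mtype == "password" and module in ("pam_pwdb.so", "pam_unix.so") and "md5" not in args:
            findings.append("password %s lacks md5: new hashes use legacy crypt(3)" % module)
    return findings
```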
</DIV>
<DIV CLASS="SECT1">
<HR><H1 CLASS="SECT1"><A NAME="AEN47">Distributed Authentication</A></H1>
<P>The astute administrator will realize from this that the combination of
<TT CLASS="FILENAME">pam_smbpass.so</TT>, <B CLASS="COMMAND">winbindd</B>, and
<B CLASS="COMMAND">rsync</B> (see
<A HREF="http://rsync.samba.org/" TARGET="_top">http://rsync.samba.org/</A>)
will allow the establishment of a centrally managed, distributed user/password
database that can also be used by all PAM-aware (eg: Linux) programs and applications.
This arrangement can have particularly potent advantages compared with the use of
Microsoft Active Directory Service (ADS), in so far as it reduces wide area network
authentication traffic.</P>
</DIV>
<DIV CLASS="SECT1">
<HR><H1 CLASS="SECT1"><A NAME="AEN54">PAM Configuration in smb.conf</A></H1>
<P>There is an option in smb.conf called
<A HREF="smb.conf.5.html#OBEYPAMRESTRICTIONS" TARGET="_top">obey pam restrictions</A>.
The following is from the on-line help for this option in SWAT:</P>
<P>When Samba 2.2 is configured to enable PAM support (i.e.
<TT CLASS="CONSTANT">--with-pam</TT>), this parameter will control whether or not Samba
should obey PAM's account and session management directives. The default behavior is
to use PAM for clear text authentication only and to ignore any account or session
management. Note that Samba always ignores PAM for authentication in the case of
<A HREF="smb.conf.5.html#ENCRYPTPASSWORDS" TARGET="_top">encrypt passwords = yes</A>.
The reason is that PAM modules cannot support the challenge/response authentication
mechanism needed in the presence of SMB password encryption.</P>
<P>Default: <B CLASS="COMMAND">obey pam restrictions = no</B></P>
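<P>An added example, not Samba's own code: the following Python functions apply the
rules from the SWAT help above to a constructed smb.conf fragment and report which PAM
phases smbd will actually consult. The function names are this example's own, and the
Samba 2.2 default of <B CLASS="COMMAND">encrypt passwords = no</B> is an assumption.</P>

```python
"""Show which PAM phases Samba 2.2 consults for a given smb.conf [global] section.
The sample config below is constructed for this example."""

# Constructed sample: encrypted passwords on, obey pam restrictions left unset.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   encrypt passwords = yes
   ; obey pam restrictions = yes   <- commented out, so the default (no) applies

[homes]
   browseable = no
"""

TRUE_WORDS = ("yes", "true", "1")

def parse_global(text):
    """Return [global] parameters with keys lowercased and whitespace
    collapsed, so 'Encrypt  Passwords' and 'encrypt passwords' match."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":            # smb.conf comment lines
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def pam_phases(params, built_with_pam=True):
    """Map each PAM phase to whether smbd consults it under this config."""
    if not built_with_pam:                         # no --with-pam: PAM is never used
        return {"auth": False, "account": False, "session": False}
    # Defaults assumed here: encrypt passwords = no (Samba 2.2) and
    # obey pam restrictions = no (as stated in the SWAT help).
    encrypt = params.get("encrypt passwords", "no").lower() in TRUE_WORDS
    obey = params.get("obey pam restrictions", "no").lower() in TRUE_WORDS
    return {
        # PAM can only verify clear-text logons; challenge/response logons
        # are checked against the smbpasswd hashes and bypass PAM auth entirely.
        "auth": not encrypt,
        "account": obey,
        "session": obey,
    }
```

With the sample above the answer is "none of the three", which is why turning on encrypted passwords without <B CLASS="COMMAND">obey pam restrictions = yes</B> silently drops any account or session policy the PAM stack was meant to enforce.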
</DIV>
</DIV>
</BODY>
</HTML>