[Samba/gbeck.git] / docs / htmldocs / PAM-Authentication-And-Samba.html
<HTML
><HEAD
><TITLE
>Configuring PAM for distributed but centrally
managed authentication</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD
><BODY
CLASS="ARTICLE"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="ARTICLE"
><DIV
CLASS="TITLEPAGE"
><H1
CLASS="TITLE"
><A
NAME="PAM"
>Configuring PAM for distributed but centrally
managed authentication</A
></H1
><HR></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN3"
>Samba and PAM</A
></H1
><P
>A number of Unix systems (e.g. Sun Solaris), as well as the
BSD family and Linux, now use the Pluggable Authentication
Modules (PAM) facility to provide all authentication,
authorization and resource control services. Prior to the
introduction of PAM, a decision to use an alternative to
the system password database (<TT
CLASS="FILENAME"
>/etc/passwd</TT
>)
would require the provision of alternatives for all programs that provide
security services. Such a choice would involve provision of
alternatives to such programs as: <B
CLASS="COMMAND"
>login</B
>,
<B
CLASS="COMMAND"
>passwd</B
>, <B
CLASS="COMMAND"
>chown</B
>, etc.</P
><P
>PAM provides a mechanism that disconnects these security programs
from the underlying authentication/authorization infrastructure.
PAM is configured either through one file <TT
CLASS="FILENAME"
>/etc/pam.conf</TT
> (Solaris),
or by editing individual files that are located in <TT
CLASS="FILENAME"
>/etc/pam.d</TT
>.</P
><P
>The following is an example <TT
CLASS="FILENAME"
>/etc/pam.d/login</TT
> configuration file.
Had all of its options been uncommented, this example would probably not be usable,
because it stacks many conditions that must all be satisfied before the login
process can complete successfully. Essentially all conditions can be disabled
by commenting them out, except the calls to <TT
CLASS="FILENAME"
>pam_pwdb.so</TT
>.</P
><P
><PRE
CLASS="PROGRAMLISTING"
>#%PAM-1.0
# The PAM configuration file for the `login' service

auth required pam_securetty.so
auth required pam_nologin.so
# auth required pam_dialup.so
# auth optional pam_mail.so
auth required pam_pwdb.so shadow md5
# account requisite pam_time.so
account required pam_pwdb.so
session required pam_pwdb.so
# session optional pam_lastlog.so
# password required pam_cracklib.so retry=3
password required pam_pwdb.so shadow md5</PRE
></P
><P
>PAM allows use of replaceable modules. Those available on a
sample system include:</P
><P
><PRE
CLASS="PROGRAMLISTING"
>$ /bin/ls /lib/security
pam_access.so pam_ftp.so pam_limits.so
pam_ncp_auth.so pam_rhosts_auth.so pam_stress.so
pam_cracklib.so pam_group.so pam_listfile.so
pam_nologin.so pam_rootok.so pam_tally.so
pam_deny.so pam_issue.so pam_mail.so
pam_permit.so pam_securetty.so pam_time.so
pam_dialup.so pam_lastlog.so pam_mkhomedir.so
pam_pwdb.so pam_shells.so pam_unix.so
pam_env.so pam_ldap.so pam_motd.so
pam_radius.so pam_smbpass.so pam_unix_acct.so
pam_wheel.so pam_unix_auth.so pam_unix_passwd.so
pam_userdb.so pam_warn.so pam_unix_session.so</PRE
></P
><P
>The following example for the login program replaces the use of
the <TT
CLASS="FILENAME"
>pam_pwdb.so</TT
> module, which uses the system
password database (<TT
CLASS="FILENAME"
>/etc/passwd</TT
>,
<TT
CLASS="FILENAME"
>/etc/shadow</TT
>, <TT
CLASS="FILENAME"
>/etc/group</TT
>), with
the module <TT
CLASS="FILENAME"
>pam_smbpass.so</TT
>, which uses the Samba
password database containing the Microsoft MD4 encrypted password
hashes. This database is stored in either
<TT
CLASS="FILENAME"
>/usr/local/samba/private/smbpasswd</TT
>,
<TT
CLASS="FILENAME"
>/etc/samba/smbpasswd</TT
>, or in
<TT
CLASS="FILENAME"
>/etc/samba.d/smbpasswd</TT
>, depending on the
Samba implementation for your Unix/Linux system. The
<TT
CLASS="FILENAME"
>pam_smbpass.so</TT
> module is provided by
Samba version 2.2.1 or later. It can be compiled only if the
<TT
CLASS="CONSTANT"
>--with-pam --with-pam_smbpass</TT
> options are both
provided to the Samba <B
CLASS="COMMAND"
>configure</B
> program.</P
><P
><PRE
CLASS="PROGRAMLISTING"
>#%PAM-1.0
# The PAM configuration file for the `login' service

auth required pam_smbpass.so nodelay
account required pam_smbpass.so nodelay
session required pam_smbpass.so nodelay
password required pam_smbpass.so nodelay</PRE
></P
><P
>The following is the PAM configuration file for a particular
Linux system. The default condition uses <TT
CLASS="FILENAME"
>pam_pwdb.so</TT
>.</P
><P
><PRE
CLASS="PROGRAMLISTING"
>#%PAM-1.0
# The PAM configuration file for the `samba' service

auth required /lib/security/pam_pwdb.so nullok nodelay shadow audit
account required /lib/security/pam_pwdb.so audit nodelay
session required /lib/security/pam_pwdb.so nodelay
password required /lib/security/pam_pwdb.so shadow md5</PRE
></P
><P
>In the following example the decision has been made to use the
smbpasswd database even for basic samba authentication. Such a
decision could also be made for the passwd program and would
thus allow the smbpasswd passwords to be changed using the passwd
program.</P
><P
><PRE
CLASS="PROGRAMLISTING"
>#%PAM-1.0
# The PAM configuration file for the `samba' service

auth required /lib/security/pam_smbpass.so nodelay
account required /lib/security/pam_pwdb.so audit nodelay
session required /lib/security/pam_pwdb.so nodelay
password required /lib/security/pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf</PRE
></P
><P
>Note: PAM allows stacking of authentication mechanisms. It is
also possible to pass information obtained within one PAM module through
to the next module in the PAM stack. Please refer to the documentation for
your particular system implementation for details regarding the specific
capabilities of PAM in this environment. Some Linux implementations also
provide the <TT
CLASS="FILENAME"
>pam_stack.so</TT
> module that allows all
authentication to be configured in a single central file. The
<TT
CLASS="FILENAME"
>pam_stack.so</TT
> method has some very devoted followers
on the basis that it allows for easier administration. As with all issues in
life though, every decision involves trade-offs, so you may want to examine the
PAM documentation for further helpful information.</P
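><P
>The stacking behaviour described in this section is easier to reason about with a
small simulator. The following Python is an added example written for this page; it
is not code from the Samba project or from libpam. It parses the `login' file listed
above (embedded as a constructed sample), lists which modules gate each management
group, and combines per-module results under the required, requisite, sufficient and
optional control flags the way libpam does. The SMBPASS_FIRST_CONF variant and the
module outcomes passed to evaluate_stack are assumptions made for illustration, not
configurations from this document.</P
><PRE
CLASS="PROGRAMLISTING"
>
```python
"""Parse a pam.d-style service file and evaluate one management group the way
libpam combines module results. Added example for this page; not Samba code."""
from dataclasses import dataclass

# Constructed sample: the `login' file listed in the text, comments included
# so the parser has to skip them.
LOGIN_PAM_CONF = """\
#%PAM-1.0
# The PAM configuration file for the `login' service

auth required pam_securetty.so
auth required pam_nologin.so
# auth required pam_dialup.so
# auth optional pam_mail.so
auth required pam_pwdb.so shadow md5
# account requisite pam_time.so
account required pam_pwdb.so
session required pam_pwdb.so
# session optional pam_lastlog.so
# password required pam_cracklib.so retry=3
password required pam_pwdb.so shadow md5
"""

# The pam_smbpass.so-only `login' file from the text.
SMBPASS_LOGIN_CONF = """\
auth required pam_smbpass.so nodelay
account required pam_smbpass.so nodelay
session required pam_smbpass.so nodelay
password required pam_smbpass.so nodelay
"""

# Assumed variant (not from the page): try the Samba password database first,
# fall through to pam_pwdb.so only when pam_smbpass.so does not succeed.
SMBPASS_FIRST_CONF = """\
auth required pam_securetty.so
auth sufficient pam_smbpass.so
auth required pam_pwdb.so
"""


@dataclass
class Entry:
    group: str     # auth, account, session or password
    control: str   # required, requisite, sufficient or optional
    module: str    # e.g. pam_pwdb.so or pam_smbpass.so
    args: tuple    # module arguments such as ("shadow", "md5")


def parse_pam_conf(text):
    """Return the active (non-comment) entries of a pam.d service file."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) > 2:
            entries.append(Entry(fields[0], fields[1], fields[2], tuple(fields[3:])))
        else:
            raise ValueError("malformed PAM entry: " + raw)
    return entries


def gating_modules(entries, group):
    """Modules whose individual failure is enough to fail the whole group."""
    return [e.module for e in entries
            if e.group == group and e.control in ("required", "requisite")]


def evaluate_stack(entries, group, outcomes):
    """True if `group` succeeds. `outcomes` maps module name to the bool that
    module would return; a module missing from the map counts as failing.
    Rules follow libpam's semantics for the four classic control flags."""
    required_failed = False
    saw_non_optional = False
    optional_result = None
    for e in (x for x in entries if x.group == group):
        ok = outcomes.get(e.module, False)
        if e.control == "requisite":
            saw_non_optional = True
            if not ok:
                return False            # abort the stack immediately
        elif e.control == "required":
            saw_non_optional = True
            if not ok:
                required_failed = True  # keep calling modules, fail at the end
        elif e.control == "sufficient":
            saw_non_optional = True
            if ok and not required_failed:
                return True             # short-circuit success
        elif e.control == "optional":
            optional_result = ok        # decisive only if nothing else ran
        else:
            raise ValueError("unknown control flag: " + e.control)
    if not saw_non_optional and optional_result is not None:
        return optional_result
    return not required_failed
```
</PRE
><P
>Calling gating_modules(parse_pam_conf(LOGIN_PAM_CONF), "auth") shows that the
original login stack is gated by pam_securetty.so, pam_nologin.so and pam_pwdb.so
together, whereas the pam_smbpass.so-only file is gated by that single module.
Running evaluate_stack over SMBPASS_FIRST_CONF shows the subtlety that a sufficient
success does not rescue a stack in which an earlier required module has already
failed, which is why entry order matters when pam_smbpass.so and pam_pwdb.so are
combined in one group.</P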
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
NAME="AEN45"
>Distributed Authentication</A
></H1
><P
>The astute administrator will realize from this that the
combination of <TT
CLASS="FILENAME"
>pam_smbpass.so</TT
>,
<B
CLASS="COMMAND"
>winbindd</B
>, and <B
CLASS="COMMAND"
>rsync</B
> (see
<A
HREF="http://rsync.samba.org/"
TARGET="_top"
>http://rsync.samba.org/</A
>)
will allow the establishment of a centrally managed, distributed
user/password database that can also be used by all
PAM-aware (e.g. Linux) programs and applications. This arrangement
can have particularly potent advantages compared with the
use of Microsoft Active Directory Service (ADS), insofar as it
reduces wide area network authentication traffic.</P
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
NAME="AEN52"
>PAM Configuration in smb.conf</A
></H1
><P
>There is an option in smb.conf called <A
HREF="smb.conf.5.html#OBEYPAMRESTRICTIONS"
TARGET="_top"
>obey pam restrictions</A
>.
The following is from the on-line help for this option in SWAT:</P
><P
>When Samba 2.2 is configured to enable PAM support (i.e.
<TT
CLASS="CONSTANT"
>--with-pam</TT
>), this parameter will
control whether or not Samba should obey PAM's account
and session management directives. The default behavior
is to use PAM for clear text authentication only and to
ignore any account or session management. Note that Samba always
ignores PAM for authentication in the case of
<A
HREF="smb.conf.5.html#ENCRYPTPASSWORDS"
TARGET="_top"
>encrypt passwords = yes</A
>.
The reason is that PAM modules cannot support the challenge/response
authentication mechanism needed in the presence of SMB
password encryption. </P
><P
>Default: <B
CLASS="COMMAND"
>obey pam restrictions = no</B
></P
></DIV
></DIV
></BODY
></HTML