Date: Mon, 15 Apr 2002 18:22:06 EST
From: Andrea Venturoli <ml.ventu@flashnet.it>
To: freebsd-questions@FreeBSD.ORG
Subject: pam_smb with FreeBSD?
Message-ID: <200204151823.g3FINSB04560@smtp2.flashnet.it>
** Reply to note from Peter <sleepy_nuggets@yahoo.com> Mon, 15 Apr 2002 01:52:56 -0700 (PDT)

> I can't seem to get it working. I've even tried the
> lines provided in the faq (additions.txt), regarding
> pam.conf as opposed to pam.d/* but it doesn't work.
> Anyone have a working conf?
>
> thanks,

Works fine for me.
Here is my /etc/pam.conf:

# Configuration file for Pluggable Authentication Modules (PAM).
#
# This file controls the authentication methods that login and other
# utilities use. See pam(8) for a description of its format.
#
# $FreeBSD: src/etc/pam.conf,v 1.6.2.13 2001/12/19 16:47:46 sobomax Exp $
#
# service-name  module-type  control-flag  module-path  arguments
#
# module-type:
#  auth:      prompt for a password to authenticate that the user is
#             who they say they are, and set any credentials.
#  account:   non-authentication based authorization, based on time,
#             resources, etc.
#  session:   housekeeping before and/or after login.
#  password:  update authentication tokens.
#
# control-flag: How libpam handles success or failure of the module.
#  required:   success is required, and on failure all remaining
#              modules are run.
#  requisite:  success is required, and on failure no remaining
#              modules are run.
#  sufficient: success is sufficient, and if no previous required
#              module failed, no remaining modules are run.
#  optional:   ignored unless the other modules return PAM_IGNORE.
#
# arguments:
#  Passed to the module; module-specific plus some generic ones:
#   debug:           syslog debug info.
#   no_warn:         return no warning messages to the application.
#   use_first_pass:  try authentication using password from the
#                    preceding auth module.
#   try_first_pass:  first try authentication using password from
#                    the preceding auth module, and if that fails
#                    prompt for a new password.
#   use_mapped_pass: convert cleartext password to a crypto key.
#   expose_account:  allow printing more info about the user when
#                    prompting.
#
# Each final entry must say "required" -- otherwise, things don't
# work quite right. If you delete a final entry, be sure to change
# "sufficient" to "required" in the entry before it.

# If the user can authenticate with S/Key, that's sufficient; allow clear
# password. Try kerberos, then try plain unix password.
#login   auth     sufficient  pam_skey.so
login    auth     sufficient  /usr/local/lib/pam_smb_auth.so
login    auth     requisite   pam_cleartext_pass_ok.so
#login   auth     sufficient  pam_kerberosIV.so  try_first_pass
login    auth     required    pam_unix.so        try_first_pass
login    account  required    pam_unix.so
login    password required    pam_permit.so
login    session  required    pam_permit.so

# Same requirement for ftpd as login
ftpd     auth     sufficient  pam_skey.so
ftpd     auth     requisite   pam_cleartext_pass_ok.so
#ftpd    auth     sufficient  pam_kerberosIV.so  try_first_pass
ftpd     auth     required    pam_unix.so        try_first_pass

# OpenSSH with PAM support requires similar modules. The session one is
# a bit strange, though...
sshd     auth     sufficient  pam_skey.so
#sshd    auth     sufficient  pam_kerberosIV.so  try_first_pass
sshd     auth     required    pam_unix.so        try_first_pass
sshd     account  required    pam_unix.so
sshd     password required    pam_permit.so
sshd     session  required    pam_permit.so
# "csshd" is for challenge-based authentication with sshd (TIS auth, etc.)
csshd    auth     required    pam_skey.so

# "telnetd" is for SRA authenticated telnet only. Non-SRA uses 'login'
telnetd  auth     required    pam_unix.so        try_first_pass

# Don't break startx
xserver  auth     required    pam_permit.so

# XDM is difficult; it fails or moans unless there are modules for each
# of the four management groups; auth, account, session and password.
xdm      auth     required    pam_unix.so
#xdm     auth     sufficient  pam_kerberosIV.so  try_first_pass
xdm      account  required    pam_unix.so        try_first_pass
xdm      session  required    pam_deny.so
xdm      password required    pam_deny.so

# GDM (GNOME Display Manager)
gdm      auth     required    pam_unix.so
#gdm     auth     sufficient  pam_kerberosIV.so  try_first_pass
gdm      account  required    pam_unix.so        try_first_pass
gdm      session  required    pam_permit.so
gdm      password required    pam_deny.so

# Mail services
imap     auth     required    pam_unix.so        try_first_pass
pop3     auth     required    pam_unix.so        try_first_pass

# Apache
httpd    auth     required    /usr/local/lib/pam_smb_auth.so
httpd    account  required    pam_unix.so

# If we don't match anything else, default to using getpwnam().
other    auth     required    pam_unix.so        try_first_pass
other    account  required    pam_unix.so        try_first_pass

The only caveat here is that for httpd I had to rebuild from sources with
--disable-root-only.

What's exactly your problem?

bye
av.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200204151823.g3FINSB04560>
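
Added example (not part of the original message and not FreeBSD's libpam code): a simplified Python model of the control-flag rules as the header comments of the pam.conf above describe them, run over the active login, httpd and other auth lines from that file. The module outcomes passed to evaluate() are hypothetical inputs; the point it shows is that a success from the "sufficient" pam_smb_auth.so entry ends the login auth stack before pam_cleartext_pass_ok.so or pam_unix.so is consulted.

```python
# Constructed excerpt: active auth lines copied from the pam.conf in the message.
PAM_CONF = """\
#login  auth  sufficient  pam_skey.so
login   auth  sufficient  /usr/local/lib/pam_smb_auth.so
login   auth  requisite   pam_cleartext_pass_ok.so
login   auth  required    pam_unix.so  try_first_pass
httpd   auth  required    /usr/local/lib/pam_smb_auth.so
other   auth  required    pam_unix.so  try_first_pass
"""

def parse(text):
    """Return (service, type, control, module, args) tuples, skipping comments."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4:
            module = fields[3].rsplit("/", 1)[-1]   # drop any directory prefix
            entries.append((fields[0], fields[1], fields[2], module, fields[4:]))
    return entries

def stack(entries, service, mtype):
    """Entries for service/type, falling back to the "other" service."""
    own = [e for e in entries if e[0] == service and e[1] == mtype]
    return own or [e for e in entries if e[0] == "other" and e[1] == mtype]

def evaluate(entries, service, mtype, outcomes):
    """Simplified model of the control flags described in the file header.
    outcomes maps module name -> True/False (hypothetical module results).
    Returns (granted, modules consulted in order)."""
    failed, succeeded, ran = False, False, []
    for _, _, control, module, _ in stack(entries, service, mtype):
        ok = outcomes.get(module, False)    # no outcome given: treat as failure
        ran.append(module)
        if control == "sufficient":
            if ok and not failed:
                return True, ran            # stack ends here, rest never runs
        elif control == "requisite":
            if not ok:
                return False, ran           # hard stop on failure
            succeeded = True
        elif control == "required":
            succeeded = succeeded or ok
            failed = failed or not ok       # remaining modules still run
        # "optional" results do not decide the outcome in this model
    return (succeeded and not failed), ran

if __name__ == "__main__":
    conf = parse(PAM_CONF)
    print(evaluate(conf, "login", "auth", {"pam_smb_auth.so": True}))
```

Running the same function for each service in a real file gives a quick audit of which single module can grant access on its own.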