Date:      Tue, 1 Jul 2003 10:15:22 +0100
From:      Scott Mitchell <scott+freebsd@fishballoon.org>
To:        Roger Merritt <mcrogerm@stjohn.ac.th>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Samba passwords
Message-ID:  <20030701091522.GA12367@tuatara.fishballoon.org>
In-Reply-To: <5.2.0.9.0.20030701125515.00a0cec0@127.0.0.1>
References:  <20030701044822.L645@small.pukruppa.de> <20030701002557.GB17249@kongemord.krig.net> <20030701044822.L645@small.pukruppa.de> <5.2.0.9.0.20030701125515.00a0cec0@127.0.0.1>

On Tue, Jul 01, 2003 at 01:05:30PM +0700, Roger Merritt wrote:
> I don't know how helpful this will be, because I didn't follow through on 
> it, but among the docfiles is one that talks about modifying /etc/pam.conf 
> so that for certain categories of login pam uses the smbpasswd program to 
> authenticate. It seems NT/Win2K/etc. use a cryptographic protocol that's 
> inconsistent with the rest of the world (setting the industry standard ;-) 
> ). Ah, take a look at 
> /usr/local/share/doc/samba/htmldocs/PAM-Authentication-And-Samba.html. I 
> found it hard to understand and the pam man page even worse.
> 
> I played with it once because I was getting so many pam authentication 
> errors, but I got scared and in the next upgrade I just overwrote my edited 
> pam.conf with the vanilla distribution one and dropped back to plain-text 
> passwords. I'm still using Win98, too.

It is possible to use pam_smbpass to have login, sshd, etc. authenticate
against the SMB password database instead of /etc/passwd.  For the 'login'
service, for instance, you'd replace the /etc/pam.conf line:

login	auth	required	pam_unix.so		try_first_pass

with

login	auth	required	pam_smbpass.so		try_first_pass

(you might need to use the full path to pam_smbpass.so, depending where you
installed it.)

Repeat as necessary for the other services in /etc/pam.conf.  Of course
this only works if you're not also sharing your UNIX password file out over
NIS, and there's no doubt still some non-PAMified services around that will
still look in /etc/passwd.  There are some other third-party modules around
somewhere (pam_smb and pam_ntdom, I think) that will authenticate against a
remote SMB server, so you could I suppose deploy Samba everywhere and use
this instead of NIS... Also, I think you'll still need UNIX accounts to
match your Samba accounts, even though they might have no passwords (Samba
needs them to map usernames to UIDs).

On the other hand, I wouldn't bother trying to use PAM on 4.x to keep
separate UNIX and SMB password files synchronised: pam_unix.so doesn't know
how to do password updates, so you can't use it to sync from SMB -> UNIX,
and the 'passwd' program isn't PAMified, so you can't use it to sync UNIX
-> SMB.  I believe both of these issues are fixed in 5.x, though.  Password
syncing from SMB -> UNIX does work if you forget PAM and just provide a
'password chat' script so Samba can invoke passwd directly.  This is what
I'm doing -- as long as people remember to use 'smbpasswd' to change
passwords, the UNIX password file gets updated as well and my NIS clients
see the change as well.  Merging everything into one central authentication
database can wait until 5.x gets deployed on the servers :)

Hope that's all useful to somebody...

	Scott

-- 
===========================================================================
Scott Mitchell           | PGP Key ID | "Eagles may soar, but weasels
Cambridge, England       | 0x54B171B9 |  don't get sucked into jet engines"
scott at fishballoon.org | 0xAA775B8B |      -- Anon
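The pam.conf change above has to be repeated for every service, and a service whose "auth" line is left on pam_unix.so (or that has no entry and falls through to "other") will quietly keep authenticating against /etc/passwd. The following is an added example, not code from Scott's message or from the Samba or FreeBSD projects: a small POSIX sh audit that reads a pam.conf-style file (the single-file layout the message refers to) and reports which services still use pam_unix.so for auth. The sample configuration is constructed for the example, and the function names pam_unix_auth_services and auth_module_for are the example's own.

```shell
#!/bin/sh
# Constructed sample of a single-file pam.conf, one line per rule:
#   service  type  control  module-path  [module-args]
# "login" has already been switched to pam_smbpass.so; the rest have not.
SAMPLE_PAM_CONF='# comment lines and blank lines are ignored
login  auth     required    pam_smbpass.so  try_first_pass
login  account  required    pam_unix.so
sshd   auth     required    pam_unix.so     try_first_pass
sshd   account  required    pam_unix.so
ftpd   auth     sufficient  pam_skey.so
ftpd   auth     required    /usr/lib/pam_unix.so  try_first_pass
other  auth     required    pam_unix.so     try_first_pass'

# pam_unix_auth_services CONF
#   Print (sorted, unique) every service whose "auth" rules still load
#   pam_unix.so, i.e. still authenticate against /etc/passwd.  The module
#   field is matched on its basename so a full path is recognised too.
#   "other" is reported like any service: it is the fallback for services
#   with no explicit rules, so it matters just as much.
pam_unix_auth_services() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF < 4 { next }
        $2 == "auth" && $4 ~ /(^|\/)pam_unix\.so$/ { print $1 }
    ' | sort -u
}

# auth_module_for CONF SERVICE
#   Print the module(s) used by SERVICE's "auth" rules, in file order.
auth_module_for() {
    printf '%s\n' "$1" | awk -v svc="$2" '
        /^[[:space:]]*#/ || NF < 4 { next }
        $1 == svc && $2 == "auth" { print $4 }
    '
}

# Stand-alone run: show what still needs attention in the sample file.
if [ "${1:-}" = "--demo" ]; then
    echo "services still doing auth through pam_unix.so:"
    pam_unix_auth_services "$SAMPLE_PAM_CONF" | sed 's/^/  /'
    echo "login auth module: $(auth_module_for "$SAMPLE_PAM_CONF" login)"
fi
```

To run it against the real file instead of the sample, pass the file's contents, e.g. `pam_unix_auth_services "$(cat /etc/pam.conf)"`. An empty result means no "auth" rule (including the "other" fallback) consults pam_unix.so any more; as the message notes, services that are not PAM-aware at all will still read /etc/passwd regardless of what this audit shows.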