Date:      Mon, 27 Feb 2012 12:00:01 -0600 (CST)
From:      Karl Dunn <kdunn@acm.org>
To:        freebsd-net@freebsd.org
Subject:   mpd5 extauth-script uses smbpasswd/passdb.tdb NTLM hash
Message-ID:  <alpine.LRH.2.02.1202271144020.11011@fly.hiwaay.net>

I maintain a FreeBSD 8.1 server that runs mpd-5.5 and Samba 3.3.13 behind 
a firewall (also a FreeBSD box).

The Windows (XP, Vista, 7) users need to be able to change their passwords 
regularly, with VPN passwords updated too.  Samba is the Windows domain 
controller, and the Windows clients all are domain members, so the Samba 
password database gets updated when a user changes his/her password.

This script causes mpd5 to authenticate users using the NTLM hash in the 
Samba password database:

  --------------------------------------------------------------------
   #!/bin/sh
   # @(#)mpd_auth.sh 2012-Feb-20 KLD
   # extauth-script for mpd5

   # Header for the log
   echo >> /var/log/mpd_auth.log
   date >> /var/log/mpd_auth.log
   # Should have one arg: the user ID
   if [ $# -ne 1 ]; then
     # Wrong number of args
     echo RESULT:FAIL
   else
     # Look up the user's NT hash in the Samba password database.
     # pdbedit -w prints an smbpasswd-format line
     # (user:uid:LMHASH:NTHASH:[flags]:LCT-...:), so the NT hash is the
     # 4th colon-separated field.  -F: sets the separator before the
     # record is split; assigning FS inside the action only works on
     # awks that split fields lazily.
     user_id="$1"
     nt_hash=$(/usr/local/bin/pdbedit -wu "${user_id}" 2>/dev/null | \
       /usr/bin/awk -F: '{ print $4 }')
     if [ "x${nt_hash}" = "x" ]; then
       # User ID not in Samba password database
       echo RESULT:FAIL
     else
       # Tell mpd5 the NT hash of the password
       echo "USER_NT_HASH:${nt_hash}"
       # Tell mpd5 to use the hash to verify the user
       echo RESULT:UNDEF
     fi
   fi
   # Give mpd5 a blank line (may not be necessary)
   echo
   # Append everything mpd5 wrote on stdin (the auth request fields) to
   # the log; keep the log file readable by root only
   cat - >> /var/log/mpd_auth.log
   exit 0
  --------------------------------------------------------------------

The pertinent lines in /usr/local/etc/mpd5/mpd.conf:

  --------------------------------------------------------------------
         set auth extauth-script /usr/local/etc/mpd5/mpd_auth.sh
         set auth enable ext-auth
         set auth disable internal
  --------------------------------------------------------------------

Karl Dunn
kdunn@acm.org
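An added example, not the script from the post: the same lookup done against a constructed smbpasswd-format file (the shape `pdbedit -w` prints) so it runs offline, with the account-flags field and the hash format checked so that a disabled or no-password account, or a malformed hash, fails instead of being handed to mpd5. The user names, uids and hash values are constructed; the flag letters (D = disabled, N = no password required) follow smbpasswd(5).

```shell
#!/bin/sh
# Added example (not the post's script): stricter NT-hash lookup for an
# mpd5 extauth-script, reading a constructed smbpasswd-format file instead
# of calling pdbedit so it can run offline.

SAMPLE_DB=$(mktemp) || exit 1
trap 'rm -f "$SAMPLE_DB"' EXIT
# user:uid:LMHASH:NTHASH:[flags]:LCT-hex:  -- all values constructed
cat > "$SAMPLE_DB" <<'EOF'
alice:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0123456789abcdef0123456789abcdef:[U          ]:LCT-4F4B8E40:
bob:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:fedcba9876543210fedcba9876543210:[UD         ]:LCT-4F4B8E40:
carol:1003:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NU         ]:LCT-4F4B8E40:
EOF

# Print the NT hash of user $1, or nothing when the account is unknown,
# disabled (D flag), marked no-password (N flag), or its NT field is not
# 32 hex digits.  -F: fixes the separator before the first record is
# split, which assigning FS inside the action does not do portably.
nt_hash_for_user() {
    awk -F: -v u="$1" '
        $1 == u {
            if ($5 ~ /D/ || $5 ~ /N/) exit
            if (length($4) == 32 && $4 ~ /^[0-9a-fA-F]+$/) print $4
            exit
        }' "$SAMPLE_DB"
}

# Emit the reply lines in the same form the post's script uses:
# USER_NT_HASH plus RESULT:UNDEF lets mpd5 verify the CHAP response
# itself; RESULT:FAIL rejects the user outright.
auth_reply() {
    hash=$(nt_hash_for_user "$1")
    if [ -z "$hash" ]; then
        echo RESULT:FAIL
    else
        echo "USER_NT_HASH:${hash}"
        echo RESULT:UNDEF
    fi
}

auth_reply alice   # active account: hash handed to mpd5
auth_reply bob     # disabled account: RESULT:FAIL
```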