From: Karl Dunn <kdunn@acm.org>
To: freebsd-net@freebsd.org
Date: Mon, 27 Feb 2012 12:00:01 -0600 (CST)
Subject: mpd5 extauth-script uses smbpasswd/passdb.tdb NTLM hash
List-Id: Networking and TCP/IP with FreeBSD

I maintain a FreeBSD 8.1 server that runs mpd-5.5 and Samba 3.3.13 behind a firewall (also a FreeBSD box). The Windows (XP, Vista, 7) users need to be able to change their passwords regularly, with VPN passwords updated too. Samba is the Windows domain controller, and the Windows clients are all domain members, so the Samba password database gets updated when a user changes his/her password.
This script causes mpd5 to authenticate users using the NTLM hash in the Samba password database:

--------------------------------------------------------------------
#!/bin/sh
# @(#)mpd_auth.sh 2012-Feb-20 KLD
# extauth-script for mpd5

# Header for the log
echo >> /var/log/mpd_auth.log
date >> /var/log/mpd_auth.log

# Should have one arg: the user ID
if [ $# -ne 1 ]; then
    # Wrong number of args
    echo RESULT:FAIL
else
    # Look up user's password hash in Samba password database.
    # pdbedit -w prints smbpasswd format: user:uid:LMHASH:NTHASH:[flags]:LCT-...
    # The separator is given with -F so the first (only) record is split on ':'.
    # Assigning FS inside the main action does not reliably apply to the record
    # already being read, and the flags field "[U          ]" contains spaces, so
    # default whitespace splitting would return the wrong field.
    user_id="$1"
    nt_hash=`/usr/local/bin/pdbedit -wu "${user_id}" 2>/dev/null | \
             /usr/bin/awk -F: '{ print $4 }'`
    if [ "x${nt_hash}" = "x" ]; then
        # User ID not in Samba password database
        echo RESULT:FAIL
    else
        # Tell mpd5 the NT hash of the password
        echo "USER_NT_HASH:${nt_hash}"
        # Tell mpd5 to use the hash to verify the user
        echo RESULT:UNDEF
    fi
fi

# Give mpd5 a blank line (may not be necessary)
echo

# Show mpd5 output to this script in the log.
# mpd5 writes its request attributes here (USER_NAME, AUTH_TYPE, ...); for PAP
# that includes the cleartext USER_PASSWORD, so keep this log readable by root only.
cat - >> /var/log/mpd_auth.log
exit 0
--------------------------------------------------------------------

The pertinent lines in /usr/local/etc/mpd5/mpd.conf:

--------------------------------------------------------------------
set auth extauth-script /usr/local/etc/mpd5/mpd_auth.sh
set auth enable ext-auth
set auth disable internal
--------------------------------------------------------------------

Karl Dunn
kdunn@acm.org
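The extauth-script exchange described in the message above, as an added offline example that is not part of the original post or of mpd5/Samba: one side plays mpd5 (writes the request attributes to the script's stdin, terminated by a blank line, and reads the reply), the other plays the script, with a stub standing in for `pdbedit -wu` so it runs without Samba. The smbpasswd-format line, the NT hash value and the request attribute names (`USER_NAME`, `AUTH_TYPE`) are constructed for the example; only `USER_NT_HASH`, `RESULT:UNDEF` and `RESULT:FAIL` come from the post.

```sh
#!/bin/sh
# Added example: offline harness for the mpd5 extauth-script exchange.
# Assumptions (not from the original post): pdbedit -w prints
#   user:uid:LMHASH:NTHASH:[flags]:LCT-xxxxxxxx:
# The hash values and request attributes below are constructed test data.

# Constructed stand-in for `/usr/local/bin/pdbedit -wu USER`.
# Exits non-zero with no output for unknown users, like the real tool.
fake_pdbedit() {
    case "$2" in
        alice) printf '%s\n' 'alice:1001:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:[U          ]:LCT-4F4A1B2C:' ;;
        *)     return 1 ;;
    esac
}

# Script side: answer one request for user "$1" with the NT hash from the database.
# -F: on the command line makes awk split the first record on ':' as well; the
# flags field "[U          ]" contains spaces, so default splitting would break.
extauth_reply() {
    user_id="$1"
    nt_hash=$(fake_pdbedit -wu "$user_id" 2>/dev/null | awk -F: '{ print $4 }')
    if [ -z "$nt_hash" ]; then
        echo RESULT:FAIL              # unknown user: reject outright
    else
        echo "USER_NT_HASH:$nt_hash"  # hand mpd5 the password-equivalent hash
        echo RESULT:UNDEF             # let mpd5 verify the CHAP response itself
    fi
    echo                              # empty line terminates the reply
}

# mpd5 side: write the request attributes (constructed names), blank-line
# terminated, then collect the script's reply.
mpd_exchange() {
    user="$1"
    printf 'USER_NAME:%s\nAUTH_TYPE:CHAP-MSv2\n\n' "$user" | extauth_reply "$user"
}

# Extract one attribute value from a reply, e.g. reply_attr alice RESULT -> UNDEF
reply_attr() {
    mpd_exchange "$1" | sed -n "s/^$2://p"
}

# Known user: hash is released and mpd5 is told to verify.
mpd_exchange alice
# Unknown user: no hash is released and the attempt is refused.
mpd_exchange mallory
```

Because the NT hash is unsalted and password-equivalent, the reply for a known user is exactly as sensitive as the password itself; the harness only ever writes it to a pipe, never to a log.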