mirror of
https://github.com/samba-team/samba.git
synced 2025-01-15 23:24:37 +03:00
492 lines
11 KiB
HTML
492 lines
11 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
|
<HTML
|
|
><HEAD
|
|
><TITLE
|
|
>PAM Configuration for Centrally Managed Authentication</TITLE
|
|
><META
|
|
NAME="GENERATOR"
|
|
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
|
|
REL="HOME"
|
|
TITLE="SAMBA Project Documentation"
|
|
HREF="samba-howto-collection.html"><LINK
|
|
REL="UP"
|
|
TITLE="Advanced Configuration"
|
|
HREF="optional.html"><LINK
|
|
REL="PREVIOUS"
|
|
TITLE="Interdomain Trust Relationships"
|
|
HREF="interdomaintrusts.html"><LINK
|
|
REL="NEXT"
|
|
TITLE="Stackable VFS modules"
|
|
HREF="vfs.html"></HEAD
|
|
><BODY
|
|
CLASS="CHAPTER"
|
|
BGCOLOR="#FFFFFF"
|
|
TEXT="#000000"
|
|
LINK="#0000FF"
|
|
VLINK="#840084"
|
|
ALINK="#0000FF"
|
|
><DIV
|
|
CLASS="NAVHEADER"
|
|
><TABLE
|
|
SUMMARY="Header navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TH
|
|
COLSPAN="3"
|
|
ALIGN="center"
|
|
>SAMBA Project Documentation</TH
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="left"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="interdomaintrusts.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="80%"
|
|
ALIGN="center"
|
|
VALIGN="bottom"
|
|
></TD
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="right"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="vfs.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"></DIV
|
|
><DIV
|
|
CLASS="CHAPTER"
|
|
><H1
|
|
><A
|
|
NAME="PAM"
|
|
></A
|
|
>Chapter 19. PAM Configuration for Centrally Managed Authentication</H1
|
|
><DIV
|
|
CLASS="SECT1"
|
|
><H1
|
|
CLASS="SECT1"
|
|
><A
|
|
NAME="AEN3440"
|
|
>19.1. Samba and PAM</A
|
|
></H1
|
|
><P
|
|
>A number of Unix systems (eg: Sun Solaris), as well as the
|
|
xxxxBSD family and Linux, now utilize the Pluggable Authentication
|
|
Modules (PAM) facility to provide all authentication,
|
|
authorization and resource control services. Prior to the
|
|
introduction of PAM, a decision to use an alternative to
|
|
the system password database (<TT
|
|
CLASS="FILENAME"
|
|
>/etc/passwd</TT
|
|
>)
|
|
would require the provision of alternatives for all programs that provide
|
|
security services. Such a choice would involve provision of
|
|
alternatives to such programs as: <B
|
|
CLASS="COMMAND"
|
|
>login</B
|
|
>,
|
|
<B
|
|
CLASS="COMMAND"
|
|
>passwd</B
|
|
>, <B
|
|
CLASS="COMMAND"
|
|
>chown</B
|
|
>, etc.</P
|
|
><P
|
|
>PAM provides a mechanism that disconnects these security programs
|
|
from the underlying authentication/authorization infrastructure.
|
|
PAM is configured either through one file <TT
|
|
CLASS="FILENAME"
|
|
>/etc/pam.conf</TT
|
|
> (Solaris),
|
|
or by editing individual files that are located in <TT
|
|
CLASS="FILENAME"
|
|
>/etc/pam.d</TT
|
|
>.</P
|
|
><DIV
|
|
CLASS="NOTE"
|
|
><P
|
|
></P
|
|
><TABLE
|
|
CLASS="NOTE"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="25"
|
|
ALIGN="CENTER"
|
|
VALIGN="TOP"
|
|
><IMG
|
|
SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif"
|
|
HSPACE="5"
|
|
ALT="Note"></TD
|
|
><TD
|
|
ALIGN="LEFT"
|
|
VALIGN="TOP"
|
|
><P
|
|
> If the PAM authentication module (loadable link library file) is located in the
|
|
default location then it is not necessary to specify the path. In the case of
|
|
Linux, the default location is <TT
|
|
CLASS="FILENAME"
|
|
>/lib/security</TT
|
|
>. If the module
|
|
is located other than default then the path may be specified as:
|
|
|
|
<PRE
|
|
CLASS="PROGRAMLISTING"
|
|
> auth required /other_path/pam_strange_module.so
|
|
</PRE
|
|
>
|
|
</P
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
><P
|
|
>The following is an example <TT
|
|
CLASS="FILENAME"
|
|
>/etc/pam.d/login</TT
|
|
> configuration file.
|
|
This example had all options been uncommented is probably not usable
|
|
as it stacks many conditions before allowing successful completion
|
|
of the login process. Essentially all conditions can be disabled
|
|
by commenting them out except the calls to <TT
|
|
CLASS="FILENAME"
|
|
>pam_pwdb.so</TT
|
|
>.</P
|
|
><P
|
|
><PRE
|
|
CLASS="PROGRAMLISTING"
|
|
> #%PAM-1.0
|
|
# The PAM configuration file for the `login' service
|
|
#
|
|
auth required pam_securetty.so
|
|
auth required pam_nologin.so
|
|
# auth required pam_dialup.so
|
|
# auth optional pam_mail.so
|
|
auth required pam_pwdb.so shadow md5
|
|
# account requisite pam_time.so
|
|
account required pam_pwdb.so
|
|
session required pam_pwdb.so
|
|
# session optional pam_lastlog.so
|
|
# password required pam_cracklib.so retry=3
|
|
password required pam_pwdb.so shadow md5</PRE
|
|
></P
|
|
><P
|
|
>PAM allows use of replacable modules. Those available on a
|
|
sample system include:</P
|
|
><P
|
|
><SAMP
|
|
CLASS="PROMPT"
|
|
>$</SAMP
|
|
><KBD
|
|
CLASS="USERINPUT"
|
|
>/bin/ls /lib/security</KBD
|
|
>
|
|
<PRE
|
|
CLASS="PROGRAMLISTING"
|
|
> pam_access.so pam_ftp.so pam_limits.so
|
|
pam_ncp_auth.so pam_rhosts_auth.so pam_stress.so
|
|
pam_cracklib.so pam_group.so pam_listfile.so
|
|
pam_nologin.so pam_rootok.so pam_tally.so
|
|
pam_deny.so pam_issue.so pam_mail.so
|
|
pam_permit.so pam_securetty.so pam_time.so
|
|
pam_dialup.so pam_lastlog.so pam_mkhomedir.so
|
|
pam_pwdb.so pam_shells.so pam_unix.so
|
|
pam_env.so pam_ldap.so pam_motd.so
|
|
pam_radius.so pam_smbpass.so pam_unix_acct.so
|
|
pam_wheel.so pam_unix_auth.so pam_unix_passwd.so
|
|
pam_userdb.so pam_warn.so pam_unix_session.so</PRE
|
|
></P
|
|
><P
|
|
>The following example for the login program replaces the use of
|
|
the <TT
|
|
CLASS="FILENAME"
|
|
>pam_pwdb.so</TT
|
|
> module which uses the system
|
|
password database (<TT
|
|
CLASS="FILENAME"
|
|
>/etc/passwd</TT
|
|
>,
|
|
<TT
|
|
CLASS="FILENAME"
|
|
>/etc/shadow</TT
|
|
>, <TT
|
|
CLASS="FILENAME"
|
|
>/etc/group</TT
|
|
>) with
|
|
the module <TT
|
|
CLASS="FILENAME"
|
|
>pam_smbpass.so</TT
|
|
> which uses the Samba
|
|
database which contains the Microsoft MD4 encrypted password
|
|
hashes. This database is stored in either
|
|
<TT
|
|
CLASS="FILENAME"
|
|
>/usr/local/samba/private/smbpasswd</TT
|
|
>,
|
|
<TT
|
|
CLASS="FILENAME"
|
|
>/etc/samba/smbpasswd</TT
|
|
>, or in
|
|
<TT
|
|
CLASS="FILENAME"
|
|
>/etc/samba.d/smbpasswd</TT
|
|
>, depending on the
|
|
Samba implementation for your Unix/Linux system. The
|
|
<TT
|
|
CLASS="FILENAME"
|
|
>pam_smbpass.so</TT
|
|
> module is provided by
|
|
Samba version 2.2.1 or later. It can be compiled by specifying the
|
|
<B
|
|
CLASS="COMMAND"
|
|
>--with-pam_smbpass</B
|
|
> options when running Samba's
|
|
<TT
|
|
CLASS="FILENAME"
|
|
>configure</TT
|
|
> script. For more information
|
|
on the <TT
|
|
CLASS="FILENAME"
|
|
>pam_smbpass</TT
|
|
> module, see the documentation
|
|
in the <TT
|
|
CLASS="FILENAME"
|
|
>source/pam_smbpass</TT
|
|
> directory of the Samba
|
|
source distribution.</P
|
|
><P
|
|
><PRE
|
|
CLASS="PROGRAMLISTING"
|
|
> #%PAM-1.0
|
|
# The PAM configuration file for the `login' service
|
|
#
|
|
auth required pam_smbpass.so nodelay
|
|
account required pam_smbpass.so nodelay
|
|
session required pam_smbpass.so nodelay
|
|
password required pam_smbpass.so nodelay</PRE
|
|
></P
|
|
><P
|
|
>The following is the PAM configuration file for a particular
|
|
Linux system. The default condition uses <TT
|
|
CLASS="FILENAME"
|
|
>pam_pwdb.so</TT
|
|
>.</P
|
|
><P
|
|
><PRE
|
|
CLASS="PROGRAMLISTING"
|
|
> #%PAM-1.0
|
|
# The PAM configuration file for the `samba' service
|
|
#
|
|
auth required pam_pwdb.so nullok nodelay shadow audit
|
|
account required pam_pwdb.so audit nodelay
|
|
session required pam_pwdb.so nodelay
|
|
password required pam_pwdb.so shadow md5</PRE
|
|
></P
|
|
><P
|
|
>In the following example the decision has been made to use the
|
|
smbpasswd database even for basic samba authentication. Such a
|
|
decision could also be made for the passwd program and would
|
|
thus allow the smbpasswd passwords to be changed using the passwd
|
|
program.</P
|
|
><P
|
|
><PRE
|
|
CLASS="PROGRAMLISTING"
|
|
> #%PAM-1.0
|
|
# The PAM configuration file for the `samba' service
|
|
#
|
|
auth required pam_smbpass.so nodelay
|
|
account required pam_pwdb.so audit nodelay
|
|
session required pam_pwdb.so nodelay
|
|
password required pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf</PRE
|
|
></P
|
|
><DIV
|
|
CLASS="NOTE"
|
|
><P
|
|
></P
|
|
><TABLE
|
|
CLASS="NOTE"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="25"
|
|
ALIGN="CENTER"
|
|
VALIGN="TOP"
|
|
><IMG
|
|
SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif"
|
|
HSPACE="5"
|
|
ALT="Note"></TD
|
|
><TD
|
|
ALIGN="LEFT"
|
|
VALIGN="TOP"
|
|
><P
|
|
>PAM allows stacking of authentication mechanisms. It is
|
|
also possible to pass information obtained within one PAM module through
|
|
to the next module in the PAM stack. Please refer to the documentation for
|
|
your particular system implementation for details regarding the specific
|
|
capabilities of PAM in this environment. Some Linux implmentations also
|
|
provide the <TT
|
|
CLASS="FILENAME"
|
|
>pam_stack.so</TT
|
|
> module that allows all
|
|
authentication to be configured in a single central file. The
|
|
<TT
|
|
CLASS="FILENAME"
|
|
>pam_stack.so</TT
|
|
> method has some very devoted followers
|
|
on the basis that it allows for easier administration. As with all issues in
|
|
life though, every decision makes trade-offs, so you may want examine the
|
|
PAM documentation for further helpful information.</P
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
></DIV
|
|
><DIV
|
|
CLASS="SECT1"
|
|
><H1
|
|
CLASS="SECT1"
|
|
><A
|
|
NAME="AEN3491"
|
|
>19.2. Distributed Authentication</A
|
|
></H1
|
|
><P
|
|
>The astute administrator will realize from this that the
|
|
combination of <TT
|
|
CLASS="FILENAME"
|
|
>pam_smbpass.so</TT
|
|
>,
|
|
<B
|
|
CLASS="COMMAND"
|
|
>winbindd</B
|
|
>, and a distributed
|
|
passdb backend, such as ldap, will allow the establishment of a
|
|
centrally managed, distributed
|
|
user/password database that can also be used by all
|
|
PAM (eg: Linux) aware programs and applications. This arrangement
|
|
can have particularly potent advantages compared with the
|
|
use of Microsoft Active Directory Service (ADS) in so far as
|
|
reduction of wide area network authentication traffic.</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="SECT1"
|
|
><H1
|
|
CLASS="SECT1"
|
|
><A
|
|
NAME="AEN3496"
|
|
>19.3. PAM Configuration in smb.conf</A
|
|
></H1
|
|
><P
|
|
>There is an option in smb.conf called <A
|
|
HREF="smb.conf.5.html#OBEYPAMRESTRICTIONS"
|
|
TARGET="_top"
|
|
>obey pam restrictions</A
|
|
>.
|
|
The following is from the on-line help for this option in SWAT;</P
|
|
><P
|
|
>When Samba is configured to enable PAM support (i.e.
|
|
<CODE
|
|
CLASS="CONSTANT"
|
|
>--with-pam</CODE
|
|
>), this parameter will
|
|
control whether or not Samba should obey PAM's account
|
|
and session management directives. The default behavior
|
|
is to use PAM for clear text authentication only and to
|
|
ignore any account or session management. Note that Samba always
|
|
ignores PAM for authentication in the case of
|
|
<A
|
|
HREF="smb.conf.5.html#ENCRYPTPASSWORDS"
|
|
TARGET="_top"
|
|
>encrypt passwords = yes</A
|
|
>.
|
|
The reason is that PAM modules cannot support the challenge/response
|
|
authentication mechanism needed in the presence of SMB
|
|
password encryption. </P
|
|
><P
|
|
>Default: <B
|
|
CLASS="COMMAND"
|
|
>obey pam restrictions = no</B
|
|
></P
|
|
></DIV
|
|
></DIV
|
|
><DIV
|
|
CLASS="NAVFOOTER"
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"><TABLE
|
|
SUMMARY="Footer navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="interdomaintrusts.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="samba-howto-collection.html"
|
|
ACCESSKEY="H"
|
|
>Home</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="vfs.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
>Interdomain Trust Relationships</TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="optional.html"
|
|
ACCESSKEY="U"
|
|
>Up</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
>Stackable VFS modules</TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
></BODY
|
|
></HTML
|
|
> |