Ignore:
Timestamp:
Jun 24, 2009, 5:09:21 PM (16 years ago)
Author:
Herwig Bauernfeind
Message:

Update 3.0 to 3.0.35

File:
1 edited

Legend:

Unmodified
Added
Removed

  • branches/samba-3.0/docs/htmldocs/Samba3-HOWTO/pam.html

    r158 r286  
    1 <html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 28. PAM-Based Distributed Authentication</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.73.2"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="ProfileMgmt.html" title="Chapter 27. Desktop Profile Management"><link rel="next" href="integrate-ms-networks.html" title="Chapter 29. Integrating MS Windows Networks with Samba"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 28. PAM-Based Distributed Authentication</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ProfileMgmt.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="integrate-ms-networks.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="pam"></a>Chapter 28. PAM-Based Distributed Authentication</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Stephen</span> <span class="surname">Langasek</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:vorlon@netexpress.net">vorlon@netexpress.net</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">May 31, 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="pam.html#id420232">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="pam.html#id420832">Technical Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="pam.html#id420883">PAM Configuration Syntax</a></span></dt><dt><span class="sect2"><a href="pam.html#id421785">Example System Configurations</a></span></dt><dt><span class="sect2"><a href="pam.html#id422055"><code class="filename">smb.conf</code> PAM Configuration</a></span></dt><dt><span class="sect2"><a href="pam.html#id422126">Remote CIFS Authentication Using <code class="filename">winbindd.so</code></a></span></dt><dt><span class="sect2"><a href="pam.html#id422214">Password Synchronization Using <code class="filename">pam_smbpass.so</code></a></span></dt></dl></dd><dt><span class="sect1"><a href="pam.html#id422571">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="pam.html#id422581">pam_winbind Problem</a></span></dt><dt><span class="sect2"><a href="pam.html#id422669">Winbind Is Not Resolving Users and Groups</a></span></dt></dl></dd></dl></div><p>
    2 <a class="indexterm" name="id420163"></a>
    3 <a class="indexterm" name="id420170"></a>
    4 <a class="indexterm" name="id420177"></a>
    5 <a class="indexterm" name="id420183"></a>
     1<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 28. PAM-Based Distributed Authentication</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="ProfileMgmt.html" title="Chapter 27. Desktop Profile Management"><link rel="next" href="integrate-ms-networks.html" title="Chapter 29. Integrating MS Windows Networks with Samba"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 28. PAM-Based Distributed Authentication</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ProfileMgmt.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="integrate-ms-networks.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="pam"></a>Chapter 28. PAM-Based Distributed Authentication</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="orgname">Samba Team</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Stephen</span> <span class="surname">Langasek</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:vorlon@netexpress.net">vorlon@netexpress.net</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">May 31, 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="pam.html#id2665155">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="pam.html#id2665786">Technical Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="pam.html#id2665839">PAM Configuration Syntax</a></span></dt><dt><span class="sect2"><a href="pam.html#id2666839">Example System Configurations</a></span></dt><dt><span class="sect2"><a href="pam.html#id2667145">smb.conf PAM Configuration</a></span></dt><dt><span class="sect2"><a href="pam.html#id2667226">Remote CIFS Authentication Using winbindd.so</a></span></dt><dt><span class="sect2"><a href="pam.html#id2667329">Password Synchronization Using pam_smbpass.so</a></span></dt></dl></dd><dt><span class="sect1"><a href="pam.html#id2667723">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="pam.html#id2667734">pam_winbind Problem</a></span></dt><dt><span class="sect2"><a href="pam.html#id2667832">Winbind Is Not Resolving Users and Groups</a></span></dt></dl></dd></dl></div><p>
     2<a class="indexterm" name="id2665079"></a>
     3<a class="indexterm" name="id2665086"></a>
     4<a class="indexterm" name="id2665093"></a>
     5<a class="indexterm" name="id2665099"></a>
    66This chapter should help you to deploy Winbind-based authentication on any PAM-enabled
    77UNIX/Linux system. Winbind can be used to enable user-level application access authentication
     
    1010controls that are appropriate to your Samba configuration.
    1111</p><p>
    12 <a class="indexterm" name="id420197"></a>
    13 <a class="indexterm" name="id420204"></a>
     12<a class="indexterm" name="id2665117"></a>
     13<a class="indexterm" name="id2665124"></a>
    1414In addition to knowing how to configure Winbind into PAM, you will learn generic PAM management
    1515possibilities and in particular how to deploy tools like <code class="filename">pam_smbpass.so</code> to your advantage.
     
    1717The use of Winbind requires more than PAM configuration alone.
    1818Please refer to <a class="link" href="winbind.html" title="Chapter 24. Winbind: Use of Domain Accounts">Winbind: Use of Domain Accounts</a>, for further information regarding Winbind.
    19 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id420232"></a>Features and Benefits</h2></div></div></div><p>
    20 <a class="indexterm" name="id420239"></a>
    21 <a class="indexterm" name="id420246"></a>
    22 <a class="indexterm" name="id420253"></a>
    23 <a class="indexterm" name="id420260"></a>
    24 <a class="indexterm" name="id420269"></a>
    25 <a class="indexterm" name="id420276"></a>
    26 <a class="indexterm" name="id420282"></a>
    27 <a class="indexterm" name="id420289"></a>
     19</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2665155"></a>Features and Benefits</h2></div></div></div><p>
     20<a class="indexterm" name="id2665163"></a>
     21<a class="indexterm" name="id2665170"></a>
     22<a class="indexterm" name="id2665176"></a>
     23<a class="indexterm" name="id2665183"></a>
     24<a class="indexterm" name="id2665192"></a>
     25<a class="indexterm" name="id2665199"></a>
     26<a class="indexterm" name="id2665206"></a>
     27<a class="indexterm" name="id2665213"></a>
    2828A number of UNIX systems (e.g., Sun Solaris), as well as the xxxxBSD family and Linux,
    2929now utilize the Pluggable Authentication Modules (PAM) facility to provide all authentication,
     
    3434<code class="literal">passwd</code>, <code class="literal">chown</code>, and so on.
    3535</p><p>
    36 <a class="indexterm" name="id420327"></a>
    37 <a class="indexterm" name="id420333"></a>
    38 <a class="indexterm" name="id420340"></a>
    39 <a class="indexterm" name="id420347"></a>
     36<a class="indexterm" name="id2665255"></a>
     37<a class="indexterm" name="id2665261"></a>
     38<a class="indexterm" name="id2665268"></a>
     39<a class="indexterm" name="id2665275"></a>
    4040PAM provides a mechanism that disconnects these security programs from the underlying
    4141authentication/authorization infrastructure. PAM is configured by making appropriate modifications to one file,
     
    4343located in <code class="filename">/etc/pam.d</code>.
    4444</p><p>
    45 <a class="indexterm" name="id420371"></a>
    46 <a class="indexterm" name="id420378"></a>
     45<a class="indexterm" name="id2665301"></a>
     46<a class="indexterm" name="id2665308"></a>
    4747On PAM-enabled UNIX/Linux systems, it is an easy matter to configure the system to use any
    4848authentication backend so long as the appropriate dynamically loadable library modules
     
    5252PAM support modules are available for:
    5353</p><div class="variablelist"><dl><dt><span class="term"><code class="filename">/etc/passwd</code></span></dt><dd><p>
    54 <a class="indexterm" name="id420405"></a>
    55 <a class="indexterm" name="id420412"></a>
    56 <a class="indexterm" name="id420419"></a>
    57 <a class="indexterm" name="id420426"></a>
    58 <a class="indexterm" name="id420432"></a>
    59 <a class="indexterm" name="id420439"></a>
     54<a class="indexterm" name="id2665339"></a>
     55<a class="indexterm" name="id2665345"></a>
     56<a class="indexterm" name="id2665352"></a>
     57<a class="indexterm" name="id2665359"></a>
     58<a class="indexterm" name="id2665366"></a>
     59<a class="indexterm" name="id2665373"></a>
    6060                There are several PAM modules that interact with this standard UNIX user database. The most common are called
    6161                <code class="filename">pam_unix.so</code>, <code class="filename">pam_unix2.so</code>, <code class="filename">pam_pwdb.so</code> and
    6262                <code class="filename">pam_userdb.so</code>.
    6363                </p></dd><dt><span class="term">Kerberos</span></dt><dd><p>
    64 <a class="indexterm" name="id420480"></a>
    65 <a class="indexterm" name="id420487"></a>
    66 <a class="indexterm" name="id420494"></a>
    67 <a class="indexterm" name="id420501"></a>
    68 <a class="indexterm" name="id420508"></a>
     64<a class="indexterm" name="id2665415"></a>
     65<a class="indexterm" name="id2665422"></a>
     66<a class="indexterm" name="id2665429"></a>
     67<a class="indexterm" name="id2665436"></a>
     68<a class="indexterm" name="id2665443"></a>
    6969                The <code class="filename">pam_krb5.so</code> module allows the use of any Kerberos-compliant server.
    7070                This tool is used to access MIT Kerberos, Heimdal Kerberos, and potentially
    7171                Microsoft Active Directory (if enabled).
    7272                </p></dd><dt><span class="term">LDAP</span></dt><dd><p>
    73 <a class="indexterm" name="id420532"></a>
    74 <a class="indexterm" name="id420538"></a>
    75 <a class="indexterm" name="id420545"></a>
    76 <a class="indexterm" name="id420552"></a>
    77 <a class="indexterm" name="id420559"></a>
    78 <a class="indexterm" name="id420566"></a>
     73<a class="indexterm" name="id2665468"></a>
     74<a class="indexterm" name="id2665475"></a>
     75<a class="indexterm" name="id2665482"></a>
     76<a class="indexterm" name="id2665489"></a>
     77<a class="indexterm" name="id2665496"></a>
     78<a class="indexterm" name="id2665503"></a>
    7979                The <code class="filename">pam_ldap.so</code> module allows the use of any LDAP v2- or v3-compatible backend
    8080                server. Commonly used LDAP backend servers include OpenLDAP v2.0 and v2.1,
    8181                Sun ONE iDentity server, Novell eDirectory server, and Microsoft Active Directory.
    8282                </p></dd><dt><span class="term">NetWare Bindery</span></dt><dd><p>
    83 <a class="indexterm" name="id420590"></a>
    84 <a class="indexterm" name="id420597"></a>
    85 <a class="indexterm" name="id420604"></a>
    86 <a class="indexterm" name="id420611"></a>
     83<a class="indexterm" name="id2665530"></a>
     84<a class="indexterm" name="id2665537"></a>
     85<a class="indexterm" name="id2665544"></a>
     86<a class="indexterm" name="id2665551"></a>
    8787                The <code class="filename">pam_ncp_auth.so</code> module allows authentication off any bindery-enabled
    8888                NetWare Core Protocol-based server.
    8989                </p></dd><dt><span class="term">SMB Password</span></dt><dd><p>
    90 <a class="indexterm" name="id420635"></a>
    91 <a class="indexterm" name="id420641"></a>
    92 <a class="indexterm" name="id420648"></a>
     90<a class="indexterm" name="id2665576"></a>
     91<a class="indexterm" name="id2665583"></a>
     92<a class="indexterm" name="id2665590"></a>
    9393                This module, called <code class="filename">pam_smbpass.so</code>, allows user authentication of
    9494                the passdb backend that is configured in the Samba <code class="filename">smb.conf</code> file.
    9595                </p></dd><dt><span class="term">SMB Server</span></dt><dd><p>
    96 <a class="indexterm" name="id420678"></a>
    97 <a class="indexterm" name="id420684"></a>
     96<a class="indexterm" name="id2665620"></a>
     97<a class="indexterm" name="id2665627"></a>
    9898                The <code class="filename">pam_smb_auth.so</code> module is the original MS Windows networking authentication
    9999                tool. This module has been somewhat outdated by the Winbind module.
    100100                </p></dd><dt><span class="term">Winbind</span></dt><dd><p>
    101 <a class="indexterm" name="id420708"></a>
    102 <a class="indexterm" name="id420715"></a>
    103 <a class="indexterm" name="id420722"></a>
    104 <a class="indexterm" name="id420729"></a>
     101<a class="indexterm" name="id2665652"></a>
     102<a class="indexterm" name="id2665659"></a>
     103<a class="indexterm" name="id2665666"></a>
     104<a class="indexterm" name="id2665673"></a>
    105105                The <code class="filename">pam_winbind.so</code> module allows Samba to obtain authentication from any
    106106                MS Windows domain controller. It can just as easily be used to authenticate
    107107                users for access to any PAM-enabled application.
    108108                </p></dd><dt><span class="term">RADIUS</span></dt><dd><p>
    109 <a class="indexterm" name="id420753"></a>
     109<a class="indexterm" name="id2665699"></a>
    110110                There is a PAM RADIUS (Remote Access Dial-In User Service) authentication
    111111                module. In most cases, administrators need to locate the source code
     
    113113                used by many routers and terminal servers.
    114114                </p></dd></dl></div><p>
    115 <a class="indexterm" name="id420770"></a>
    116 <a class="indexterm" name="id420777"></a>
     115<a class="indexterm" name="id2665719"></a>
     116<a class="indexterm" name="id2665726"></a>
    117117Of the modules listed, Samba provides the <code class="filename">pam_smbpasswd.so</code> and the
    118118<code class="filename">pam_winbind.so</code> modules alone.
    119119</p><p>
    120 <a class="indexterm" name="id420800"></a>
    121 <a class="indexterm" name="id420806"></a>
    122 <a class="indexterm" name="id420813"></a>
    123 <a class="indexterm" name="id420820"></a>
     120<a class="indexterm" name="id2665749"></a>
     121<a class="indexterm" name="id2665756"></a>
     122<a class="indexterm" name="id2665763"></a>
     123<a class="indexterm" name="id2665770"></a>
    124124Once configured, these permit a remarkable level of flexibility in the location and use
    125125of distributed Samba domain controllers that can provide wide-area network bandwidth,
     
    127127deployment of centrally managed and maintained distributed authentication from a
    128128single-user account database.
    129 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id420832"></a>Technical Discussion</h2></div></div></div><p>
    130 <a class="indexterm" name="id420840"></a>
    131 <a class="indexterm" name="id420847"></a>
    132 <a class="indexterm" name="id420854"></a>
    133 <a class="indexterm" name="id420860"></a>
     129</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2665786"></a>Technical Discussion</h2></div></div></div><p>
     130<a class="indexterm" name="id2665794"></a>
     131<a class="indexterm" name="id2665800"></a>
     132<a class="indexterm" name="id2665807"></a>
     133<a class="indexterm" name="id2665814"></a>
    134134PAM is designed to provide system administrators with a great deal of flexibility in
    135135configuration of the privilege-granting applications of their system. The local
     
    137137either the single system file <code class="filename">/etc/pam.conf</code> or the
    138138<code class="filename">/etc/pam.d/</code> directory.
    139 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id420883"></a>PAM Configuration Syntax</h3></div></div></div><p>
    140 <a class="indexterm" name="id420891"></a>
    141 <a class="indexterm" name="id420897"></a>
     139</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2665839"></a>PAM Configuration Syntax</h3></div></div></div><p>
     140<a class="indexterm" name="id2665847"></a>
     141<a class="indexterm" name="id2665854"></a>
    142142In this section we discuss the correct syntax of and generic options respected by entries to these files.
    143143PAM-specific tokens in the configuration file are case insensitive. The module paths, however, are case
     
    149149module specification lines may be extended with a &#8220;<span class="quote">\</span>&#8221;-escaped newline.
    150150</p><p>
    151 <a class="indexterm" name="id420923"></a>
    152 <a class="indexterm" name="id420930"></a>
     151<a class="indexterm" name="id2665886"></a>
     152<a class="indexterm" name="id2665893"></a>
    153153If the PAM authentication module (loadable link library file) is located in the
    154154default location, then it is not necessary to specify the path. In the case of
     
    158158auth  required  /other_path/pam_strange_module.so
    159159</pre><p>
    160 </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id420952"></a>Anatomy of <code class="filename">/etc/pam.d</code> Entries</h4></div></div></div><p>
     160</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2665918"></a>Anatomy of <code class="filename">/etc/pam.d</code> Entries</h4></div></div></div><p>
    161161The remaining information in this subsection was taken from the documentation of the Linux-PAM
    162162project. For more information on PAM, see
    163163<a class="ulink" href="http://ftp.kernel.org/pub/linux/libs/pam/" target="_top">the Official Linux-PAM home page</a>.
    164164</p><p>
    165 <a class="indexterm" name="id420977"></a>
     165<a class="indexterm" name="id2665944"></a>
    166166A general configuration line of the <code class="filename">/etc/pam.conf</code> file has the following form:
    167167</p><pre class="programlisting">
     
    173173Once we have explained the meaning of the tokens, we describe this method.
    174174</p><div class="variablelist"><dl><dt><span class="term">service-name</span></dt><dd><p>
    175 <a class="indexterm" name="id421018"></a>
    176 <a class="indexterm" name="id421025"></a>
    177 <a class="indexterm" name="id421032"></a>
     175<a class="indexterm" name="id2665989"></a>
     176<a class="indexterm" name="id2665996"></a>
     177<a class="indexterm" name="id2666003"></a>
    178178                The name of the service associated with this entry. Frequently, the service-name is the conventional
    179179                name of the given application  for example, <code class="literal">ftpd</code>, <code class="literal">rlogind</code> and
     
    187187                One of (currently) four types of module. The four types are as follows:
    188188                </p><div class="itemizedlist"><ul type="disc"><li><p>
    189 <a class="indexterm" name="id421096"></a>
    190 <a class="indexterm" name="id421102"></a>
     189<a class="indexterm" name="id2666071"></a>
     190<a class="indexterm" name="id2666078"></a>
    191191                        <em class="parameter"><code>auth:</code></em> This module type provides two aspects of authenticating the user.
    192192                        It establishes that the user is who he or she claims to be by instructing the application
     
    195195                        or other privileges through its credential-granting properties.
    196196                        </p></li><li><p>
    197 <a class="indexterm" name="id421128"></a>
    198 <a class="indexterm" name="id421135"></a>
     197<a class="indexterm" name="id2666107"></a>
     198<a class="indexterm" name="id2666114"></a>
    199199                        <em class="parameter"><code>account:</code></em> This module performs non-authentication-based account management.
    200200                        It is typically used to restrict/permit access to a service based on the time of day, currently
     
    202202                        login. For example, the &#8220;<span class="quote">root</span>&#8221; login may be permitted only on the console.
    203203                        </p></li><li><p>
    204 <a class="indexterm" name="id421159"></a>
     204<a class="indexterm" name="id2666140"></a>
    205205                        <em class="parameter"><code>session:</code></em> Primarily, this module is associated with doing things that need
    206206                        to be done for the user before and after he or she can be given service. Such things include logging
     
    208208                        directories, and so on.
    209209                        </p></li><li><p>
    210 <a class="indexterm" name="id421178"></a>
     210<a class="indexterm" name="id2666162"></a>
    211211                        <em class="parameter"><code>password:</code></em> This last module type is required for updating the authentication
    212212                        token associated with the user. Typically, there is one module for each
     
    222222                As of Linux-PAM v0.60, this control-flag can be defined with one of two syntaxes.
    223223                </p><p>
    224 <a class="indexterm" name="id421235"></a>
    225 <a class="indexterm" name="id421242"></a>
    226 <a class="indexterm" name="id421248"></a>
    227 <a class="indexterm" name="id421255"></a>
     224<a class="indexterm" name="id2666227"></a>
     225<a class="indexterm" name="id2666234"></a>
     226<a class="indexterm" name="id2666240"></a>
     227<a class="indexterm" name="id2666247"></a>
    228228                The simpler (and historical) syntax for the control-flag is a single keyword defined to indicate the
    229229                severity of concern associated with the success or failure of a specific module. There are four such
     
    351351                side of caution) to make the authentication process fail. A corresponding error is written to the system log files
    352352                with a call to syslog(3).
    353                 </p></dd></dl></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id421785"></a>Example System Configurations</h3></div></div></div><p>
     353                </p></dd></dl></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2666839"></a>Example System Configurations</h3></div></div></div><p>
    354354The following is an example <code class="filename">/etc/pam.d/login</code> configuration file.
    355355This example had all options uncommented and is probably not usable
     
    357357of the login process. Essentially, all conditions can be disabled
    358358by commenting them out, except the calls to <code class="filename">pam_pwdb.so</code>.
    359 </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id421808"></a>PAM: Original Login Config</h4></div></div></div><p>
     359</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2666865"></a>PAM: Original Login Config</h4></div></div></div><p>
    360360        </p><pre class="programlisting">
    361361#%PAM-1.0
     
    374374password     required    pam_pwdb.so shadow md5
    375375</pre><p>
    376 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id421832"></a>PAM: Login Using <code class="filename">pam_smbpass</code></h4></div></div></div><p>
     376</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2666893"></a>PAM: Login Using <code class="filename">pam_smbpass</code></h4></div></div></div><p>
    377377PAM allows use of replaceable modules. Those available on a sample system include:
    378378</p><p><code class="prompt">$</code><strong class="userinput"><code>/bin/ls /lib/security</code></strong>
     
    457457life, though, every decision has trade-offs, so you may want to examine the
    458458PAM documentation for further helpful information.
    459 </p></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id422055"></a><code class="filename">smb.conf</code> PAM Configuration</h3></div></div></div><p>
    460 There is an option in <code class="filename">smb.conf</code> called <a class="link" href="smb.conf.5.html#OBEYPAMRESTRICTIONS">obey pam restrictions</a>.
     459</p></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2667145"></a><code class="filename">smb.conf</code> PAM Configuration</h3></div></div></div><p>
     460There is an option in <code class="filename">smb.conf</code> called <a class="link" href="smb.conf.5.html#OBEYPAMRESTRICTIONS" target="_top">obey pam restrictions</a>.
    461461The following is from the online help for this option in SWAT:
    462462</p><div class="blockquote"><blockquote class="blockquote"><p>
     
    464464control whether or not Samba should obey PAM's account and session management directives. The default behavior
    465465is to use PAM for clear-text authentication only and to ignore any account or session management. Samba always
    466 ignores PAM for authentication in the case of <a class="link" href="smb.conf.5.html#ENCRYPTPASSWORDS">encrypt passwords = yes</a>.
     466ignores PAM for authentication in the case of <a class="link" href="smb.conf.5.html#ENCRYPTPASSWORDS" target="_top">encrypt passwords = yes</a>.
    467467The reason is that PAM modules cannot support the challenge/response authentication mechanism needed in the presence of SMB
    468468password encryption.
    469 </p><p>Default: <a class="link" href="smb.conf.5.html#OBEYPAMRESTRICTIONS">obey pam restrictions = no</a></p></blockquote></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id422126"></a>Remote CIFS Authentication Using <code class="filename">winbindd.so</code></h3></div></div></div><p>
     469</p><p>Default: <a class="link" href="smb.conf.5.html#OBEYPAMRESTRICTIONS" target="_top">obey pam restrictions = no</a></p></blockquote></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2667226"></a>Remote CIFS Authentication Using <code class="filename">winbindd.so</code></h3></div></div></div><p>
    470470All operating systems depend on the provision of user credentials acceptable to the platform.
    471471UNIX requires the provision of a user identifier (UID) as well as a group identifier (GID).
     
    485485</p><p>
    486486The astute administrator will realize from this that the combination of <code class="filename">pam_smbpass.so</code>,
    487 <code class="literal">winbindd</code>, and a distributed <a class="link" href="smb.conf.5.html#PASSDBBACKEND">passdb backend</a>
     487<code class="literal">winbindd</code>, and a distributed <a class="link" href="smb.conf.5.html#PASSDBBACKEND" target="_top">passdb backend</a>
    488488such as <em class="parameter"><code>ldap</code></em> will allow the establishment of a centrally managed, distributed user/password
    489489database that can also be used by all PAM-aware (e.g., Linux) programs and applications. This arrangement can have
     
    494494stored by <code class="literal">winbindd</code>. If this file is deleted or corrupted, there is no way for <code class="literal">winbindd</code>
    495495to determine which user and group IDs correspond to Windows NT user and group RIDs.
    496 </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id422214"></a>Password Synchronization Using <code class="filename">pam_smbpass.so</code></h3></div></div></div><p>
     496</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2667329"></a>Password Synchronization Using <code class="filename">pam_smbpass.so</code></h3></div></div></div><p>
    497497<code class="filename">pam_smbpass</code> is a PAM module that can be used on conforming systems to
    498498keep the <code class="filename">smbpasswd</code> (Samba password) database in sync with the UNIX
     
    512512<code class="filename">/etc/pam.d/</code> files structure. Those wishing to implement this
    513513tool on other platforms will need to adapt this appropriately.
    514 </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id422418"></a>Password Synchronization Configuration</h4></div></div></div><p>
     514</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2667548"></a>Password Synchronization Configuration</h4></div></div></div><p>
    515515The following is a sample PAM configuration that shows the use of pam_smbpass to make
    516516sure <code class="filename">private/smbpasswd</code> is kept in sync when <code class="filename">/etc/passwd (/etc/shadow)</code>
     
    529529password   required     pam_smbpass.so nullok use_authtok try_first_pass
    530530session    required     pam_unix.so
    531 </pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id422458"></a>Password Migration Configuration</h4></div></div></div><p>
     531</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2667594"></a>Password Migration Configuration</h4></div></div></div><p>
    532532The following PAM configuration shows the use of <code class="filename">pam_smbpass</code> to migrate
    533533from plaintext to encrypted passwords for Samba. Unlike other methods,
     
    549549password   optional    pam_smbpass.so nullok use_authtok try_first_pass
    550550session    required    pam_unix.so
    551 </pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id422500"></a>Mature Password Configuration</h4></div></div></div><p>
     551</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2667642"></a>Mature Password Configuration</h4></div></div></div><p>
    552552The following is a sample PAM configuration for a mature <code class="filename">smbpasswd</code> installation.
    553553<code class="filename">private/smbpasswd</code> is fully populated, and we consider it an error if
     
    565565password   required     pam_smbpass.so use_authtok use_first_pass
    566566session    required     pam_unix.so
    567 </pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id422534"></a>Kerberos Password Integration Configuration</h4></div></div></div><p>
     567</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2667682"></a>Kerberos Password Integration Configuration</h4></div></div></div><p>
    568568The following is a sample PAM configuration that shows <em class="parameter"><code>pam_smbpass</code></em> used together with
    569569<em class="parameter"><code>pam_krb5</code></em>. This could be useful on a Samba PDC that is also a member of
     
    582582password   required    pam_krb5.so use_authtok try_first_pass
    583583session    required    pam_krb5.so
    584 </pre></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id422571"></a>Common Errors</h2></div></div></div><p>
     584</pre></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2667723"></a>Common Errors</h2></div></div></div><p>
    585585PAM can be fickle and sensitive to configuration glitches. Here we look at a few cases from
    586586the Samba mailing list.
    587 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id422581"></a>pam_winbind Problem</h3></div></div></div><p>
     587</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2667734"></a>pam_winbind Problem</h3></div></div></div><p>
    588588        A user reported, <span class="emphasis"><em>I have the following PAM configuration</em></span>:
    589589        </p><p>
     
    609609        <code class="filename">/etc/pam.d/login</code> file. Alternatively, if you want all services to use
    610610        Winbind, you can put the Winbind-specific stuff in <code class="filename">/etc/pam.d/system-auth</code>.
    611         </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id422669"></a>Winbind Is Not Resolving Users and Groups</h3></div></div></div><p>
     611        </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2667832"></a>Winbind Is Not Resolving Users and Groups</h3></div></div></div><p>
    612612        &#8220;<span class="quote">
    613613        My <code class="filename">smb.conf</code> file is correctly configured. I have specified
    614         <a class="link" href="smb.conf.5.html#IDMAPUID">idmap uid = 12000</a>
    615         and <a class="link" href="smb.conf.5.html#IDMAPGID">idmap gid = 3000-3500,</a>
     614        <a class="link" href="smb.conf.5.html#IDMAPUID" target="_top">idmap uid = 12000</a>
     615        and <a class="link" href="smb.conf.5.html#IDMAPGID" target="_top">idmap gid = 3000-3500,</a>
    616616        and <code class="literal">winbind</code> is running. When I do the following it all works fine.
    617617        </span>&#8221;
Note: See TracChangeset for help on using the changeset viewer.