Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Programming
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Databases
Mail Systems
openSolaris
Eclipse Documentation
Techotopia.com
Virtuatopia.com
Answertopia.com

How To Guides
Virtualization
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Windows
Problem Solutions
Privacy Policy

  




 

 

Samba HowTo Guide
Prev Home Next

Password Synchronization Using pam_smbpass.so

pam_smbpass is a PAM module that can be used on conforming systems to keep the smbpasswd (Samba password) database in sync with the UNIX password file. PAM is an API supported under some UNIX operating systems, such as Solaris, HPUX, and Linux, that provides a generic interface to authentication mechanisms.

This module authenticates a local smbpasswd user database. If you require support for authenticating against a remote SMB server, or if you are concerned about the presence of SUID root binaries on your system, it is recommended that you use pam_winbind instead.

Options recognized by this module are shown in next table.

Table27.1.Options recognized by pam_smbpass

debug Log more debugging info.
audit Like debug, but also logs unknown usernames.
use_first_pass Do not prompt the user for passwords; take them from PAM_ items instead.
try_first_pass Try to get the password from a previous PAM module; fall back to prompting the user.
use_authtok Like try_first_pass, but *fail* if the new PAM_AUTHTOK has not been previously set (intended for stacking password modules only).
not_set_pass Do not make passwords used by this module available to other modules.
nodelay dDo not insert ~1-second delays on authentication failure.
nullok Null passwords are allowed.
nonull Null passwords are not allowed. Used to override the Samba configuration.
migrate Only meaningful in an “auth” context; used to update smbpasswd file with a password used for successful authentication.
smbconf= file Specify an alternate path to the smb.conf file.

The following are examples of the use of pam_smbpass.so in the format of the Linux /etc/pam.d/ files structure. Those wishing to implement this tool on other platforms will need to adapt this appropriately.

Password Synchronization Configuration

The following is a sample PAM configuration that shows the use of pam_smbpass to make sure private/smbpasswd is kept in sync when /etc/passwd (/etc/shadow) is changed. It is useful when an expired password might be changed by an application (such as ssh ). 

#%PAM-1.0
# password-sync
#
auth       requisite    pam_nologin.so
auth       required     pam_unix.so
account    required     pam_unix.so
password   requisite    pam_cracklib.so retry=3
password   requisite    pam_unix.so shadow md5 use_authtok try_first_pass
password   required     pam_smbpass.so nullok use_authtok try_first_pass
session    required     pam_unix.so

Password Migration Configuration

The following PAM configuration shows the use of pam_smbpass to migrate from plaintext to encrypted passwords for Samba. Unlike other methods, this can be used for users who have never connected to Samba shares: password migration takes place when users ftp in, login using ssh , pop their mail, and so on. 

#%PAM-1.0
# password-migration
#
auth       requisite   pam_nologin.so
# pam_smbpass is called IF pam_unix succeeds.
auth       requisite   pam_unix.so
auth       optional    pam_smbpass.so migrate
account    required    pam_unix.so
password   requisite   pam_cracklib.so retry=3
password   requisite   pam_unix.so shadow md5 use_authtok try_first_pass
password   optional    pam_smbpass.so nullok use_authtok try_first_pass
session    required    pam_unix.so

Mature Password Configuration

The following is a sample PAM configuration for a mature smbpasswd installation. private/smbpasswd is fully populated, and we consider it an error if the SMB password does not exist or does not match the UNIX password. 

#%PAM-1.0
# password-mature
#
auth       requisite    pam_nologin.so
auth       required     pam_unix.so
account    required     pam_unix.so
password   requisite    pam_cracklib.so retry=3
password   requisite    pam_unix.so shadow md5 use_authtok try_first_pass
password   required     pam_smbpass.so use_authtok use_first_pass
session    required     pam_unix.so

Kerberos Password Integration Configuration

The following is a sample PAM configuration that shows pam_smbpass used together with pam_krb5 . This could be useful on a Samba PDC that is also a member of a Kerberos realm. 

#%PAM-1.0
# kdc-pdc
#
auth       requisite   pam_nologin.so
auth       requisite   pam_krb5.so
auth       optional    pam_smbpass.so migrate
account    required    pam_krb5.so
password   requisite   pam_cracklib.so retry=3
password   optional    pam_smbpass.so nullok use_authtok try_first_pass
password   required    pam_krb5.so use_authtok try_first_pass
session    required    pam_krb5.so
Samba HowTo Guide
Prev Home Next

 
 
  Published under the terms fo the GNU General Public License Design by Interspire