
I've set up VSFTPD with PAM and Berkeley DB before using this article. It's a great article and was really easy to walk through setting it up.

Now that I'm setting up Samba, I would like to do the same thing. I've seen information on using PAM with Samba, but nothing regarding Berkeley DB. If this is not possible, even just implementing PAM would be nice; however, the articles out there aren't that easy to follow... for me anyway.

Can anyone create a quick tutorial here that I would be able to use to set up Samba + PAM + Berkeley DB or Samba + PAM?

Link to a good tutorial would work as well.

UPDATE:

I've set up the Samba smb.conf using the following for the PAM config variables:

#security = user  (commented out; not sure if it should or shouldn't be with PAM)
pam password change = no
obey pam restrictions = yes
encrypt passwords = no
; note: the smb.conf parameter is spelled "encrypt passwords", not "encrypted passwords"

Created a samba-virtual-user.db file, following the VSFTPD article, from vusers.txt using:

db4.8_load -T -t hash -f vusers.txt samba-virtual-user.db

and set up /etc/pam.d/samba as the following:

#%PAM-1.0
auth       required     pam_userdb.so db=/etc/samba/samba-virtual-user
account    required     pam_userdb.so db=/etc/samba/samba-virtual-user
session    required     pam_loginuid.so

This setup seems to reflect the VSFTPD one fairly closely, and I figured it should work. As long as Samba is using PAM and the /etc/pam.d/samba file, which it does by default, then all the /etc/pam.d/samba file needs to do is declare the authorization method as using the .db file that was created.

Does this make sense to anyone? Can anyone see any reason why this isn't working? Tips for things to try maybe?

UPDATE:

The machine is showing on the network now, however I'm not able to log on. Is there any way to check the authentication method samba is using? Anything to do with verifying the setup or the settings it's currently using would be helpful...

user29600

3 Answers


Samba cannot use PAM because the SMB protocol specifies a (set of) incompatible hashes which cannot be used with PAM (which requires the cleartext password, or certain hashed versions of the password).

This is what was explained to me a while ago when I tried to accomplish the same thing.

Chris S
  • Then why do they have any options for PAM at all? ftp://ftp.nethelp.no/pub/tmp/samba/PAM-Authentication-And-Samba.html Did you read the links I posted? – user29600 May 10 '11 at 14:28
  • Samba can verify the user exists in PAM; I believe it's to prevent a disabled/removed Unix account from using a SMB password that the admin forgot to remove. – Chris S May 10 '11 at 14:48
  • Ok, can anyone else confirm this? – user29600 May 10 '11 at 15:22
  • Yes. Basically the hash function used by Windows is different from the ones used by Unix, so PAM can't authenticate users. Samba really works best when you set up LDAP. – Dan May 11 '11 at 11:01
  • I disagree, and saying that Samba can't use PAM is simply false. Ubuntu's standard samba package is compiled with PAM support, as is RHEL's. Or, one can compile it from source using the "--with-pam" option as John's answer mentions. I am starting to suspect that this issue may be more related to how PAM/nsswitch is configured on the system rather than Samba. I have a similar question posted here and including the link here in case it's at all helpful or relevant: http://serverfault.com/questions/644145/ubuntu-server-samba-pam-apple-opendirectory – quickthyme Nov 13 '14 at 19:55
  • I have additional comments posted under John's answer below. I can confidently state that a standard, out-of-box SMB client such as Windows 7 can in fact authenticate successfully to a Samba server that is using PAM as the authentication agent between it and LDAP. I also know this to be possible without sacrificing NTLM password hashing because I have this working in my environment. If you can get the standard account tools like "groups" or "passwd" to work against the OD/LDAP accounts, then Samba/PAM should be able to authenticate users. (Sort of... See my question link above for the caveat.) – quickthyme Nov 13 '14 at 22:15

Samba needs to be built using "--with-pam" and have the pam-devel package installed. Then, as described in the question, add the Samba options to pam.d and disable encrypted passwords.

Also, the clients must have encrypted passwords disabled following this info: http://www.pctools.com/guides/registry/detail/68/

The XP note applies to Win7 as well. And registry entries need to be reapplied to Win7 after the install of SP1.

Also, due to Microsoft patch MS11-043, you must use a workgroup name of more than 7 chars and use a very recent version of Samba (3.5.11 or better) which includes a fix for MS11-043.

John
  • I think there is an inaccuracy here, as I have personally witnessed both Windows and Mac systems connect to Samba shares (that use PAM) without any modification to the client. The communication from the client to Samba uses either NTLM or NTLMv2, both of which send hashed passwords. Samba then hands off the authentication to PAM as if it's a local user account. Pam then uses whatever encryption it's configured to, which is dictated by what the backend requires. (So this may need to be set to "none" or "md5" depending on what the LDAP server expects.) – quickthyme Nov 13 '14 at 20:20
  • In theory, PAM has nothing to do with the SMB network client as its role is limited to that of being a "pluggable authentication module" as the name implies. (Microsoft's "Gina" is a similar contraption from my understanding.) – quickthyme Nov 13 '14 at 20:23
  • But for the record, I have no idea what I'm talking about. I'm just as lost as the next person when it comes to configuring Samba properly. My comments are based solely on my interpretation of the various documentations and experiences I have encountered thus far. I'm hoping someone smarter and more experienced can chime in with some constructive counterpoint. – quickthyme Nov 13 '14 at 21:43

This is from the Samba howto: "There is an option in smb.conf called obey pam restrictions. The following is from the online help for this option in SWAT: When Samba is configured to enable PAM support (i.e., --with-pam), this parameter will control whether or not Samba should obey PAM’s account and session management directives. The default behavior is to use PAM for clear-text authentication only and to ignore any account or session management. Samba always ignores PAM for authentication in the case of encrypt passwords = yes. The reason is that PAM modules cannot support the challenge/response authentication mechanism needed in the presence of SMB password encryption. Default: obey pam restrictions = no"

Dragos