Samba File Server + PAM + Berkeley DB or Samba + PAM


Solution 1

Samba cannot use PAM because the SMB protocol specifies a (set of) incompatible hashes which cannot be used with PAM (which requires the cleartext password, or certain hashed versions of the password).

This is what was explained to me a while ago when I tried to accomplish the same thing.

Solution 2

Samba needs to be built using "--with-pam" and have the pam-devel package installed. Then as described in the question, add the samba options to pam.d and disable encrypted passwords.

Also, the clients must have encrypted passwords disabled following this info: http://www.pctools.com/guides/registry/detail/68/

The XP note applies to Win7 as well, and the registry entries need to be reapplied on Win7 after installing SP1.

Also, due to Microsoft patch MS11-043 you must use a workgroup name of more than 7 characters and a very recent version of Samba (3.5.11 or better), which includes a fix for MS11-043.

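The point behind Solution 1 (an NTLM challenge-response cannot be checked by a PAM stack) and the reason Solution 2 has to turn encrypted passwords off on both the server and the clients, worked through as an added example. This is not Samba code and not from any answer on this page. It computes the NT hash (MD4 over the UTF-16LE password) with a small pure-Python MD4, because OpenSSL 3 ships MD4 only as a legacy algorithm and hashlib.new('md4') fails on many systems; it then runs an NTLMv2-style HMAC-MD5 challenge-response with a simplified blob and models Samba's two paths. With encrypted passwords = yes the server must hold the user's NT hash in passdb, and a pam_userdb stack that can only answer "is this cleartext password right?" is useless for it; with encrypted passwords = no the client sends the password itself, which is what lets pam_userdb check it, and is also why that setting puts the password on the wire in the clear. The users, passwords, the passdb and the pam_userdb dictionaries are constructed stand-ins.

```python
"""Why Samba can hand a password to PAM only when encrypted passwords = no.

Added example for this page (not Samba code, not from any answer above). Users,
passwords and the passdb / pam_userdb dictionaries below are constructed stand-ins.
"""
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). OpenSSL 3 only ships MD4 as a legacy algorithm,
    so hashlib.new('md4') fails on many systems; this keeps the example self-contained."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    order3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                              # round 1: F, no constant
            a = _lrot((a + F(b, c, d) + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                              # round 2: G, columns 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a = _lrot((a + G(b, c, d) + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                              # round 3: H, bit-reversed order
            a = _lrot((a + H(b, c, d) + X[order3[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)): what passdb stores and what NTLM proves knowledge of."""
    return md4(password.encode("utf-16-le"))


def _ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(password: str, user: str, domain: str, challenge: bytes, blob: bytes) -> bytes:
    """Client side: HMAC-MD5 over server challenge + client blob, keyed by NTOWFv2.
    The password itself never leaves the client."""
    return hmac.new(_ntowf_v2(nt_hash(password), user, domain), challenge + blob, hashlib.md5).digest()


def verify_ntlmv2(stored_nt: bytes, user: str, domain: str, challenge: bytes,
                  blob: bytes, response: bytes) -> bool:
    """Server side: recompute from the stored NT hash. Nothing here can be delegated to PAM,
    which neither hands out a hash nor accepts a challenge/response pair."""
    expected = hmac.new(_ntowf_v2(stored_nt, user, domain), challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(expected, response)


def pam_userdb_check(pam_db: dict, user: str, cleartext: str) -> bool:
    """Stand-in for 'auth required pam_userdb.so db=...' without crypt=: a plaintext compare."""
    return pam_db.get(user) == cleartext


def samba_auth(encrypted_passwords: bool, user: str, client_password: str,
               passdb: dict, pam_db: dict, domain: str = "WORKGROUP") -> tuple:
    """Model Samba's two authentication paths. Returns (authenticated, reason)."""
    if encrypted_passwords:
        challenge = os.urandom(8)
        # Simplified NTLMv2 blob: version header, zero timestamp, client nonce (real blobs carry target info).
        blob = struct.pack("<II", 0x0101, 0) + b"\x00" * 8 + os.urandom(8) + b"\x00" * 4
        response = ntlmv2_response(client_password, user, domain, challenge, blob)
        if user not in passdb:
            return False, "no NT hash in passdb; a pam_userdb entry cannot be used for NTLM"
        ok = verify_ntlmv2(passdb[user], user, domain, challenge, blob, response)
        return ok, "NTLMv2 response checked against the passdb NT hash"
    # encrypted passwords = no: the client sends the password in the clear, so Samba can hand it to PAM.
    ok = pam_userdb_check(pam_db, user, client_password)
    return ok, "cleartext password checked by PAM (and visible on the wire)"


if __name__ == "__main__":
    pam_db = {"alice": "correct horse"}            # constructed: what vusers.txt would load into the .db
    passdb = {"bob": nt_hash("battery staple")}    # constructed: a user with an NT hash in passdb
    print(samba_auth(True, "alice", "correct horse", passdb, pam_db))   # fails: no NT hash for alice
    print(samba_auth(False, "alice", "correct horse", passdb, pam_db))  # works: PAM sees the cleartext
    print(samba_auth(True, "bob", "battery staple", passdb, pam_db))    # works: passdb, no PAM involved
```

The first call is the situation in the question: the user exists only in the pam_userdb database, so with encrypted passwords left on (the Windows default) there is no NT hash to check the client's response against and the logon fails even with the right password. Turning encrypted passwords off on both sides, as Solution 2 describes, is what makes the second call possible, at the cost of the password crossing the network in cleartext.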

Author: user29600

Updated on September 18, 2022

Comments

  • user29600
    user29600 over 1 year

    I've set up VSFTPD with PAM and Berkeley DB before using this article. It's a great article and was really easy to walk through setting it up.

    Now that I'm setting up Samba, I would like to do the same thing. I've seen information on using PAM with Samba, but nothing regarding Berkeley DB. If this is not possible, even just implementing PAM would be nice, however the articles out there aren't that easy to follow... for me anyways.

    Can anyone create a quick tutorial here that I would be able to use to set up Samba + PAM + Berkeley DB or Samba + PAM?

    Link to a good tutorial would work as well.

    UPDATE:

    I've set up Samba smb.conf using the following for the PAM config variables.

    #security = user   (commented out; not sure if it should or shouldn't be with PAM)
    pam password change = no
    obey pam restrictions = yes
    encrypted passwords = no

    Created a samba-virtual-users.db file following the VSFTPD article, using vusers.txt and: db4.8_load -T -t hash -f vusers.txt samba-virtual-user.db

    and set up /etc/pam.d/samba as the following:

    #%PAM-1.0
    auth       required     pam_userdb.so db=/etc/samba/samba-virtual-user
    account    required     pam_userdb.so db=/etc/samba/samba-virtual-user
    session    required     pam_loginuid.so
    

    This setup seems to reflect the VSFTPD one fairly closely, and I figured it should work. As long as Samba is using PAM and the /etc/pam.d/samba file, which it does by default, then all the /etc/pam.d/samba file needs to do is declare the authorization method as using the .db file that was created.

    Does this make sense to anyone? Can anyone see any reason why this isn't working? Tips for things to try maybe?

    UPDATE:

    The machine is showing on the network now, however I'm not able to log on. Is there any way to check the authentication method samba is using? Anything to do with verifying the setup or the settings it's currently using would be helpful...

  • user29600
    user29600 about 13 years
    Then why do they have any options for PAM at all? ftp.nethelp.no/pub/tmp/samba/PAM-Authentication-And-Samba.html Did you read the links I posted?
  • Philip
    Philip about 13 years
    Samba can verify the user exists in PAM; I believe it's to prevent a disabled/removed Unix account from using a SMB password that the admin forgot to remove.
  • user29600
    user29600 about 13 years
    Ok, can anyone else confirm this?
  • Dan
    Dan about 13 years
    Yes. Basically the hash function used by Windows is different from the ones used by Unix, so PAM can't authenticate users. Samba really works best when you set up LDAP.
  • quickthyme
    quickthyme over 9 years
    I disagree, and saying that Samba can't use PAM is simply false. Ubuntu's standard samba package is compiled with PAM support, as is RHEL's. Or, one can compile it from source using the "--with-pam" option as John's answer mentions. I am starting to suspect that this issue may be more related to how PAM/nsswitch is configured on the system rather than Samba. I have a similar question posted here and including the link here in case it's at all helpful or relevant: serverfault.com/questions/644145/…
  • quickthyme
    quickthyme over 9 years
    I think there is an inaccuracy here, as I have personally witnessed both Windows and Mac systems connect to Samba shares (that use PAM) without any modification to the client. The communication from the client to Samba uses either NTLM or NTLMv2, both of which send hashed passwords. Samba then hands off the authentication to PAM as if it's a local user account. PAM then uses whatever encryption it's configured to, which is dictated by what the backend requires. (So this may need to be set to "none" or "md5" depending on what the LDAP server expects.)
  • quickthyme
    quickthyme over 9 years
    In theory, PAM has nothing to do with the SMB network client as its role is limited to that of being a "pluggable authentication module" as the name implies. (Microsoft's "Gina" is a similar contraption from my understanding.)
  • quickthyme
    quickthyme over 9 years
    But for the record, I have no idea what I'm talking about. I'm just as lost as the next person when it comes to configuring Samba properly. My comments are based solely on my interpretation of the various documentations and experiences I have encountered thus far. I'm hoping someone smarter and more experienced can chime in with some constructive counterpoint.
  • quickthyme
    quickthyme over 9 years
    I have additional comments posted under John's answer below. I can confidently state that a standard, out-of-box SMB client such as Windows 7 can in fact authenticate successfully to a Samba server that is using PAM as the authentication agent between it and LDAP. I also know this to be possible without sacrificing NTLM password hashing because I have this working in my environment. If you can get the standard account tools like "groups" or "passwd" to work against the OD/LDAP accounts, then Samba/PAM should be able to authenticate users. (Sort of... See my question link above for the caveat.)