[Download Latest Stable release of pam_smb]
What is pam_smb?

pam_smb is a PAM module/server which allows authentication of UNIX users using an NT server.

Features (stable version):
Planned Features (development version):

How do I get pam_smb?

Stable version

The stable version of pam_smb is available from any mirror of the samba FTP site (a list of mirrors is available on samba.org). The latest stable version is 1.1.5. The primary pam_smb FTP site is ftp://ftp.samba.org/pub/samba/pam_smb/

Development version

The latest development version is available from the anonymous CVS tree on cvs.samba.org; the module name is pam_smb. The latest released development version is 1.3.6. It is also available from the author's primary site (in Ireland): ftp://ftp.csn.ul.ie/pub/linux/pam/pam_smb/alpha/ or http://www.csn.ul.ie/~airlied/pam_smb/alpha/

How do I install it?

How do I configure it?

The stable pam_smb module has two configuration steps,

1) pam.conf, /etc/pam.d and command line options

The first thing to do is insert the PAM module into the PAM system configuration files, so that it is used for the services the administrator wishes. This procedure is slightly different under Linux and Solaris.

For Linux: the PAM config files are stored in /etc/pam.d (one for each service). My /etc/pam.d/login file is included here:

    #%PAM-1.0
    auth       required   /lib/security/pam_securetty.so
    auth       required   /lib/security/pam_smb_auth.so
    auth       required   /lib/security/pam_nologin.so
    account    required   /lib/security/pam_pwdb.so
    password   required   /lib/security/pam_cracklib.so
    password   required   /lib/security/pam_pwdb.so shadow nullok use_authtok
    session    required   /lib/security/pam_pwdb.so

Note that the pam_pwdb auth line is removed or commented out.

For Solaris: you need to change the "other" line in /etc/pam.conf to:

    other auth required /usr/lib/security/pam_smb_auth.so.1

pam_smb has some command line parameters that can be passed within the PAM configuration files. (Most installations can skip this step, as the module will work fine without any command line arguments.)

1. debug - This switches on syslog debugging of the module.
2. use_first_pass - This is a standard PAM module command line option.

*********** N.B. Danger lurks here somewhere *****************
3. nolocal - This allows authentication of a username/password pair which are not in the local password file. Do not switch this on unless you know what you are at.
**************************************************************

2) pam_smb.conf configuration file

The configuration file is stored in /etc/pam_smb.conf and consists of three lines: the first contains the NT domain to be logged on at, and the second and third are the primary and secondary servers to use. Note these do not have to be NT server machines, simply machines which can authenticate in the domain. e.g.
Here is my local copy, where I have servers INTEL41 and INTEL42 and the domain is the UNDERGRADUATE domain:

    UNDERGRADUATE
    INTEL41
    INTEL42

N.B. Ensure that the domain servers you are trying to authenticate against have valid DNS entries, or have entries in your /etc/hosts file.

3) ntmap.db username mapping database

First of all, this configuration file is only required if username mapping or multiple domain support is required. The ntmap.db is a Berkeley DB-style hashed database. It uses libdb, and makemap is used to generate it. Full configuration information for this is in the file ntmap.example, which is an example database. The program ntmap.sh can be used to convert the current ntmap.example file into /etc/ntmap.db; this filename is hard-coded at the moment.

4) Starting pamsmbd at boot-time

pamsmbd needs to be started at boot-time. How this is done depends on your distribution; it shouldn't be that hard for you to figure out.

Where did pam_smb come from?

The module is a hacked-together version of smblib-0.50, smb-NT-verify, the pam_unix_auth module, and changes made by myself to allow Domain logons and other stuff. The original authors of many of the parts were:

Andrew Morgan (morgan@transmeta.com) -- the Linux PAM project person, and writer of the pam_unix_auth.c module.
Richard Sharpe (sharpe@ns.aus.com) -- the author of smblib, which I have used a lot of directly.
Christopher Burke (c.burke@mindware.com.au) -- the author of smb-NT-valid, from which I took the validation routine.

The encryption routine is taken straight from samba and is copyright Andrew Tridgell (author of samba).

The username mapping code was written by Andrew Speer (aspeer@isolutions.com.au) for the original module-only pam_smb, and I have tried to re-use it for the client-server.

The caching idea came from David Jordan (david.jordan@webbins.co.uk); he wrote code to make this work under the original pam_smb, and I have taken his ideas on board.

Thanks to Ville Warsta (vwarsta@stybba.ntc.nokia.com) for supplying the patches for HP/UX and FreeBSD 3.1.
Thanks to mirko.dziadzka@systor.com for finding the guest login bug with NT.

Are there any known bugs in pam_smb?

In all versions up to 1.1 there is a bug where login can, under some circumstances, segfault when pam_smb is used. This is a known bug in login.c; a patch to login.c from util-linux is available on the primary site for pam_smb.

Latest Information on the Development Version

The development version will have caching and multi-domain support with username mapping. The first release, 1.2a, has these facilities, but they are not very well developed and such things as cache management are missing. If you would still like to try it out, grab a copy from the CVS tree on cvs.samba.org. Note that the features in the alpha copies are not stabilised; such things as file formats and locations will probably change before the final v2.0 release. The CVS version currently has HP-UX and FreeBSD support, but still contains a memory leak which can cause it to crash after heavy use.

Contact Information

This software is released under the GPL as found in the COPYING file enclosed. Any questions to the author at airlied@samba.org or airlied@linux.ie

Dave Airlie 2/5/99
http://www.csn.ul.ie/~airlied
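
The configuration described under "How do I configure it?" can be checked mechanically. The following Python is an added example, not part of pam_smb or the original page: it reports the options passed to pam_smb_auth (nolocal in particular), validates the three-line /etc/pam_smb.conf layout, and lists servers that do not resolve. The function names and sample inputs are constructed for illustration.

```python
import re
import socket

# Module file names as given on the page (Linux, and Solaris with ".1").
MODULE = re.compile(r"pam_smb_auth\.so(\.\d+)?$")
OPTIONS = {"debug": "info: syslog debugging enabled",
           "use_first_pass": "info: standard PAM option",
           "nolocal": "DANGER: accepts users missing from the local password file"}

def audit_pam(text, service_column=False):
    """Findings for pam_smb_auth lines. service_column=True for
    Solaris-style /etc/pam.conf, False for Linux /etc/pam.d/<service>."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments
        if service_column:
            fields = fields[1:]                 # skip the service name
        if len(fields) < 3 or not MODULE.search(fields[2]):
            continue
        for opt in fields[3:]:
            findings.append((n, opt, OPTIONS.get(opt, "unknown option")))
    return findings

def parse_pam_smb_conf(text):
    """Three lines: domain, primary server, secondary server."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if len(lines) != 3 or any(" " in l or "\t" in l for l in lines):
        raise ValueError("expected exactly three single-word lines")
    return dict(zip(("domain", "primary", "secondary"), lines))

def unresolved(conf, resolve=socket.gethostbyname):
    """Servers with no DNS or /etc/hosts entry (uses the system resolver)."""
    missing = []
    for key in ("primary", "secondary"):
        try:
            resolve(conf[key])
        except OSError:
            missing.append(conf[key])
    return missing

# Constructed sample input: a login file with debug and nolocal added.
SAMPLE_PAM = """#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_smb_auth.so debug nolocal
#auth required /lib/security/pam_pwdb.so shadow nullok
"""
SAMPLE_CONF = "UNDERGRADUATE\nINTEL41\nINTEL42\n"

if __name__ == "__main__":
    for finding in audit_pam(SAMPLE_PAM):
        print(finding)
    print(parse_pam_smb_conf(SAMPLE_CONF))
```

For a Solaris /etc/pam.conf, call audit_pam with service_column=True so the leading service name is skipped.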