
What is pam_smb?

pam_smb is a PAM module/server which allows authentication of UNIX users using an NT server.

Features (stable version):

  • Authenticates Linux users against SMB servers in user mode (95, NT, Samba etc). Will not authenticate against share-level systems.
  • Compiles on Red Hat Linux 4.2 and greater and any Linux with PAM support. Also compiles under Solaris 2.6.
  • Development version from CVS works on HP/UX 11 and FreeBSD 3.1.
  • Supports NT/Lanman encrypted passwords.
  • Any service which uses PAM can authenticate against NT.
  • Can be set up to ignore the lack of a local password entry when something else, such as RADIUS, provides the user's information.

Planned Features (development version):
  • Caching support.
  • Username mapping support of Unix usernames to different NT usernames.

How do I get pam_smb?

Stable version

The stable version of pam_smb is available from any mirror of the samba FTP site (a list of mirrors is available on samba.org). The latest stable version is 1.1.5.
The primary pam_smb FTP site is ftp://ftp.samba.org/pub/samba/pam_smb/

Development version

The latest development version is available from the anonymous CVS tree on cvs.samba.org; the module name is pam_smb. The latest released development version is 1.3.6.

It is also available from the author's primary site (in Ireland): ftp://ftp.csn.ul.ie/pub/linux/pam/pam_smb/alpha/ or http://www.csn.ul.ie/~airlied/pam_smb/alpha/

How do I install it?

  1. Untar the distribution and cd into the pam_smb directory.
  2. Run configure:
     ./configure

     If you want to place pamsmbd somewhere other than /usr/local/sbin:
     ./configure --sbindir=/usr/sbin

     If you want to disable encrypted passwords:
     ./configure --disable-encrypt-pass

     Development version only: if you want to disable the daemon support:
     ./configure --disable-use-daemon
     (this option produces the old-style module that only reads the simple
     config file and has none of the extra features).

  3. Run make.
     Stable version: copy the pam_smb_auth.so file to /lib/security under Linux
     or /usr/lib/security under Solaris.

     Development version only: run
     make install
     This installs pam_smb_auth.so in /lib/security and pamsmbd, usually in
     /usr/local/sbin/pamsmbd.
    

How do I configure it?

The stable pam_smb module has two configuration steps:
  1. pam.conf and /etc/pam.d configuration + command line parameters.
  2. pam_smb configuration file.

For the development version you also need to look at:

  3. ntmap.db username mapping database.
  4. Starting pamsmbd at boot time.

1) pam.conf, /etc/pam.d and command line options

The first thing to do is insert the PAM module into the PAM system configuration files so that it is used for the services the administrator wishes. This procedure is slightly different under Linux and Solaris.

For Linux: the PAM config files are stored in /etc/pam.d (one for each service). My /etc/pam.d/login file is included here:
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_smb_auth.so
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
session    required     /lib/security/pam_pwdb.so
Note that the pam_pwdb auth line is removed or commented out.

For Solaris: you need to change the "other" line in /etc/pam.conf to:

other   auth required   /usr/lib/security/pam_smb_auth.so.1
pam_smb has some command line parameters that can be passed within the PAM configuration files. (Most installations can skip this step, as the module will work fine without any command line arguments.)
  1. debug - This switches on syslog debugging of the module.
  2. use_first_pass - This is a standard PAM module command line option.
  *********** N.B. Danger lurks here somewhere *****************
  3. nolocal - This allows authentication of a username/password pair
     which is not in the local password file. Do not switch this on
     unless you know what you are doing.
  **************************************************************

2) pam_smb.conf configuration file

The configuration file is stored in /etc/pam_smb.conf and consists of three lines: the first contains the NT domain to log on to, and the second and third are the primary and secondary servers to use. Note that these do not have to be NT server machines, simply machines which can authenticate in the domain.

e.g. here is my local copy, where the servers are INTEL41 and INTEL42 and the domain is the UNDERGRADUATE domain:

UNDERGRADUATE
INTEL41
INTEL42

N.B. Ensure that the domain servers you are trying to authenticate against have valid DNS entries, or have entries in your /etc/hosts file.
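The following audit script is an added example for this README, not code shipped with pam_smb. It parses a pam.d-style service file (or, with pam_conf_style=True, a Solaris /etc/pam.conf line that carries a leading service name), reports the command line options found on the pam_smb_auth.so line (flagging the nolocal option the README warns about and any option the README does not document), notes whether the pam_pwdb auth line is still present, and checks that /etc/pam_smb.conf has exactly the three lines described above and that the two servers resolve. The sample files embedded in it are constructed, and all helper names are hypothetical.

```python
"""Audit a pam.d service file and /etc/pam_smb.conf for pam_smb settings.

Added example for this README, not code shipped with pam_smb. The sample
inputs below are constructed; the helper names are hypothetical.
"""
import socket
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample /etc/pam.d/login, modelled on the one in the README, with
# 'nolocal' and 'debug' added to the pam_smb_auth.so line so the audit has
# something to report.
SAMPLE_PAM_LOGIN = """\
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_smb_auth.so nolocal debug
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
session    required     /lib/security/pam_pwdb.so
"""

# Constructed sample /etc/pam_smb.conf: domain, primary server, secondary server.
SAMPLE_PAM_SMB_CONF = "UNDERGRADUATE\nINTEL41\nINTEL42\n"

# The three command line options the README documents for pam_smb_auth.so.
KNOWN_OPTIONS = {"debug", "use_first_pass", "nolocal"}


@dataclass
class PamEntry:
    """One non-comment line of a PAM configuration file."""
    mtype: str        # auth / account / password / session
    control: str      # required, sufficient, ...
    module: str       # path to the .so
    options: List[str] = field(default_factory=list)


def parse_pam_service(text: str, pam_conf_style: bool = False) -> List[PamEntry]:
    """Split a PAM config into entries, dropping comments and blank lines.

    pam_conf_style=True drops the leading service-name field that Solaris
    /etc/pam.conf lines carry (e.g. 'other auth required ...').
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if pam_conf_style:
            parts = parts[1:]
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        entries.append(PamEntry(parts[0], parts[1], parts[2], parts[3:]))
    return entries


def is_pam_smb(entry: PamEntry) -> bool:
    """Match both the Linux (.so) and Solaris (.so.1) module file names."""
    name = entry.module.rsplit("/", 1)[-1]
    return name in ("pam_smb_auth.so", "pam_smb_auth.so.1")


def audit_pam_service(text: str, pam_conf_style: bool = False) -> List[str]:
    """Return human-readable findings about pam_smb usage in one PAM config."""
    entries = parse_pam_service(text, pam_conf_style)
    findings = []
    smb_entries = [e for e in entries if is_pam_smb(e)]
    if not smb_entries:
        return ["pam_smb_auth.so is not used by this service"]
    for e in smb_entries:
        for opt in e.options:
            if opt not in KNOWN_OPTIONS:
                findings.append(f"unknown pam_smb option '{opt}' (documented: debug, use_first_pass, nolocal)")
        if "nolocal" in e.options:
            findings.append(
                "nolocal is set: a username/password pair that is not in the local "
                "password file can authenticate; the README warns against this")
    # The README's example login file has the pam_pwdb auth line removed.
    if any(e.mtype == "auth" and e.module.endswith("pam_pwdb.so") for e in entries):
        findings.append("pam_pwdb.so auth line is still present; the README's example removes it")
    return findings


def parse_pam_smb_conf(text: str) -> Dict[str, str]:
    """/etc/pam_smb.conf is exactly three lines: domain, primary server, secondary server."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) != 3:
        raise ValueError(f"expected 3 lines (domain, primary, secondary), got {len(lines)}")
    return {"domain": lines[0], "primary": lines[1], "secondary": lines[2]}


def unresolvable_servers(conf: Dict[str, str]) -> List[str]:
    """Servers that do not resolve; the README requires DNS or /etc/hosts entries for them."""
    bad = []
    for key in ("primary", "secondary"):
        try:
            socket.gethostbyname(conf[key])
        except OSError:
            bad.append(conf[key])
    return bad


if __name__ == "__main__":
    for finding in audit_pam_service(SAMPLE_PAM_LOGIN):
        print("pam.d:", finding)
    conf = parse_pam_smb_conf(SAMPLE_PAM_SMB_CONF)
    print("pam_smb.conf:", conf)
    print("unresolvable servers:", unresolvable_servers(conf))
```

To run it against a real installation, read /etc/pam.d/login and /etc/pam_smb.conf into the two functions instead of the constructed samples; the name-resolution check is deliberately kept separate from the format check so it can be skipped on a host without network access.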

3) ntmap.db username mapping database.

First of all, this configuration file is only required if username mapping or multiple domain support is required. The ntmap.db is a Berkeley DB-style hashed database. It uses libdb, and makemap is used to generate it. Full configuration information is in the file ntmap.example, which is an example database. The program ntmap.sh can be used to convert the current ntmap.example file into /etc/ntmap.db; this filename is hard coded at the moment.

4) Starting pamsmbd at boot time.

pamsmbd needs to be started at boot time. How this is done depends on your distribution and shouldn't be that hard for you to figure out.

Where did pam_smb come from?

The module is a hacked-together version of smblib-0.50, smb-NT-verify, the pam_unix_auth module, and changes made by myself to allow domain logons and other things. The original authors of many of the parts were:

Andrew Morgan (morgan@transmeta.com) -- the Linux PAM project person, and writer of the pam_unix_auth.c module.

Richard Sharpe (sharpe@ns.aus.com) -- the author of smblib which I have used a lot of directly.

Christopher Burke (c.burke@mindware.com.au) -- the author of smb-NT-valid from which I took the validation routine.

The encryption routine is taken straight from samba and is copyright Andrew Tridgell (author of samba).

The username mapping code was written by Andrew Speer (aspeer@isolutions.com.au) for the original module-only pam_smb, and I have tried to re-use it as-is for the client-server version.

The caching idea came from David Jordan (david.jordan@webbins.co.uk), who wrote code to make this work under the original pam_smb; I have taken his ideas on board.

Thanks to Ville Warsta (vwarsta@stybba.ntc.nokia.com) for supplying the patches for HP/UX and FreeBSD 3.1.

Thanks to mirko.dziadzka@systor.com for finding the guest login bug with NT.

Are there any known bugs in pam_smb?

In all versions up to 1.1 there is a bug where, when pam_smb is used, login can under some circumstances segfault. This is a known bug in login.c; a patch to login.c from util-linux is available on the primary site for pam_smb.

Latest Information on the Development Version

The development version will have caching and multi-domain support with username mapping. The first release, 1.2a, has these facilities, but they are not very well developed and such things as cache management are missing. If you would still like to try it out, grab a copy from the CVS tree on cvs.samba.org. Note that the features in the alpha copies are not stabilised; such things as file formats and locations will probably change before the final v2.0 release. The CVS version currently has HP-UX and FreeBSD support, but still contains a memory leak which can cause it to crash after heavy use.

Contact Information

This software is released under the GPL as found in the COPYING file enclosed. Any questions to the author at
airlied@samba.org
or
airlied@linux.ie
Dave Airlie 2/5/99 http://www.csn.ul.ie/~airlied