Samba File Server + PAM + Berkeley DB or Samba + PAM

authenticationpamsamba

I've set up VSFTPD with PAM and Berkeley DB before using this article. It's a great article and was really easy to walk through setting it up.

Now that I'm setting up Samba, I would like to do the same thing. I've seen information on using PAM with Samba, but nothing regarding Berkeley DB. If this is not possible, even just implementing PAM would be nice, however the articles out there aren't that easy to follow… for me anyways.

Can anyone create a quick tutorial here that I would be able to use to set up Samba + PAM + Berkeley DB or Samba + PAM?

Link to a good tutorial would work as well.

UPDATE:

I've set up Samba smb.conf using the following for the PAM config variables.

#security = user (Commented out, not sure if it should or shouldn't be with PAM)

pam password change = no 

obey pam restrictions = yes

encrypted passwords = no

created a samba-virtual-users.db file following the VSFTPD article using vusers.txt and db4.8_load -T -t hash -f vusers.txt samba-virtual-user.db

and set up /etc/pam.d/samba as the following:

#%PAM-1.0
auth       required     pam_userdb.so db=/etc/samba/samba-virtual-user
account    required     pam_userdb.so db=/etc/samba/samba-virtual-user
session    required     pam_loginuid.so

This setup seems to reflect fairly closely to the VSFTPD and I figured it should work. As long as samba is using PAM and the /etc/pam.d/samba file, which it does by default, then all the /etc/pam.d/samba file needs to do is declare the authorization method as using the .db file that was created.

Does this make sense to anyone? Can anyone see any reason why this isn't working? Tips for things to try maybe?

UPDATE:

The machine is showing on the network now, however I'm not able to log on. Is there any way to check the authentication method samba is using? Anything to do with verifying the setup or the settings it's currently using would be helpful…

Best Answer

Samba can not use PAM because the SMB protocol specific a (set of) incompatible hashes which can not be used with PAM (which requires the cleartext password, or certain hashed versions of the password).

This is what was explained to me a while ago when I tried to accomplish the same thing.

Related Solutions

Centos – vsftpd Unable to log in to ftp using Berkeley DB (V4) databases and PAM (pam_userdb.so)

In the /etc/pam.d/vsftpd file, it turns out I was only supposed to have the last three lines (the ones they provided in the tutorial).

After I changed the file to this:

#%PAM-1.0
auth       required    pam_userdb.so db=/etc/vsftpd/vsftpd-virtual-user
account    required    pam_userdb.so db=/etc/vsftpd/vsftpd-virtual-user
session    required    pam_loginuid.so

It worked just fine. However, I haven't used it long enough to figure out whether it created errors elsewhere. Please let me know if anyone sees anything wrong with this change.

Using pam just for authorisation, without authentification

It seemed that all that needed to be done was run pppd with the login parameter. That can be set in /etc/ppp/options. even though it said that it is only supposed to be used with PAP.

I suppose it works because we're not trying to authenticate with PAP and CHAP, authentication goes through the chap_secret files after which it is passed to PAM.

When PAM takes control, we can set it to always pass authentication and use the authorization as for what is needed.

Here is how my PAM file (on the server /etc/pam.d/ppp) looks like: auth sufficient pam_permit.so
account sufficient pam_permit.so

For now, i haven't set anything concrete for the account. What i plan is to run a module which writes the information into database.

Looking at the /var/log/syslog:

Jul 24 11:32:02 virtual3 pptpd[6100]: GRE: Bad checksum from pppd.
Jul 24 11:32:02 virtual3 pppd[6101]: rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xbfa95b1b> <pcomp> <accomp>]
Jul 24 11:32:02 virtual3 pppd[6101]: sent [LCP EchoReq id=0x0 magic=0xbfa95b1b]
Jul 24 11:32:02 virtual3 pppd[6101]: sent [CHAP Challenge id=0x72 <bd6de330bce960fd3c015f4c05271084>, name = "virtual_3"]
Jul 24 11:32:02 virtual3 pppd[6101]: rcvd [LCP EchoReq id=0x0 magic=0x26f8d72a]
Jul 24 11:32:02 virtual3 pppd[6101]: sent [LCP EchoRep id=0x0 magic=0xbfa95b1b]
Jul 24 11:32:02 virtual3 pppd[6101]: rcvd [LCP EchoRep id=0x0 magic=0x26f8d72a]
Jul 24 11:32:02 virtual3 pppd[6101]: rcvd [CHAP Response id=0x72 <37493f89d9ab654ebd597c25a4a6b0c000000000000000007452936c00f1efa80034f8a65f1f33a7c5b0cf8b4ca6b3f600>, name = "virtual_2"]
Jul 24 11:32:02 virtual3 pppd[6101]: sent [CHAP Success id=0x72 "S=8BA14BF6728FFEF9BAC466B0B7ACD5B6273E8B38 M=Access granted"]
Jul 24 11:32:02 virtual3 pppd[6101]: Initializing PAM (2) for user virtual_2
Jul 24 11:32:02 virtual3 pppd[6101]: ---> PAM INIT Result = 0
Jul 24 11:32:02 virtual3 pppd[6101]: Attempting PAM account checks
Jul 24 11:32:02 virtual3 pppd[6101]: PAM Account OK for virtual_2
Jul 24 11:32:02 virtual3 pppd[6101]: PAM Session opened for user virtual_2
Jul 24 11:32:02 virtual3 pppd[6101]: user virtual_2 logged in on tty pts/3 intf ppp0
Jul 24 11:32:02 virtual3 pppd[6101]: MPPE 128-bit stateless compression enabled
Jul 24 11:32:02 virtual3 pppd[6101]: Cannot determine ethernet address for proxy ARP
Jul 24 11:32:02 virtual3 pppd[6101]: local  IP address 10.8.10.1
Jul 24 11:32:02 virtual3 pppd[6101]: remote IP address 10.8.10.2
Jul 24 11:32:02 virtual3 pppd[6101]: pptpd-logwtmp.so ip-up ppp0 virtual_2 192.168.11.100

it can bee seen that the authentication went through CHAP and is then passed to PAM.

Best Answer

Related Solutions

Centos – vsftpd Unable to log in to ftp using Berkeley DB (V4) databases and PAM (pam_userdb.so)

Using pam just for authorisation, without authentification

Related Topic