Re: SMB authentication

Follow-ups to pam-list@redhat.com.

Stephan,

On Wed, 28 Feb 2001, Stephan von Krawczynski wrote:

> ---Reply on mail from Steve Langasek about SMB authentication
> > [...]
> > It shouldn't be hard to do this with freeradius, PAM support, and pam_smb.

> Hello,

> Ok, I tried this, but maybe I'm too stupid for this:
> I have /etc/pam.d/radius look like:
> #%PAM-1.0
> auth       required     /lib/security/pam_unix.so nullok
> auth       required     /lib/security/pam_smb_auth.so debug
> auth       required     /lib/security/pam_nologin.so
> account    required     /lib/security/pam_unix.so
> password   required     /lib/security/pam_pwcheck.so nullok use_cracklib
> password   required     /lib/security/pam_unix.so nullok use_first_pass use_authtok
> session    required     /lib/security/pam_unix.so none

> First drawback I read in PAM-docs: all (NT-)users have to be unix-users, too. I
> really do not want that.
> Second drawback: it doesn't work ...
> If I create a test user on NT and Linux (with different passwords), I find
> that authentication only works with the Linux password, not with the NT one,
> though radius uses PAM:

You should only list those modules in /etc/pam.d/radius which you want to be
used.  If you are going to *only* authenticate against an NT server, your
config should look more like:

auth       required     /lib/security/pam_smb_auth.so debug
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_permit.so
session    required     /lib/security/pam_unix.so none

Yes, pam_smb by default requires that there be an entry for the user in the
password file; the author explains that otherwise, too many people try using
pam_smb for login/telnet/ssh and then blame his module when this doesn't work.
Still, there's an option to disable the password file check in pam_smb.  The
option ('nolocal') is explained on the pam_smb homepage
(http://www.csn.ul.ie/~airlied/pam_smb/).

> PAM syslog:

> Feb 28 15:28:13 firewall PAM-warn[7704]: service: radiusd [on terminal: <unknown>]
> Feb 28 15:28:13 firewall PAM-warn[7704]: user: (uid=0) -> testerh [remote: ?nobody@?nowhere]
> Feb 28 15:28:13 firewall radlogin[7772]: authentication OK, username testerh, service Login-User

> What's wrong here?

This looks like you also have a mismatch in your pam service name.  syslog
shows that radiusd is calling PAM with the service name 'radiusd', and that
pam_warn is being used.  This module does not show up in the config file you
quoted, which I note is named /etc/pam.d/radius -- i.e., it's the file for the
PAM service 'radius', not 'radiusd'.

Regards,
Steve Langasek
postmodern programmer
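An added example, not part of either message and not code from pam_smb or freeradius: a small POSIX shell script that automates the two checks Steve's reply makes by hand. It reads the service name out of the pam_warn syslog lines, looks for a matching file under a pam.d directory, and inspects the auth stack to tell whether pam_unix is still required alongside pam_smb_auth. The temporary directories stand in for /etc/pam.d, the two config files and the log lines are constructed from the messages above, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from pam_smb/freeradius:
# two sanity checks for a PAM service used by a RADIUS daemon.
#   1. the service name the daemon passes to PAM must match a file in /etc/pam.d
#   2. an NT-only auth stack must contain pam_smb_auth and must not also
#      require pam_unix (which would demand a matching local password too)
# Temp directories stand in for /etc/pam.d; configs and log lines are
# constructed from the messages above. Function names are this example's own.

# Print the service name from a pam_warn syslog line such as
#   "... PAM-warn[7704]: service: radiusd [on terminal: <unknown>]"
# $1 = file of syslog lines
pam_service_from_log() {
    sed -n 's/.*PAM-warn\[[0-9]*\]: service: \([^ ]*\).*/\1/p' "$1" | head -n 1
}

# Print the config file for a service, or fail if the daemon's service name
# has no file under the pam.d directory. $1 = pam.d dir, $2 = service name
pam_config_for_service() {
    [ -f "$1/$2" ] || return 1
    echo "$1/$2"
}

# Print "control module" for every line of the auth stack in $1,
# stripping the /lib/security/ path and skipping comment lines
pam_auth_stack() {
    awk '$1 == "auth" { sub(/.*\//, "", $3); print $2, $3 }' "$1"
}

# Succeed only if the auth stack of $1 uses pam_smb_auth.so and does not
# also run pam_unix.so, so only the NT password is checked
pam_stack_is_nt_only() {
    stack=$(pam_auth_stack "$1")
    echo "$stack" | grep -q 'pam_smb_auth\.so' || return 1
    if echo "$stack" | grep -q 'pam_unix\.so'; then
        return 1
    fi
    return 0
}

# --- constructed sample data ---------------------------------------------
PAMD_BAD=$(mktemp -d)     # only a 'radius' file: the config as first posted
PAMD_GOOD=$(mktemp -d)    # a 'radiusd' file: the NT-only stack from the reply
LOG=$(mktemp)
trap 'rm -rf "$PAMD_BAD" "$PAMD_GOOD" "$LOG"' EXIT

cat > "$PAMD_BAD/radius" <<'EOF'
#%PAM-1.0
auth       required     /lib/security/pam_unix.so nullok
auth       required     /lib/security/pam_smb_auth.so debug
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_unix.so
session    required     /lib/security/pam_unix.so none
EOF

cat > "$PAMD_GOOD/radiusd" <<'EOF'
#%PAM-1.0
auth       required     /lib/security/pam_smb_auth.so debug
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_permit.so
session    required     /lib/security/pam_unix.so none
EOF

cat > "$LOG" <<'EOF'
Feb 28 15:28:13 firewall PAM-warn[7704]: service: radiusd [on terminal: <unknown>]
Feb 28 15:28:13 firewall PAM-warn[7704]: user: (uid=0) -> testerh [remote: ?nobody@?nowhere]
EOF

# --- run the checks ------------------------------------------------------
SERVICE=$(pam_service_from_log "$LOG")
echo "daemon calls PAM with service name: $SERVICE"

for dir in "$PAMD_BAD" "$PAMD_GOOD"; do
    if cfg=$(pam_config_for_service "$dir" "$SERVICE"); then
        echo "$dir: found $cfg"
        if pam_stack_is_nt_only "$cfg"; then
            echo "  auth stack is NT-only:"
        else
            echo "  auth stack also requires a local Unix password:"
        fi
        pam_auth_stack "$cfg" | sed 's/^/    /'
    else
        echo "$dir: no file named '$SERVICE' (only: $(ls "$dir"))"
    fi
done
```

On a real host the same functions would be pointed at /etc/pam.d and the syslog file the daemon writes to. The stack check only looks at which modules run in the auth phase; it does not inspect module options, so whether pam_smb's password-file lookup is disabled (the 'nolocal' option mentioned above) still has to be read off the pam_smb_auth line itself.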
