On Tue, Jan 28, 2003 at 11:07:48AM -0600, Mike Renfro wrote:

> We do that (PDC serving Windows, Solaris, and Linux clients) with
> pam_smb.

Since someone asked, here's our basic setup. It may be of use to someone
else, or I might get a full security audit from others more experienced:

=====

Authenticating Solaris and GNU/Linux Users from an NT4.0 PDC

Given

  2 Solaris 2.7 workstations, 2 Solaris 2.8 workstations, 1 Debian
  GNU/Linux workstation, 1 large Windows NT 4.0 domain

Required

  Networked authentication database for all machines.

Restrictions

  Nothing horribly insecure (like NIS), no changes required on NT machines
  (like NISGINA or a Samba PDC).

Solution (Solaris)

  pam_ntdom (pluggable authentication module for NT domains), Samba 2.0.x
  (only for utilities, not running as a network service).

   1. On the PDC, add one computer per Solaris system onto the domain.
      Make them regular workstations, not BDCs.

   2. Compile and install Samba 2.0.x (we used 2.0.7; as of May 9, 2001,
      Samba 2.2.x was not compatible with this procedure). All Samba files
      live in /usr/local/samba -- you might need to create
      /usr/local/samba/private, too.

   3. Edit /usr/local/samba/lib/smb.conf -- the global section should
      contain:

          workgroup = YOURDOMAIN
          security = server
          password server = PDCNAME
          local master = no
          os level = 0
          domain controller = PDCNAME
          wins support = no
          wins server = YOUR.WINS-SERVER.IP.ADDRESS

   4. Since we won't actually be running any of the Samba daemons, the
      rest of the file should be irrelevant. In fact, even this section is
      probably irrelevant, since all we need to do is make a machine
      account on the PDC and set up a trust relationship between the PDC
      and the Solaris system.

   5. On the Solaris system, as root, run

          smbpasswd -j DOMAIN -r PDCNAME

      This will set up a trust relationship between the PDC and the
      Solaris system.

   6. Copy /usr/local/samba/private/DOMAIN.SOLARISNAME.mac to
      /etc/security -- the whole /usr/local/samba directory could be
      deleted now, if necessary.

   7. Compile pam_ntdom 0.24 (pulled source code from CVS, no tar archives
      publicly available).

   8. Copy pam_ntdom_auth.so to /usr/lib/security

   9. Edit /etc/pam_smb.conf as follows:

          YOURDOMAIN
          YOURPDC
          YOURBDC

  10. Edit /etc/pam.conf to allow authentication via pam_ntdom -- find the
      stanza that reads:

          other auth required /usr/lib/security/pam_unix.so.1

  11. Change it to:

          other auth sufficient /usr/lib/security/pam_unix.so.1
          other auth required /usr/lib/security/pam_ntdom_auth.so

  12. This is enough to allow ssh access authenticated by pam_ntdom. If
      you want to allow local console logins by the same method, you'll
      have to edit the login auth and dtlogin auth entries similarly.

  13. For any users who need access to the Solaris machines, add dummy
      accounts with disabled passwords. In our case:

          useradd -d HOMEDIR -g GROUP -s SHELL -u UID USERNAME

Solution (Debian)

  apt-get install libpam-smb, then edit /etc/pam_smb.conf as in Solaris
  step 9. Edit any config files in /etc/pam.d you want to be SMB-aware,
  changing

      auth required pam_unix.so

  to

      auth sufficient pam_unix.so
      auth required pam_smb_auth.so

  And the useradd command becomes something like:

      /usr/sbin/useradd -d HOMEDIR -g GROUP -s SHELL -p '*NP*' -u UID USERNAME

  The reason for the change from the Solaris useradd command (the -p flag)
  is that if we allow useradd to place a * character in the password
  field, one of the other pam modules denies access. That same module
  checks for NIS capabilities by assuming that a password entry of *NP*
  means that an NIS server is present, and allows authentication to
  continue.

Bugs

  Solaris 7 (and most Unixes) might only examine the first 8 characters of
  any given username. [1] This comp.unix.solaris thread from 1997
  indicates that long usernames might in fact work flawlessly for the vast
  majority of Solaris utilities, but it's not supported. Programs compiled
  with utmp.h instead of utmpx.h might also have problems.

Last updated: 2002/06/26 4:01 PM

References

  1. http://groups.google.com/groups?hl=en&lr=&safe=off&ic=1&th=f71e0b0751934467,8

=====

-- 
Mike Renfro  / R&D Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University -- renfro@tntech.edu

_______________________________________________
Pam-list@redhat.com
https://listman.redhat.com/mailman/listinfo/pam-list
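An added example, not code from Mike Renfro's post or from the pam_ntdom project: a POSIX sh/awk helper that applies the Solaris step 10/11 stanza change to a pam.conf and then checks that the service's auth stack really is pam_unix "sufficient" followed by pam_ntdom_auth "required". The module paths come from the post; the sample pam.conf lines and the function names are constructed for this demonstration.

```shell
# Added example (not from the original post): convert a Solaris /etc/pam.conf
# auth stanza to the form from steps 10-11 and verify the resulting stack.
# Assumes POSIX sh and awk; module paths are those given in the post.
PAM_UNIX=/usr/lib/security/pam_unix.so.1
PAM_NTDOM=/usr/lib/security/pam_ntdom_auth.so

# Constructed sample of the relevant pam.conf lines before the edit.
sample_pam_conf() {
    cat <<'EOF'
login   auth required /usr/lib/security/pam_unix.so.1
dtlogin auth required /usr/lib/security/pam_unix.so.1
other   auth required /usr/lib/security/pam_unix.so.1
other   account required /usr/lib/security/pam_unix.so.1
EOF
}

# Print the file with the service's "auth required pam_unix" line replaced by
# the two-line stack. Already-converted files pass through unchanged.
ntdom_enable() {
    svc=$1 file=$2
    awk -v svc="$svc" -v pu="$PAM_UNIX" -v pn="$PAM_NTDOM" '
        $1 == svc && $2 == "auth" && $3 == "required" && $4 == pu {
            print svc "\tauth sufficient\t" pu
            print svc "\tauth required\t" pn
            next
        }
        { print }
    ' "$file"
}

# Exit 0 only if the service's auth stack is exactly: pam_unix sufficient,
# then pam_ntdom_auth required. A leftover "required pam_unix" line, a
# missing module or a swapped order means the domain check is not in effect.
ntdom_check() {
    svc=$1 file=$2
    awk -v svc="$svc" -v pu="$PAM_UNIX" -v pn="$PAM_NTDOM" '
        $1 == svc && $2 == "auth" { n++; ctl[n] = $3; mod[n] = $4 }
        END {
            ok = (n == 2 && ctl[1] == "sufficient" && mod[1] == pu \
                         && ctl[2] == "required"   && mod[2] == pn)
            exit ok ? 0 : 1
        }
    ' "$file"
}

# Demonstration on the constructed sample; temporary files are removed after.
tmp=${TMPDIR:-/tmp}/pam.conf.$$; sample_pam_conf > "$tmp"
ntdom_enable other "$tmp" > "$tmp.new" && ntdom_check other "$tmp.new" && echo "other: converted"
rm -f "$tmp" "$tmp.new"
```

Run ntdom_enable once per service (other, login, dtlogin) and ntdom_check on the result before installing it as /etc/pam.conf; the check is what tells you a local-only stanza did not survive the edit.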