Re: pam_adduser ?


 




I never did see a response. I've got one module that will fork()&exec() the add user script (security hole it is), but I would suggest building a module from scratch.

Yeah, that is a complete possibility, and I've already written up a quick pam_runscript.so, for testing, but it's a pretty cheap hack and I don't really want to exec() some random script for security purposes. (this is a production system)

Samba only uses PAM if the password is supplied in plain-text - meaning most Windows installations, by default, won't use PAM.

I don't know about that one... I've been doing so much testing back & forth the past week, but I do remember adding a pam_mkhomedir into /etc/pam.d/samba for 'session' and I think it worked OK. (and I'm using encrypted passwords)

One question is: when using PAM, does the Samba suite call pam_open_session() functions? If so, it is possible to do an immediate clean up once verified in either the pam_open_session() or pam_close_session().

Yes, it does, but *when* it calls these functions is a bit of a mystery. Since I'm not actually mounting shares from this system, I think that 'session' will not even be called. I'm just hitting it for domain authentications... but I'd really have to test more to double check all of what I just said.


I guess this issue really isn't that big of a deal anymore -- I've decided to take the easy way out and write up some scripts to take care of /etc/passwd entries with /dev/null homes and /bin/false shells.

So... thanks for the input, but from the work I went through for this I'd rather just drop it and just whip up some quick scripts. :-)

If anyone else has had, or, will have, this same problem, maybe pam_mkhomedir could be added with a pam_sm_authenticate() with some extra features like /etc/passwd entries, etc... If the developer for that module is listening. ;-)

Thanks again!

--Cal


Joe

Cal Heldenbrand wrote:

Hi everyone,

I'm working on a project where a box is remotely
authenticating with PAM against a large user database,
and this box acts as a Samba PDC / winbind /
authentication server for a local department.

I've talked a bit with the Samba list, and I didn't
really get anything useful back from them -- one of
the annoying things w/ Samba, is that it *requires* a
local /etc/passwd entry when 'security = user'. I can
see why this would be a nice sanity check, but this
machine does not serve homes, or any other partitions,
it will not be a shell box, or anything else... strictly domain authentication with smb encrypted
passwords.


The master database that I'm authenticating against
has around 8000+ users, plus, is dynamically changing.
 I need a way to on-the-fly add / remove /etc/passwd
entries (and not using winbind -- this is a winbind
server)

So, my main question to everyone is:  Is there some
sort of pam_adduser that works with the 'auth'
management group that will add /etc/passwd entries?

Thanks for your help!

--Cal Heldenbrand





_______________________________________________

Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
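
The thread settles on scripts that maintain /etc/passwd stub entries with /dev/null homes and /bin/false shells. The sketch below is an added example, not code from the original posts or from any participant. It plans such a sync against a master user list, rejects names that could corrupt /etc/passwd or be parsed as options, and only removes entries it created. `MANAGED_TAG`, the name pattern and the function names are assumptions made for illustration.

```python
import re

# Assumption: stub entries created by this tool carry this GECOS comment.
MANAGED_TAG = "pam-sync-managed"
# Conservative name pattern (assumption): no ':' or newline that would
# corrupt /etc/passwd, no leading '-' that useradd would read as an option.
NAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def parse_passwd(text):
    """Return {name: fields} for well-formed 7-field passwd lines."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0]:
            entries[fields[0]] = fields
    return entries


def is_managed(fields):
    """True only for stubs we own: tagged GECOS, /dev/null home, /bin/false shell."""
    return (fields[4] == MANAGED_TAG
            and fields[5] == "/dev/null"
            and fields[6] == "/bin/false")


def plan_sync(passwd_text, master_users):
    """Return (commands, rejected). Commands are argv lists, never shell strings,
    so they can be run with subprocess.run(argv) without any shell parsing."""
    local = parse_passwd(passwd_text)
    wanted, rejected = set(), []
    for name in master_users:
        if NAME_RE.fullmatch(name):
            wanted.add(name)
        else:
            rejected.append(name)
    commands = []
    # Add stubs only for names with no local entry at all.
    for name in sorted(wanted - set(local)):
        commands.append(["useradd", "-M", "-d", "/dev/null", "-s", "/bin/false",
                         "-c", MANAGED_TAG, name])
    # Remove only stubs this tool created; system accounts are never touched.
    for name in sorted(local):
        if name not in wanted and is_managed(local[name]):
            commands.append(["userdel", name])
    return commands, rejected
```
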


