LinuxQuestions.org
View the Most Wanted LQ Wiki articles.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General
User Name
Password
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.

Notices

Reply
 
Search this Thread
Old 11-04-2002, 05:53 PM   #1
chupacabra
Member
 
Registered: Oct 2002
Posts: 30

Rep: Reputation: 15
samba and remote PAM authentication


running samba: 2.2.5
kernel: 2.4.18-17
distro: RH 8.0

How can the samba users change their own samba username/passwords remotely? My idea is to have a web page ..That page should have at least the fields username and password. And of course the button Submit. As soon as the user hits submit, that information will go straight to the PAM on linux. And then PAM will do
the job of authenticating the user and change the samba password for him. Does it sound too crazy? Has anyone done it before?

However, if I compile samba --with-pam all the info will go in clear text. And samba will bypass PAM in case I change the samba.conf line "encrypt passwords=yes". So..I'm in a dilemma as you can see.

My idea is to have the users [over 500] change their own username/password as secure as possible. Any ideas?

I thought well, they can connect via ssh and just let them run smbpasswd utility....but I want something simpler for these windows users. They don't even know how to ftp their own website...

thanks,
el chupacabra
 
Old 11-07-2002, 03:18 PM   #2
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 47
From the help files...

http://xxx.xx:10000/samba/swat.cgi/swat/help/smb.conf.5.html#PASSWORDSERVER

password server (G)

By specifying the name of another SMB server (such as a WinNT box) with this option, and using security = domain or security = server you can get Samba to do all its username/password validation via a remote server.

This option sets the name of the password server to use. It must be a NetBIOS name, so if the machine's NetBIOS name is different from its Internet name then you may have to add its NetBIOS name to the lmhosts file which is stored in the same directory as the smb.conf file.

The name of the password server is looked up using the parameter name resolve order and so may resolved by any method and order described in that parameter.

The password server much be a machine capable of using the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in user level security mode.

NOTE: Using a password server means your UNIX box (running Samba) is only as secure as your password server. DO NOT CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST.

Never point a Samba server at itself for password serving. This will cause a loop and could lock up your Samba server!

Do you have a PDC running in the network, or an LDAP server?

Last edited by peter_robb; 11-07-2002 at 03:19 PM.
 
Old 11-08-2002, 01:02 PM   #3
chupacabra
Member
 
Registered: Oct 2002
Posts: 30

Original Poster
Rep: Reputation: 15
thanks question answered...

I'm posting an email reply that a Samba Developer [Jerry Carter] gave to a co-worker. I'm posting it so everybody can benefit from it.
I learnt a lot from his reply....

> How can the samba users change their own samba username/passwords?
> > I remember you mentioned something like creating a web page in Perl?

A: That was for password synchronization. If you just want to change the
smbpasswd entry, use the CTRL+ALT+DEL -> Change password option of Windows
NT+. Should work out of the box.

> > That page should have at least the fields username and password.
> > And of course the button Submit. As soon as the user hits submit, that
> > information will go straight to the PAM on linux. And then PAM will do
> > the job of authenticating the user and change the samba password for
> > him.
> >
> > However, if I compile samba --with-pam all the info will go in
> > clear text. And samba will bypass PAM in case I change the samba.conf
> > line "encrypt passwords=yes". So..I'm in a dilemma as you can see.

A: If you compile with the --with-pam but set "encrypt passwords = yes", smbd
will always use the smbpasswd file for authentication (using NTLMv1, not
clear text). However, if you want to use pam for password changes,
set "pam password change = yes" in smb.conf and set an appropriate
"password chat" string.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
vsftpd pam authentication mikeseal Linux - Networking 5 03-14-2010 06:33 PM
VNC with PAM authentication? make Linux - Software 2 06-07-2005 03:45 AM
python pam authentication shakeeb Programming 0 09-15-2004 04:57 AM
How does PAM Authentication Work? ejennings_98 Linux - Security 1 10-31-2003 03:29 PM
OpenSSH and PAM Authentication RyanP Linux - General 4 02-17-2001 01:08 PM


All times are GMT -5. The time now is 08:11 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration