DocJones 05-13-2003 03:05 PM

Need help w/Samba & PAM Auth
I am trying to figure out how to get a Win98 client connecting to Samba to obey PAM restrictions (e.g. password length, use number and other chars). The PAM restrictions work fine when changing the password at the console but if I change the password from the Passwords control panel on Win98 the restrictions are completely ignored.

I've been searching for a solution on this for two weeks now and am getting very frustrated. I've finally convinced management to replace an aging Novell install with linux but I need this part of it to work before I can go any further. I would appreciate any help you could give me on this.

mcleodnine 05-14-2003 01:52 AM

Not too sure if it's possible to validate & restrict by PAM, but you may be able to do so via LDAP, though the task is anything but lightweight (IMO the LDAP is okay - it's the management of it that appears to be a bit of a command-line black art at the moment and something even more difficult to administer for larger user/domain bases).

Your first stop should be looking into the installation docs for Samba and seeing what auth modules are available and how to implement them.

I recently ran across an article saying something to the effect that *NIX in general needs a stronger authentication component along the lines of Active Directory. Never used AD but speaking from my Novell experiences I would lean more towards their NDS structure as a basis for a good framework.

DocJones 05-14-2003 08:22 AM

I saw a few references to the PAM/Samba/LDAP combo during my many hours of googling. I skipped over them mainly because of the reasons you mentioned. Looked at LDAP stuff before and mostly just got confused but I might have to take another look at it.

What really confuses me about this is that there is a line in smb.conf that says "obey pam restrictions = yes". That makes me think that it is possible but I'm just missing some part of it.

jharris 05-14-2003 08:42 AM

Are you using encrypted passwords?

From the smb.conf man page:

obey pam restrictions (G)
When Samba 2.2 is configured to enable PAM support (i.e. --with-pam), this parameter will control whether or not Samba should obey PAM's account and session management directives. The default behavior is to use PAM for clear text authentication only and to ignore any account or session management. Note that Samba always ignores PAM for authentication in the case of encrypt passwords = yes. The reason is that PAM modules cannot support the challenge/response authentication mechanism needed in the presence of SMB password encryption.

Default: obey pam restrictions = no

If you are, it sounds like the PAM restrictions will be ignored.
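
Added example, not part of any post in this thread: a small Python check that reads the [global] section of smb.conf text and reports the two conditions from the quoted man page passage under which PAM is bypassed. The function names and the sample fragment are constructed for illustration.

```python
import re

TRUE, FALSE = {"yes", "true", "1"}, {"no", "false", "0"}
# Constructed sample, mirroring the setup described in the thread.
SAMPLE = """
[global]
   Obey PAM Restrictions = Yes
   encrypt passwords = yes
"""

def _norm(name):
    # smb.conf ignores case and whitespace in section and parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return {normalized parameter: value} for the [global] section only."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = _norm(line[1:-1])
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[_norm(key)] = value.strip()
    return params

def as_bool(params, name):
    value = params.get(_norm(name), "").lower()
    return True if value in TRUE else False if value in FALSE else None

def pam_findings(text):
    """List the reasons PAM would be bypassed, per the quoted man page text."""
    p, findings = parse_global(text), []
    if as_bool(p, "encrypt passwords"):
        findings.append("encrypt passwords = yes: PAM is ignored for authentication")
    elif as_bool(p, "encrypt passwords") is None:
        findings.append("encrypt passwords unset: depends on the Samba version's default")
    if as_bool(p, "obey pam restrictions") is not True:
        findings.append("obey pam restrictions not yes: account/session directives ignored")
    return findings

if __name__ == "__main__":
    print("\n".join(pam_findings(SAMPLE)) or "no findings")
```

For the constructed sample it reports only the encrypted-password finding, which is the situation the man page excerpt describes: the parameter is set, yet PAM is still skipped for authentication.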



