LinuxQuestions.org

Thread: Samba auth using unix user (https://www.linuxquestions.org/questions/linux-software-2/samba-auth-using-unix-user-4175658124/)

serafean 07-27-2019 10:09 AM

Samba auth using unix user
 
Hi,

I'm trying to configure samba to accept auth using the unix db (through PAM).

I know that samba can't use PAM directly, because pam wouldn't be able to access the password, as smb2 hashes it at protocol level.

I found that something called pam_smbpass existed, with the functionality to sync the unix and smb passwords (which would be sufficient). Unfortunately, it is no more.

Currently I'm following up the possibility of setting up an AD along with winbind, but I still don't see how to use pam to authenticate the users using /etc/shadow. And it seems really overkill for a simple home filesharing server.

ideas welcome...

Thanks.

rpenny 07-28-2019 08:51 AM

Sorry, but Samba doesn't use PAM, and if you do set up a Samba AD DC, you will find that it doesn't use /etc/shadow.

I think you need to explain why you need to use PAM?

If you set up Samba as a standalone server, then you will need to create your users twice on it, once as Unix users and then again as Samba users, unless you set it up for guest access.

If you set up Samba as an AD DC, then your AD users can be made into Unix users quite easily and, by using the libnss-winbind links, they can log into the Unix machine.
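The reason a standalone Samba server needs its own password database next to the Unix one is visible in the wire protocol, so here is an added example (not code from the thread or from the Samba project) that walks through an NTLMv2 logon on both sides. The client only ever sends HMAC outputs keyed by the NT hash (MD4 of the UTF-16LE password), so the server must hold that NT hash (what `smbpasswd -a` writes into the tdbsam backend) to check the proof; pam_unix, by contrast, needs the cleartext to re-run the one-way crypt(3) hash from /etc/shadow, and the cleartext never leaves the client. The user `alice`, the domain `HOMENAS`, the password, and the use of salted SHA-512 as a stand-in for the real crypt(3) scheme are all constructed for the demo; the NTLMv2 blob is simplified (empty target info), and MD4 is implemented inline because hashlib's md4 is frequently absent under OpenSSL 3.

```python
# Added example (not from the thread or the Samba project): why an SMB logon
# can be verified against a stored NT hash but never against /etc/shadow.
# Follows the NTLMv2 computation from MS-NLMP with a simplified blob.
import hashlib
import hmac
import os
import struct


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, inline because OpenSSL 3 often hides it from hashlib."""
    mask = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (F, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = rol((a + fn(b, c, d) + X[k] + const) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c          # rotate registers ABCD -> DABC
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)): the value tdbsam/smbpasswd store."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(upper(user) + domain))."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), "md5").digest()


def client_ntlmv2_response(password, user, domain, server_challenge, client_challenge, timestamp=0):
    """Client side of the AUTHENTICATE message. The cleartext password is used
    only here to derive the NT hash; only HMAC outputs and nonces go on the wire."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4
            + b"\x00" * 4      # simplification: empty AV_PAIR list (MsvAvEOL)
            + b"\x00" * 4)
    key = ntowf_v2(nt_hash(password), user, domain)
    proof = hmac.new(key, server_challenge + temp, "md5").digest()
    return proof + temp


def server_verify(passdb, user, domain, server_challenge, response):
    """Samba side: recompute the proof from the STORED NT hash. With no passdb
    entry for the user (Unix account only) the logon fails, whatever /etc/shadow says."""
    nt = passdb.get(user)
    if nt is None or len(response) < 16:
        return False
    proof, temp = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(nt, user, domain), server_challenge + temp, "md5").digest()
    return hmac.compare_digest(proof, expected)


def pam_style_verify(shadow_db, user, password):
    """What pam_unix does: re-run the one-way hash over the CLEARTEXT password.
    Salted SHA-512 stands in for crypt(3) here (constructed simplification)."""
    entry = shadow_db.get(user)
    if entry is None:
        return False
    salt, digest = entry
    return hmac.compare_digest(hashlib.sha512(salt + password.encode()).digest(), digest)


def demo():
    """Run one logon both ways and report what each backend can and cannot check."""
    user, domain, password = "alice", "HOMENAS", "correct horse"     # constructed
    salt = os.urandom(16)
    shadow_db = {user: (salt, hashlib.sha512(salt + password.encode()).digest())}
    passdb = {user: nt_hash(password)}           # what 'smbpasswd -a alice' would store
    s_chal, c_chal = os.urandom(8), os.urandom(8)
    resp = client_ntlmv2_response(password, user, domain, s_chal, c_chal)
    return {
        "smb_ok": server_verify(passdb, user, domain, s_chal, resp),
        "smb_no_passdb": server_verify({}, user, domain, s_chal, resp),   # Unix user only
        "smb_wrong_pw": server_verify(passdb, user, domain, s_chal,
                                      client_ntlmv2_response("wrong", user, domain, s_chal, c_chal)),
        "replay_other_challenge": server_verify(passdb, user, domain, os.urandom(8), resp),
        "cleartext_on_wire": password.encode("utf-16-le") in resp or password.encode() in resp,
        "pam_ok": pam_style_verify(shadow_db, user, password),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `smb_no_passdb` case is the "create your users twice" situation: a Unix account with a valid shadow entry but no NT hash in the passdb cannot log on over SMB. The surviving way to keep the two databases aligned on a standalone server is in the opposite direction from what pam_smbpass did: with `unix password sync = yes` plus `passwd program`/`passwd chat` (or `pam password change = yes`) in smb.conf, a password change made through SMB is also applied to the Unix password, so users who change their password from a Windows client stay in sync; a change made with passwd(1) still has to be repeated with smbpasswd(8).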

serafean 07-28-2019 02:29 PM

Hi,

Quote:

Originally Posted by rpenny (Post 6019258)
I think you need to explain why you need to use PAM?

Because I'm running email, chat and sftp (ssh fileserver, /home shared) on this machine, and all of these use PAM
to authenticate a user. I just want to keep it simple: One user db for the machine, all services use it.
I guess I'll create the users twice.

rpenny 07-28-2019 02:49 PM

Unless you want to go down the AD DC line, running a Samba standalone server will probably be the easiest way to go, but you must be aware that Samba will not use PAM.

scasey 07-28-2019 05:52 PM

Quote:

Originally Posted by serafean (Post 6019333)
Because I'm running email, chat and sftp (ssh fileserver, /home shared) on this machine, and all of these use PAM
to authenticate a user. I just want to keep it simple: One user db for the machine, all services use it.
I guess I'll create the users twice.

If you have sftp set up, what do you need samba for? Just curious.

serafean 07-29-2019 07:03 AM

Quote:

Originally Posted by scasey (Post 6019376)
If you have sftp set up, what do you need samba for? Just curious.

I'm building a NAS-like machine, that should support more people than the tech-savvy me. The idea is:
- sftp because it comes freely with ssh
- samba because windows
- webdav for plain http access
- optionally NFS for fun.

All this should use a single authentication mechanism, and I settled on the simplest: PAM.

rpenny 07-29-2019 07:33 AM

Quote:

Originally Posted by serafean (Post 6019512)
I'm building a NAS-like machine, that should support more people than the tech-savvy me. The idea is:
- sftp because it comes freely with ssh
- samba because windows
- webdav for plain http access
- optionally NFS for fun.

All this should use a single authentication mechanism, and I settled on the simplest: PAM.

Just one problem with that idea, PAM isn't really an authentication method, it just passes things to other authentication methods.

As for your list: you do not need sftp if you use Samba or vice versa; you don't need webdav if you use Samba; and if you have Windows clients, you cannot use NFS.

The easiest way out of this is to set up your 'NAS' as a Samba AD DC and run a domain.

serafean 07-29-2019 08:57 AM

Quote:

Originally Posted by rpenny (Post 6019520)
Just one problem with that idea, PAM isn't really an authentication method, it just passes things to other authentication methods.

How is that a problem?
It is a unified auth mechanism which abstracts out the underlying method. I currently use it for ssh, mail (dovecot), XMPP (ejabberd) and have successfully used it to enable authenticated read-only hacky (because of lack of suexec) userdir through nginx.

Quote:

As for your list: you do not need sftp if you use Samba or vice versa; you don't need webdav if you use Samba; and if you have Windows clients, you cannot use NFS.
I disagree:
- sftp is available from any linux base image, easily accessible through cli. Samba isn't so very out of the box.
- samba is for windows/linux clients.
- webdav is the easiest, most accessible sharing unless I want to set up a VPN to tunnel samba over WAN. (Well, apart from a read-only userdir-enabled webserver)
- Windows clients do support nfs

My quest is to have a unix user's $HOME accessible over the network through multiple protocols.

rpenny 07-29-2019 09:29 AM

Quote:

Originally Posted by serafean (Post 6019555)
How is that a problem?
It is a unified auth mechanism which abstracts out the underlying method. I currently use it for ssh, mail (dovecot), XMPP (ejabberd) and have successfully used it to enable authenticated read-only hacky (because of lack of suexec) userdir through nginx.


I disagree:
- sftp is available from any linux base image, easily accessible through cli. Samba isn't so very out of the box.
- samba is for windows/linux clients.
- webdav is the easiest, most accessible sharing unless I want to set up a VPN to tunnel samba over WAN. (Well, apart from a read-only userdir-enabled webserver)
- Windows clients do support nfs

My quest is to have a unix user's $HOME accessible over the network through multiple protocols.

PAM (Pluggable Authentication Modules) isn't actually an auth method; it just obtains the username, password etc. and passes them to authentication backends, which will attempt to auth the user. All of your programs also work on Slackware, and that doesn't use PAM by default.

Yes, sftp is available, and so is scp, but unless you use keys, it is very insecure.
Samba isn't just for Windows and Linux; it also works with Mac and BSD etc.
Webdav is okay for sharing, but, as you mentioned VPN, I wouldn't use it over the internet, so you would still have to use a VPN.
It might be possible to use NFS with Windows, but why bother? CIFS is getting as fast as NFS.

I think you will find that using a Samba DC for authentication is the way to go, it should be able to provide authentication for everything you have mentioned.
