LinuxQuestions.org
Old 07-27-2019, 11:09 AM   #1
serafean
Member
 
Registered: Mar 2006
Location: Czech Republic
Distribution: Gentoo, Chakra
Posts: 984
Blog Entries: 14

Samba auth using unix user


Hi,

I'm trying to configure samba to accept auth using the unix db (through PAM).

I know that samba can't use PAM directly, because pam wouldn't be able to access the password, as smb2 hashes it at protocol level.

I found that something called pam_smbpass existed, with the functionality to sync the unix and smb passwords (which would be sufficient). Unfortunately, it is no more.

Currently I'm following up the possibility of setting up an AD along with winbind, but I still don't see how to use pam to authenticate the users using /etc/shadow. And it seems really overkill for a simple home filesharing server.

Ideas welcome...

Thanks.
 
Old 07-28-2019, 09:51 AM   #2
rpenny
Member
 
Registered: Jul 2019
Posts: 37

Sorry, but Samba doesn't use PAM and if you do set up a Samba AD DC, you will find that it doesn't use /etc/shadow.

I think you need to explain why you need to use PAM?

If you set up Samba as a standalone server, then you will need to create your users twice on it, once as Unix users and then again as Samba users, unless you set it up for guest access.

If you set up Samba as an AD DC, then your AD users can be made into Unix users quite easily and, by using the libnss-winbind links, they can log into the Unix machine.
 
Old 07-28-2019, 03:29 PM   #3
serafean
Member
 
Registered: Mar 2006
Location: Czech Republic
Distribution: Gentoo, Chakra
Posts: 984

Original Poster
Blog Entries: 14

Hi,

Quote:
Originally Posted by rpenny
> I think you need to explain why you need to use PAM ?
Because I'm running email, chat and sftp (ssh fileserver, /home shared) on this machine, and all of these use PAM
to authenticate a user. I just want to keep it simple: One user db for the machine, all services use it.
I guess I'll create the users twice.
 
Old 07-28-2019, 03:49 PM   #4
rpenny
Member
 
Registered: Jul 2019
Posts: 37

Unless you want to go down the AD DC line, running a Samba standalone server will probably be the easiest way to go, but you must be aware that Samba will not use PAM.
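
With a standalone server each user exists once in the Unix account database and once in the Samba one, so the two lists can drift apart. The following script is an added example, not part of any post in this thread: it compares a `getent passwd`-style list with a `pdbedit -L`-style list and reports accounts present on only one side. The function names and the sample account data are constructed for illustration.

```shell
#!/bin/sh
# Added example: find drift between Unix accounts and the Samba passdb.
# Function names and sample data are constructed for illustration.

# Constructed /etc/passwd-style sample (same layout as `getent passwd`).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
backup:x:1002:1002:Backup job:/home/backup:/usr/sbin/nologin
carol:x:1003:1003:Carol:/home/carol:/bin/zsh'

# Constructed sample in the layout printed by `pdbedit -L` (user:uid:full name).
SAMPLE_SAMBA='alice:1000:Alice
carol:1003:Carol
dave:1004:Dave'

# missing_samba_users PASSWD_TEXT SAMBA_TEXT [MIN_UID]
# Login-capable Unix users (uid >= MIN_UID) that have no Samba entry yet.
# A "--" separator line is used instead of awk's NR==FNR idiom so that an
# empty Samba list is handled correctly.
missing_samba_users() {
    { printf '%s\n' "$2"; echo '--'; printf '%s\n' "$1"; } |
    awk -F: -v min="${3:-1000}" '
        $0 == "--"   { in_passwd = 1; next }
        !in_passwd   { samba[$1] = 1; next }
        $3 + 0 >= min + 0 && $7 !~ /(nologin|false)$/ && !($1 in samba) { print $1 }'
}

# orphaned_samba_users PASSWD_TEXT SAMBA_TEXT
# Samba entries whose Unix account no longer exists (stale SMB credentials).
orphaned_samba_users() {
    { printf '%s\n' "$1"; echo '--'; printf '%s\n' "$2"; } |
    awk -F: '
        $0 == "--"   { in_samba = 1; next }
        !in_samba    { have[$1] = 1; next }
        $1 != "" && !($1 in have) { print $1 }'
}

echo "Unix users without a Samba account:"
missing_samba_users "$SAMPLE_PASSWD" "$SAMPLE_SAMBA"
echo "Samba accounts without a Unix user:"
orphaned_samba_users "$SAMPLE_PASSWD" "$SAMPLE_SAMBA"

# On a live server (as root) feed it the real lists instead:
#   missing_samba_users "$(getent passwd)" "$(pdbedit -L)"
# and add each reported user to Samba with `smbpasswd -a <user>`.
```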
 
Old 07-28-2019, 06:52 PM   #5
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.8.2003
Posts: 5,369

Quote:
Originally Posted by serafean
> Because I'm running email, chat and sftp (ssh fileserver, /home shared) on this machine, and all of these use PAM
> to authenticate a user. I just want to keep it simple: One user db for the machine, all services use it.
> I guess I'll create the users twice.
If you have sftp set up, what do you need samba for? Just curious.
 
Old 07-29-2019, 08:03 AM   #6
serafean
Member
 
Registered: Mar 2006
Location: Czech Republic
Distribution: Gentoo, Chakra
Posts: 984

Original Poster
Blog Entries: 14

Quote:
Originally Posted by scasey
> If you have sftp set up, what do you need samba for? Just curious.
I'm building a NAS-like machine, that should support more people than the tech-savvy me. The idea is:
- sftp because it comes freely with ssh
- samba because windows
- webdav for plain http access
- optionally NFS for fun.

All this should use a single authentication mechanism, and I settled on the simplest: PAM.
 
Old 07-29-2019, 08:33 AM   #7
rpenny
Member
 
Registered: Jul 2019
Posts: 37

Quote:
Originally Posted by serafean
> I'm building a NAS-like machine, that should support more people than the tech-savvy me. The idea is:
> - sftp because it comes freely with ssh
> - samba because windows
> - webdav for plain http access
> - optionally NFS for fun.
>
> All this should use a single authentication mechanism, and I settled on the simplest: PAM.
Just one problem with that idea, PAM isn't really an authentication method, it just passes things to other authentication methods.

As for your list, you do not need sftp if you use Samba or vice versa, you don't need webdav if you use Samba, if you have Windows clients, you cannot use NFS.

The easiest way out of this is to set up your 'NAS' as a Samba AD DC and run a domain.
 
Old 07-29-2019, 09:57 AM   #8
serafean
Member
 
Registered: Mar 2006
Location: Czech Republic
Distribution: Gentoo, Chakra
Posts: 984

Original Poster
Blog Entries: 14

Quote:
Originally Posted by rpenny
> Just one problem with that idea, PAM isn't really an authentication method, it just passes things to other authentication methods.
How is that a problem?
It is a unified auth mechanism which abstracts out the underlying method. I currently use it for ssh, mail (dovecot), XMPP (ejabberd) and have successfully used it to enable authenticated read-only hacky (because of lack of suexec) userdir through nginx.

Quote:
> As for your list, you do not need sftp if you use Samba or vice versa, you don't need webdav if you use Samba, if you have Windows clients, you cannot use NFS.
I disagree:
- sftp is available from any linux base image, easily accessible through cli. Samba isn't so very out of the box.
- samba is for windows/linux clients.
- webdav is the easiest, most accessible sharing unless I want to set up a VPN to tunnel samba over WAN. (Well, apart from a read-only userdir-enabled webserver)
- Windows clients do support nfs

My quest is to have a unix user's $HOME accessible over the network through multiple protocols.
 
Old 07-29-2019, 10:29 AM   #9
rpenny
Member
 
Registered: Jul 2019
Posts: 37

Quote:
Originally Posted by serafean
> How is that a problem?
> It is a unified auth mechanism which abstracts out the underlying method. I currently use it for ssh, mail (dovecot), XMPP (ejabberd) and have successfully used it to enable authenticated read-only hacky (because of lack of suexec) userdir through nginx.
>
> I disagree:
> - sftp is available from any linux base image, easily accessible through cli. Samba isn't so very out of the box.
> - samba is for windows/linux clients.
> - webdav is the easiest, most accessible sharing unless I want to set up a VPN to tunnel samba over WAN. (Well, apart from a read-only userdir-enabled webserver)
> - Windows clients do support nfs
>
> My quest is to have a unix user's $HOME accessible over the network through multiple protocols.
PAM (Pluggable Authentication Modules) isn't actually an auth method, it just obtains the username, password etc and passes it to authentication backends which will attempt to auth the user. All of your programs also work on Slackware and that doesn't use PAM by default.

Yes, sftp is available, so is scp, but unless you use keys, it is very insecure.
Samba isn't just for Windows and Linux, it also works with Mac and BSD etc.
Webdav is okay for sharing, but, as you mentioned VPN, I wouldn't use it over the internet, so you would still have to use a VPN.
It might be possible to use NFS with Windows, but why bother, CIFS is getting as fast as NFS.

I think you will find that using a Samba DC for authentication is the way to go, it should be able to provide authentication for everything you have mentioned.
 
  

