
When starting with the default samba configuration, what settings need to be changed to make samba authenticate its users through pam?

I'm attempting to authenticate samba users via pam, and specifically pam_pwdfile. The trouble I'm running into is with the samba configuration file; I can't seem to get the right mix of settings in the global section of the file.

Charles Y.

2 Answers

When starting with the default samba configuration, what settings need to be changed to make samba authenticate its users through pam?

Ah, it kinda-sorta-sounds-like you've got the cart before the horse. Hear me for a moment...

There's a lot of information missing here - I'm working on the assumption that when you say "authenticate", you really mean "my network file sharing client (usually Windows-based) is attempting to connect to a share or resource provided by Samba and the credentials being presented need to be authenticated by using the local /etc/passwd file." In which case, you kinda can't get there from here...without a lot of hoops. I also don't know how many servers you have to work with, if they are running Windows, BSD, Linux, or what-have-you. I don't know what the ultimate goal is - if you're just providing services to local users on a LAN, or you intend to use it in some other manner.

Samba usually has its own authentication hooks that do not rely on /etc/passwd because of the requirements imposed by storing NTLM hashes. No hashes = no authentication. So there's a problem. Fortunately, there are several solutions.

The first is to use an existing Active Domain controller. Usually, you set up Winbind and put a shim into /etc/nsswitch.conf for both users and groups, which handles this issue (winbind then handles the authentication request, rather than pam). It requires a bit of hand-work, but is easiest to set up, because the user accounts are controlled and maintained by a Windows Server and requires basically little-to-no intervention with Samba on your part.

The second is to use LDAP. I haven't used this method but I hear it's fairly popular. It still requires another server.

The third is to turn your Samba install into a PDC. If you don't have an external AD controller, you can set yourself up an NT4-style PDC using the Samba installation you're working with, although you'll still have a need to authenticate users through *.tdb files. The smbpasswd command is used for this purpose.

Avery Payne
  • Your assumption about my meaning of "authenticate" is correct. I am working with a lone linux server with windows and mac clients. I intend to provide simple smb/cifs file sharing for the LAN (and nothing more than that from samba). I was hoping that I could use PAM to basically replace the .tdb files that smbpasswd creates. I know samba can be set up to use PAM to access remote winbind authentication and reasoned that it might be able to repurpose it. My main goal here was to unify the passwords between different services, while making sure they were not linked to shell accounts. – Charles Y. Sep 29 '09 at 20:58
  • Using pam and passwd will almost certainly require a stub account, even if it doesn't have a shell. The tdb files might really be the way to go. You might want to consider security=user or security=share if your security requirements are low. – Avery Payne Sep 30 '09 at 07:07
This is from the Samba Howto: "There is an option in smb.conf called obey pam restrictions. The following is from the online help for this option in SWAT: When Samba is configured to enable PAM support (i.e., --with-pam), this parameter will control whether or not Samba should obey PAM’s account and session management directives. The default behavior is to use PAM for clear-text authentication only and to ignore any account or session management. Samba always ignores PAM for authentication in the case of encrypt passwords = yes. The reason is that PAM modules cannot support the challenge/response authentication mechanism needed in the presence of SMB password encryption. Default: obey pam restrictions = no"

Dragos
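The interaction the quoted HOWTO text describes (encrypt passwords = yes means PAM is never asked to verify the password, while obey pam restrictions only governs account and session handling) is easy to get wrong when editing the [global] section by hand. The following checker is an added example, not code from the original thread or from the Samba project: it parses an smb.conf fragment with Python's configparser, normalises parameter names the way Samba does (case- and whitespace-insensitive), and reports whether PAM would be consulted for authentication at all. The sample configurations are constructed, and the fallback defaults for encrypt passwords, obey pam restrictions, security and passdb backend are assumptions for a Samba 3.x/4.x build; confirm them against the smb.conf(5) man page of the version actually installed.

```python
"""Report how an smb.conf [global] section interacts with PAM.

Added example for this thread; not Samba's own tooling.  The defaults
assumed when a parameter is absent are labelled below.
"""
import configparser

# Constructed sample fragments (not taken from the original question).
SAMPLE_ENCRYPTED = """
[global]
   workgroup = WORKGROUP
   security = user
   encrypt passwords = yes
   obey pam restrictions = yes
"""

SAMPLE_CLEARTEXT = """
[global]
   workgroup = WORKGROUP
   security = user
   encrypt passwords = no
"""


def _normalize(name: str) -> str:
    # Samba treats parameter names case-insensitively and ignores internal
    # whitespace, so "Encrypt Passwords" and "encryptpasswords" are the same.
    return "".join(name.split()).lower()


def parse_smb_conf(text: str) -> configparser.ConfigParser:
    """Parse smb.conf text into a ConfigParser with Samba-style key names."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = _normalize
    # smb.conf is conventionally indented; strip that so configparser does not
    # treat an indented line as a continuation of the previous value.
    parser.read_string("\n".join(line.strip() for line in text.splitlines()))
    return parser


def _is_yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def assess_pam_auth(text: str) -> dict:
    """Return which parts of PAM this [global] section would actually use."""
    conf = parse_smb_conf(text)
    glob = conf["global"] if conf.has_section("global") else {}

    # Fallback values are assumptions for Samba 3.x/4.x defaults.
    encrypt = _is_yes(glob.get("encryptpasswords", "yes"))
    obey = _is_yes(glob.get("obeypamrestrictions", "no"))
    security = glob.get("security", "user").strip().lower()
    passdb = glob.get("passdbbackend", "tdbsam").strip()

    notes = []
    if encrypt:
        notes.append(
            "encrypt passwords = yes: PAM is never consulted to verify the "
            f"password; accounts must exist in the passdb backend ({passdb})"
        )
    else:
        notes.append(
            "encrypt passwords = no: clear-text authentication is the only "
            "path that reaches PAM"
        )
    if obey:
        notes.append(
            "obey pam restrictions = yes: PAM account/session directives are "
            "honoured (only when Samba was built --with-pam)"
        )
    else:
        notes.append(
            "obey pam restrictions = no: PAM account/session management is ignored"
        )

    return {
        "pam_authenticates": not encrypt,
        "pam_account_session": obey,
        "security": security,
        "passdb_backend": passdb,
        "notes": notes,
    }


if __name__ == "__main__":
    for label, sample in (("encrypted", SAMPLE_ENCRYPTED),
                          ("clear-text", SAMPLE_CLEARTEXT)):
        result = assess_pam_auth(sample)
        print(f"[{label}] security={result['security']} "
              f"passdb={result['passdb_backend']}")
        for note in result["notes"]:
            print("  -", note)
```

Run it against a copy of the live smb.conf (`assess_pam_auth(open("/etc/samba/smb.conf").read())`) to see, before restarting smbd, whether a pam_pwdfile stack would ever be reached; with the default encrypted-password setting the answer is no, which is why the first answer points at the tdb files and smbpasswd instead.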