Bug 31351

Summary: [PATCH] Account and Session PAM support for samba
Product: [Retired] Red Hat Raw Hide Reporter: Andrew Bartlett <abartlet>
Component: sambaAssignee: Trond Eivind Glomsrxd <teg>
Status: CLOSED RAWHIDE QA Contact: David Lawrence <dkl>
Severity: medium Docs Contact:
Priority: medium    
Version: 1.0   
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2001-09-08 08:51:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Andrew Bartlett 2001-03-10 07:28:56 UTC
My patch (located at
http://samba.org/cgi-bin/samba-patches/incoming?id=233;user=guest) adds PAM
session support for all logins, and account support for both encrypted and
plain-text logins.

It may well be too late for this RedHat relase, and I was hoping to get it
tested more - but here it is anyway.

Note that this patch is over raw 2.0.7, and that it conflicts with the
current PAM modifications.

Comment 1 Andrew Bartlett 2001-05-05 08:43:07 UTC
Samba 2.2.0 shipped with PAM password account support.  Samba 2.2.1 will ship
with PAM password, account, session and password support.  They can be enabled
with 'obey pam restrictions = yes' and 'pam password change = yes'.

Note that the 2.2.0 release broke domain logons with some PAM configurations,
but this is fixed in 2.2.1.

Comment 2 Trond Eivind Glomsrxd 2001-06-19 14:19:35 UTC
Where are those pam parameters documented?

Comment 3 Trond Eivind Glomsrxd 2001-08-09 03:50:59 UTC

Comment 4 Andrew Bartlett 2001-08-09 09:07:11 UTC
Sorry about the lack of reply, both are documented in the smb.conf man-page in
Samba 2.2.1.

I'm also looking at other various PAM things as part of my AuthRewrite,
currently in progress of being written for/merged into the HEAD branch.

Comment 5 Trond Eivind Glomsrxd 2001-08-09 18:46:33 UTC
2.2.1a-3 (and a couple of earlier releases in the 2.2 series) are built with

Comment 6 Andrew Bartlett 2001-08-10 11:34:17 UTC
I'm not quite sure what you mean here.  All Samba RPMs have (AFAIK) been built
--with-pam since at least RH 5.2.  

When built --with-pam more recent samba versions will also check that
acocunts/passwords have not expired and that they pass the 'session' module. 
This aditionall functionality is automaticly available, but is controlled by the
'obey pam restrictions' paramater for backwards compatability.

I strongly recommend that RedHat enable 'obey pam restrictions' in its defualt
configuration to ensure consistancy of policy between applications.

At some future date --with-pam will no longer be required, and we will pick up
the functionality from the autoconf data.

Comment 7 Trond Eivind Glomsrxd 2001-08-13 02:03:36 UTC
I'll add it to the file - it may be commented out, to avoid introducing change
right now.

Comment 8 Trond Eivind Glomsrxd 2001-08-13 20:03:47 UTC
samba-2.2.1a-4 contains a section explaining the directive, but the directive is
commented out as samba now defaults to encrypted passwords.

Comment 9 Andrew Bartlett 2001-08-13 21:01:17 UTC
Just to make it clear, the new PAM code was specificly written to be used when
encrypted passwords = yes, in the same way that OpenSSH uses PAM despite
public-key authentication. (OpenSSH was the inspiration behind the work).

Also, look into the 'pam password chat' paramater, which does the same thing as
the old code, but without all the issues of actually 'chatting' over a tty.  I
my opinion is much more likaly to work 'out of the box' without doing stupid
things like changing root's password or the like.

Comment 10 Trond Eivind Glomsrxd 2001-08-13 21:10:51 UTC
The docs say "Note that Samba always ignores PAM for  authentica-tion  in  the
case of encrypt passwords = yes". Anyway, it's there now and with the section
from the smb.conf man page above it.

Comment 11 Andrew Bartlett 2001-08-13 21:36:56 UTC
BTW, you will need to make sure your PAM control files catch up with the change
to get the extra session and password entries.  (Having the extra entires will
have NO adverse effect without the code enabled within samba, so its a safe

Comment 12 Andrew Bartlett 2001-09-08 08:51:52 UTC
Bug reopend:  The PAM control files still need updating, see the sample
samba.pamd.stack in our tree (packaging/RedHat) for what I mean.

Remember, that while PAM is well-known for checking passwords it can also
verifiy account status and manange session limits.  The comment in the man-page
refers to *authenticaion* not to account and session management.

Andrew Bartlett

Comment 13 Trond Eivind Glomsrxd 2001-11-29 23:53:17 UTC
samba-2.2.2-8 has the rest of these changes enabled.