Bug 31351
| Summary: | [PATCH] Account and Session PAM support for samba | ||
|---|---|---|---|
| Product: | [Retired] Red Hat Raw Hide | Reporter: | Andrew Bartlett <abartlet> |
| Component: | samba | Assignee: | Trond Eivind Glomsrxd <teg> |
| Status: | CLOSED RAWHIDE | QA Contact: | David Lawrence <dkl> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 1.0 | ||
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2001-09-08 08:51:57 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Andrew Bartlett
2001-03-10 07:28:56 UTC
Samba 2.2.0 shipped with PAM password account support. Samba 2.2.1 will ship with PAM password, account, session and password support. They can be enabled with 'obey pam restrictions = yes' and 'pam password change = yes'. Note that the 2.2.0 release broke domain logons with some PAM configurations, but this is fixed in 2.2.1. Where are those pam parameters documented? Ping? Sorry about the lack of reply, both are documented in the smb.conf man-page in Samba 2.2.1. I'm also looking at other various PAM things as part of my AuthRewrite, currently in progress of being written for/merged into the HEAD branch. 2.2.1a-3 (and a couple of earlier releases in the 2.2 series) are built with "--with-pam". I'm not quite sure what you mean here. All Samba RPMs have (AFAIK) been built --with-pam since at least RH 5.2. When built --with-pam more recent samba versions will also check that acocunts/passwords have not expired and that they pass the 'session' module. This aditionall functionality is automaticly available, but is controlled by the 'obey pam restrictions' paramater for backwards compatability. I strongly recommend that RedHat enable 'obey pam restrictions' in its defualt configuration to ensure consistancy of policy between applications. At some future date --with-pam will no longer be required, and we will pick up the functionality from the autoconf data. I'll add it to the file - it may be commented out, to avoid introducing change right now. samba-2.2.1a-4 contains a section explaining the directive, but the directive is commented out as samba now defaults to encrypted passwords. Just to make it clear, the new PAM code was specificly written to be used when encrypted passwords = yes, in the same way that OpenSSH uses PAM despite public-key authentication. (OpenSSH was the inspiration behind the work). Also, look into the 'pam password chat' paramater, which does the same thing as the old code, but without all the issues of actually 'chatting' over a tty. I my opinion is much more likaly to work 'out of the box' without doing stupid things like changing root's password or the like. The docs say "Note that Samba always ignores PAM for authentica-tion in the case of encrypt passwords = yes". Anyway, it's there now and with the section from the smb.conf man page above it. BTW, you will need to make sure your PAM control files catch up with the change to get the extra session and password entries. (Having the extra entires will have NO adverse effect without the code enabled within samba, so its a safe move); Bug reopend: The PAM control files still need updating, see the sample samba.pamd.stack in our tree (packaging/RedHat) for what I mean. Remember, that while PAM is well-known for checking passwords it can also verifiy account status and manange session limits. The comment in the man-page refers to *authenticaion* not to account and session management. Andrew Bartlett samba-2.2.2-8 has the rest of these changes enabled. |