|Summary:|[PATCH] Account and Session PAM support for samba|
|Product:|[Retired] Red Hat Raw Hide|
|Reporter:|Andrew Bartlett <abartlet>|
|Component:|samba|
|Assignee:|Trond Eivind Glomsrød <teg>|
|Status:|CLOSED RAWHIDE|
|QA Contact:|David Lawrence <dkl>|
|Doc Type:|Bug Fix|
|Last Closed:|2001-09-08 08:51:57 UTC|
Description Andrew Bartlett 2001-03-10 07:28:56 UTC
My patch (located at http://samba.org/cgi-bin/samba-patches/incoming?id=233;user=guest) adds PAM session support for all logins, and account support for both encrypted and plain-text logins. It may well be too late for this RedHat release, and I was hoping to get it tested more - but here it is anyway. Note that this patch is over raw 2.0.7, and that it conflicts with the current PAM modifications.
Comment 1 Andrew Bartlett 2001-05-05 08:43:07 UTC
Samba 2.2.0 shipped with PAM password account support. Samba 2.2.1 will ship with PAM password, account, session and password support. They can be enabled with 'obey pam restrictions = yes' and 'pam password change = yes'. Note that the 2.2.0 release broke domain logons with some PAM configurations, but this is fixed in 2.2.1.
Comment 2 Trond Eivind Glomsrød 2001-06-19 14:19:35 UTC
Where are those pam parameters documented?
Comment 3 Trond Eivind Glomsrød 2001-08-09 03:50:59 UTC
Comment 4 Andrew Bartlett 2001-08-09 09:07:11 UTC
Sorry about the lack of reply; both are documented in the smb.conf man page in Samba 2.2.1. I'm also looking at other various PAM things as part of my AuthRewrite, currently in the process of being written for/merged into the HEAD branch.
Comment 5 Trond Eivind Glomsrød 2001-08-09 18:46:33 UTC
2.2.1a-3 (and a couple of earlier releases in the 2.2 series) are built with "--with-pam".
Comment 6 Andrew Bartlett 2001-08-10 11:34:17 UTC
I'm not quite sure what you mean here. All Samba RPMs have (AFAIK) been built --with-pam since at least RH 5.2. When built --with-pam, more recent Samba versions will also check that accounts/passwords have not expired and that they pass the 'session' module. This additional functionality is automatically available, but is controlled by the 'obey pam restrictions' parameter for backwards compatibility. I strongly recommend that RedHat enable 'obey pam restrictions' in its default configuration to ensure consistency of policy between applications. At some future date --with-pam will no longer be required, and we will pick up the functionality from the autoconf data.
Comment 7 Trond Eivind Glomsrød 2001-08-13 02:03:36 UTC
I'll add it to the file - it may be commented out, to avoid introducing change right now.
Comment 8 Trond Eivind Glomsrød 2001-08-13 20:03:47 UTC
samba-2.2.1a-4 contains a section explaining the directive, but the directive is commented out as samba now defaults to encrypted passwords.
Comment 9 Andrew Bartlett 2001-08-13 21:01:17 UTC
Just to make it clear, the new PAM code was specifically written to be used when encrypted passwords = yes, in the same way that OpenSSH uses PAM despite public-key authentication. (OpenSSH was the inspiration behind the work.) Also, look into the 'pam password chat' parameter, which does the same thing as the old code, but without all the issues of actually 'chatting' over a tty. In my opinion it is much more likely to work 'out of the box' without doing stupid things like changing root's password or the like.
Comment 10 Trond Eivind Glomsrød 2001-08-13 21:10:51 UTC
The docs say "Note that Samba always ignores PAM for authentication in the case of encrypt passwords = yes". Anyway, it's there now and with the section from the smb.conf man page above it.
Comment 11 Andrew Bartlett 2001-08-13 21:36:56 UTC
BTW, you will need to make sure your PAM control files catch up with the change to get the extra session and password entries. (Having the extra entries will have NO adverse effect without the code enabled within samba, so it's a safe move.)
Comment 12 Andrew Bartlett 2001-09-08 08:51:52 UTC
Bug reopened: The PAM control files still need updating; see the sample samba.pamd.stack in our tree (packaging/RedHat) for what I mean. Remember that while PAM is well-known for checking passwords, it can also verify account status and manage session limits. The comment in the man page refers to *authentication*, not to account and session management. Andrew Bartlett
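The mismatch raised in comments 11 and 12 (the smb.conf options turned on while the PAM control file still lacks the matching entries) can be checked mechanically. The following is an added example, not code from Samba or from this report: the sample file contents are constructed, and the mapping of 'obey pam restrictions' to the account and session groups and of 'pam password change' to the password group is an assumption taken from the comments above.

```python
# Constructed sample inputs; not copied from the Samba tree or from this bug report.
SMB_CONF = """\
[global]
   encrypt passwords = yes
   Obey PAM Restrictions = Yes
   ; pam password change = yes
[homes]
   browseable = no
"""
PAM_SAMBA = """\
#%PAM-1.0
auth       required   pam_stack.so service=system-auth
account    required   pam_stack.so service=system-auth
"""
TRUE_VALUES = {"yes", "true", "1"}  # boolean spellings smb.conf accepts

def global_params(conf_text):
    """[global] parameters, names lowercased with whitespace removed (smb.conf ignores both)."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params["".join(name.split()).lower()] = value.strip().lower()
    return params

def pam_types(pam_text):
    """Management groups (auth, account, session, password) with at least one module line."""
    types = set()
    for raw in pam_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3:  # type, control flag, module path
            types.add(fields[0].lstrip("-").lower())
    return types

def missing_pam_entries(conf_text, pam_text):
    """PAM groups the enabled smb.conf options depend on but the PAM file does not define."""
    params, present = global_params(conf_text), pam_types(pam_text)
    needed = set()
    if params.get("obeypamrestrictions") in TRUE_VALUES:
        needed |= {"account", "session"}
    if params.get("pampasswordchange") in TRUE_VALUES:
        needed.add("password")
    return sorted(needed - present)

print(missing_pam_entries(SMB_CONF, PAM_SAMBA))  # ['session']
```

An empty list means every PAM group the enabled options depend on has at least one module line; it says nothing about whether those modules enforce the intended policy.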
Comment 13 Trond Eivind Glomsrød 2001-11-29 23:53:17 UTC
samba-2.2.2-8 has the rest of these changes enabled.