Red Hat Bugzilla – Bug 31351
[PATCH] Account and Session PAM support for samba
Last modified: 2007-04-18 12:32:06 EDT
My patch (located at
http://samba.org/cgi-bin/samba-patches/incoming?id=233;user=guest) adds PAM
session support for all logins, and account support for both encrypted and
It may well be too late for this RedHat release, and I was hoping to get it
tested more - but here it is anyway.
Note that this patch is over raw 2.0.7, and that it conflicts with the
current PAM modifications.
Samba 2.2.0 shipped with PAM password account support. Samba 2.2.1 will ship
with PAM password, account, session and password support. They can be enabled
with 'obey pam restrictions = yes' and 'pam password change = yes'.
Note that the 2.2.0 release broke domain logons with some PAM configurations,
but this is fixed in 2.2.1.
Where are those pam parameters documented?
Sorry about the lack of reply, both are documented in the smb.conf man-page in
I'm also looking at other various PAM things as part of my AuthRewrite,
currently in progress of being written for/merged into the HEAD branch.
2.2.1a-3 (and a couple of earlier releases in the 2.2 series) are built with
I'm not quite sure what you mean here. All Samba RPMs have (AFAIK) been built
--with-pam since at least RH 5.2.
When built --with-pam more recent samba versions will also check that
accounts/passwords have not expired and that they pass the 'session' module.
This additional functionality is automatically available, but is controlled by the
'obey pam restrictions' parameter for backwards compatibility.
I strongly recommend that RedHat enable 'obey pam restrictions' in its default
configuration to ensure consistency of policy between applications.
At some future date --with-pam will no longer be required, and we will pick up
the functionality from the autoconf data.
I'll add it to the file - it may be commented out, to avoid introducing change
samba-2.2.1a-4 contains a section explaining the directive, but the directive is
commented out as samba now defaults to encrypted passwords.
Just to make it clear, the new PAM code was specifically written to be used when
encrypted passwords = yes, in the same way that OpenSSH uses PAM despite
public-key authentication. (OpenSSH was the inspiration behind the work).
Also, look into the 'pam password chat' parameter, which does the same thing as
the old code, but without all the issues of actually 'chatting' over a tty. In
my opinion it is much more likely to work 'out of the box' without doing stupid
things like changing root's password or the like.
The docs say "Note that Samba always ignores PAM for authentication in the
case of encrypt passwords = yes". Anyway, it's there now and with the section
from the smb.conf man page above it.
BTW, you will need to make sure your PAM control files catch up with the change
to get the extra session and password entries. (Having the extra entries will
have NO adverse effect without the code enabled within samba, so its a safe
Bug reopened: The PAM control files still need updating, see the sample
samba.pamd.stack in our tree (packaging/RedHat) for what I mean.
Remember, that while PAM is well-known for checking passwords it can also
verify account status and manage session limits. The comment in the man-page
refers to *authentication* not to account and session management.
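The two checks the thread keeps coming back to are whether the PAM control file for samba carries all four module types (auth, account, session, password) and whether smb.conf actually turns on 'obey pam restrictions'. The script below is an added example, not code from the bug report, from Red Hat's packaging or from Samba: it audits a PAM control file for the four module types and checks smb.conf for an active 'obey pam restrictions = yes' line. The sample PAM stacks and smb.conf fragments are constructed here in the pam_stack style used on Red Hat systems of that era; their paths are placeholders, and the smb.conf check does not follow 'include =' lines (an assumption of the example).

```shell
#!/bin/sh
# Added example, not code from the bug report or from Samba: audit a PAM
# control file for the four module types discussed in the thread (auth,
# account, session, password) and check whether smb.conf activates
# 'obey pam restrictions'. The sample files below are constructed here.

# Print the module types that have no active (non-comment) entry in the
# given PAM control file; exit status is 0 only when none are missing.
pam_missing_types() {
    file="$1"
    missing=""
    for t in auth account session password; do
        if ! grep -Eq "^[[:space:]]*$t[[:space:]]" "$file"; then
            missing="$missing $t"
        fi
    done
    missing="${missing# }"
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Exit 0 if smb.conf has an uncommented 'obey pam restrictions = yes' line.
# Samba's parser is case-insensitive and tolerant of whitespace, so the
# pattern is too; 'include =' files are not followed (assumption).
smb_obeys_pam() {
    grep -Eiq '^[[:space:]]*obey[[:space:]]+pam[[:space:]]+restrictions[[:space:]]*=[[:space:]]*(yes|true|1)[[:space:]]*$' "$1"
}

# --- constructed sample inputs (pam_stack style; placeholder paths) -------
AUDIT_DIR="$(mktemp -d)"
OLD_STACK="$AUDIT_DIR/samba.old"
NEW_STACK="$AUDIT_DIR/samba.new"
SMB_ON="$AUDIT_DIR/smb.on.conf"
SMB_OFF="$AUDIT_DIR/smb.off.conf"

# Pre-2.2.1 style stack: only auth and account entries.
cat >"$OLD_STACK" <<'EOF'
#%PAM-1.0
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth
EOF

# Stack with the session and password entries the thread asks for.
cat >"$NEW_STACK" <<'EOF'
#%PAM-1.0
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
EOF

cat >"$SMB_ON" <<'EOF'
[global]
   workgroup = EXAMPLE
   encrypt passwords = yes
   obey pam restrictions = yes
   pam password change = yes
EOF

cat >"$SMB_OFF" <<'EOF'
[global]
   workgroup = EXAMPLE
   encrypt passwords = yes
;  obey pam restrictions = yes
EOF

# Report each combination: a stack lacking session/password entries only
# matters once samba is told to obey PAM restrictions; with the parameter
# off, the extra entries are harmless, as the thread notes.
for conf in "$SMB_ON" "$SMB_OFF"; do
    for stack in "$OLD_STACK" "$NEW_STACK"; do
        miss="$(pam_missing_types "$stack")"
        if smb_obeys_pam "$conf"; then
            if [ -n "$miss" ]; then
                echo "$conf + $stack: obey pam restrictions is on but PAM stack lacks: $miss"
            else
                echo "$conf + $stack: OK, full PAM stack"
            fi
        else
            echo "$conf + $stack: obey pam restrictions off; extra entries harmless"
        fi
    done
done
```

Run it against the real files by replacing the constructed paths with /etc/pam.d/samba and /etc/samba/smb.conf; the old-style stack reports "session password" as missing, the full stack reports nothing, and only the smb.conf with the directive uncommented makes the first case an actual policy gap.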
samba-2.2.2-8 has the rest of these changes enabled.