The pam_pwdb modules check a user's credentials against /etc/passwd, the system password database. Our goal is to modify the authentication process so that the system will instead authenticate users against the DC. Add the following configuration line after the pam_securetty.so entry:
auth sufficient
/lib/security/pam_smb_auth.so debug
This configuration line specifies that this authentication service use the auth keyword. The sufficient keyword informs PAM that if pam_smb accepts a user's credentials, that action is sufficient for allowing access. Because you've left the pam_pwdb entry intact, if pam_smb rejects the user's credentials, PAM will request that pam_pwdb perform its own check. (This step is necessary if, for example, you want to let the system's administrative user, root, log on if the system can't access the network.) The debug parameter specifies that pam_smb log all authentication attempts, successful or not, to syslog. Typically, you'll find this output in /var/log/secure or /var/log/message. After you're sure pam_smb is working, you can remove this parameter.
For newer Red Hat Linux releases (e.g., version 7.2), in which you install pam_smb by source and not by using RPM, the /etc/pam.d/login configuration file will look a little different because Red Hat Linux 7.2's PAM configuration is slightly different from Red Hat Linux 6.0's configuration. Regardless, you'll use the same method to configure Telnet to use logons for Windows accounts. Simply add the pam_smb configuration line immediately after the pam_securetty.so entry. The modified configuration file will be similar to Listing 2.
You've now configured pam_smb and PAM. Although Linux will now authenticate users against your DCs, users must have local accounts. To meet that need, create a user on the system that corresponds to the Windows account. For example, if a user named john is going to log on, create the same user on the system:
# useradd john
This step isn't strictly necessary; pam_smb has an optional feature that authenticates users who don't have local system accounts. However, this feature is primarily for use by services that need to authenticate users without giving them interactive access to the system. Because our users need interactive access, this option doesn't apply.
Think of the Possibilities
After you install pam_smb, users can easily and efficiently log on to your Linux servers. You should now be ready to configure other services, such as SSH and FTP, to use pam_smb.
Any system that allows centralized authentication requires users to remember fewer passwords. The passwords users choose can be more complex, and thus, more secure. In addition, because pam_smb is open source, you can modify its code to suit your environment, extend the utility's abilities, and further organize your logon capabilities.
Systems administrators who use pam_smb might be concerned about its reliance on LANMAN. Even when LANMAN is encrypted, it isn't entirely safe from attack in a shared-network environment. However, comprehensive solutions are available that don't rely on LANMAN.
One such solution is Samba, which now offers Windows 2000 and Windows NT 4.0 directory integration. To accomplish this integration, Samba uses a new service known as winbind, which works in conjunction with Linux's authentication subsystem. For more information about Samba and winbind, visit the Samba Web site at http://www.samba.org.
End of Article
)
pkarrel,pkarrel November 06, 2006 (Article Rating: