I'm sponsoring this fast track for Rob Thurlow and the CIFS client
project team. It requests a Patch release binding and a Committed
interface taxonomy.
This case number and title were created as a placeholder during
PSARC/2005/695 - CIFS Client on Solaris for a case dependency.
The project team decided to change the actual PAM module name to
better align with other parts of the CIFS client project from
pam_smb_login as in the case title (and also in the CIFS client
opinion) to pam_smbfs_login. I'm leaving the case name the same
for reference purposes.
The pam_smbfs_login(5) man page and a diffmarked privileges(5)
man page are in the case directory.
The timer is set for 6 Feb, 2008.
Gary..
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Background:
==========
PSARC 2005/695, the CIFS client for Solaris, implements the
"smbutil login" subcommand to store a persistent password in
the kernel so that subsequent actions for an identity can be
performed without prompting for a password. This functionality
is meant for non-Kerberos sites. An example is:
ecu[2]% smbutil view //thurlow@nano
Password:
Share      Type  Comment
-------------------------------
netlogon   disk  Network Logon Service
ipc$       IPC   IPC Service (Samba Server)
tmp        disk  Temporary file space
public     disk  Public Stuff
ethereal   disk  /export/ethereal
myshare    disk  Pavan's stuff
root       disk  Home Directories
7 shares listed from 7 available
ecu[3]% smbutil login
Password for WORKGROUP/THURLOW:
ecu[4]% smbutil login -c
Keychain entry exists.
ecu[5]% smbutil view //thurlow@nano
Share      Type  Comment
-------------------------------
netlogon   disk  Network Logon Service
ipc$       IPC   IPC Service (Samba Server)
tmp        disk  Temporary file space
public     disk  Public Stuff
ethereal   disk  /export/ethereal
myshare    disk  Pavan's stuff
root       disk  Home Directories
7 shares listed from 7 available
In environments where Active Directory or Kerberos are not in use,
user names and passwords can be synchronized between CIFS servers
and Solaris clients. In such environments, it can be useful to
store the user's login password at login time.
Proposal:
========
This case proposes to add a PAM module, pam_smbfs_login(5), to
do this. Without a separate password prompt, it behaves as
if the "smbutil login" command above had been run, storing
the CIFS LM/NTLM hash[1] of the login password in the kernel.
The module will be documented, but not configured in /etc/pam.conf
by default.
Details:
=======
The default domain is computed based on $HOME/.nsmbrc or the SMF
settings from "sharectl get smbfs"; if neither is
available, the system default "WORKGROUP" is used. The password
is stored for the user name and corresponding UID logging in.
We are changing the name from what the initial case suggested
to be consistent with other naming in the project.
Since PAM is run as the root uid at login time and must supply a UID
other than its own to store a password for the user, it will require
the proc_owner privilege to store the password hashes.
pam_smbfs_login(5):
Is in the case directory.
privileges(5):
PRIV_PROC_OWNER
Allow a process to send signals to other processes and
inspect and modify the process state in other processes,
regardless of ownership. When modifying another process,
additional restrictions apply: the effective privilege
set of the attaching process must be a superset of the
target process's effective, permitted, and inheritable
sets; the limit set must be a superset of the target's
limit set; if the target process has any UID set to 0
all privilege must be asserted unless the effective UID
is 0. Allow a process to bind arbitrary processes to
CPUs.
+ If the CIFS client is configured, allows a process to set
+ CIFS password hashes regardless of ownership.
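Review bot: the added sentence reads "allows a process to set CIFS password hashes" while the rest of the PRIV_PROC_OWNER entry uses the imperative "Allow a process to ..." for each capability; suggest "If the CIFS client is configured, allow a process to set CIFS password hashes regardless of ownership." so the new capability stays parallel with the two sentences before it.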
========
[1] See PSARC/2006/715/final.materials/cifs-design_1_1.pdf Appendix D for
LM/NTLM details.