On Tue, 2006-09-19 at 09:59 -0400, Russell Handorf wrote:
> Greetings all,
>
> I'm working on attempting to get SAMBA to work with a product line
> called CryptoCard. I *should* be able to get it to work one of two ways,
> either through the use of CryptoCard's provided PAM module, or through
> RADIUS authentication.
>
> Currently, I cannot seem to get PAM authentication to work at all. This
> is what is in the 'samba' file for PAM:
> auth required /lib/security/pam_cap_auth.so
> server=<insertSERVERipHERE>:624 noeus debug echo
> auth requires /lib/security/pam_nologin.so
> account required /lib/security/pam_stack.so service=system-auth
> account required /lib/security/pam_permit.so
> session required /lib/security/pam_stack.so service=system-auth
> session optional /lib/security/pam_console.so
> password required /lib/security/pam_stack.so service=system-auth
>
> And for the smb.conf file I have the all important setting of 'encrypt
> passwords = No' to enable PAM authentication
>
> When attempting to authenticate locally, from the server to the server,
> I get:
> smbclient -U rhandorf -L \\\\localhost
> Password:
> session setup failed: NT_STATUS_UNSUCCESSFUL
>
> and in the error logs I get:
> [2006/09/18 13:42:36, 0] auth/pampass.c:smb_pam_auth(535)
> smb_pam_auth: PAM: UNKNOWN ERROR while authenticating user rhandorf
> [2006/09/18 13:42:36, 0] auth/pampass.c:smb_pam_passcheck(810)
> smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User rhandorf !

You need a lot more logs.
What I can't understand is how you are supposed to pass credential
authentication via smbclient, are you sending the Smartcard PIN in the
clear over the wire?

> I've looked around to see whether or not SAMBA supports RADIUS
> Authentication, and I haven't seen any documentation that totally says
> 'yes.'

No. Makes no sense to support any clear text based authentication except
for the historical support for PAM with clear text passwords.

> Asking the vendor yielded the response of "SAMBA then isn't PAM aware;
> We'd like to support it, but until it is PAM aware we won't."

As you can see we call the PAM stack, tell your vendor to try harder :-)

> Any help would be great.

I don't think PAM is the way to support SmartCard authentication via
Samba.

Simo.
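
A syntax check for a pam.d service file like the 'samba' one quoted in this message, added here as an example and not part of the thread or of Samba or Linux-PAM: it validates each entry's type and control fields against the keywords documented in pam.d(5). The function names are this example's own, and the sample is the quoted file with its mail-wrapped first entry rejoined.

```python
import re

VALID_TYPES = {"auth", "account", "session", "password"}
VALID_CONTROLS = {"required", "requisite", "sufficient", "optional",
                  "include", "substack"}
# type, control (keyword or [value=action ...] form), module path, arguments
LINE_RE = re.compile(r"^-?(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$")

# The 'samba' service file quoted in the message, with the mail-wrapped
# first entry rejoined; the server placeholder is the poster's own.
SAMPLE = """\
auth required /lib/security/pam_cap_auth.so server=<insertSERVERipHERE>:624 noeus debug echo
auth requires /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_permit.so
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so
password required /lib/security/pam_stack.so service=system-auth
"""

def logical_lines(text):
    """Yield (first_line_number, entry), dropping comments and joining
    entries continued with a trailing backslash."""
    buf, start = "", None
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        start = number if start is None else start
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield start, buf.strip()
        buf, start = "", None

def check_pam_service(text):
    """Return [(line_number, problem)] for entries that break pam.d syntax."""
    findings = []
    for number, entry in logical_lines(text):
        match = LINE_RE.match(entry)
        if not match:
            findings.append((number, "expected: type control module-path [args]"))
            continue
        mtype, control = match.group(1), match.group(2)
        if mtype not in VALID_TYPES:
            findings.append((number, f"unknown module type {mtype!r}"))
        if not control.startswith("[") and control not in VALID_CONTROLS:
            findings.append((number, f"unknown control flag {control!r}"))
    return findings
```

Calling `check_pam_service(SAMPLE)` returns one finding, for the second entry of the quoted file.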
