Thanks Simo for your response. I'm working with the vendor a little
more. Here are the details on the PAM errors.

[2006/09/19 07:56:48, 4] auth/pass_check.c:pass_check(621)
pass_check: Checking (PAM) password for user rhandorf (l=6)
[2006/09/19 07:56:48, 4] auth/pampass.c:smb_pam_start(459)
smb_pam_start: PAM: Init user: rhandorf
[2006/09/19 07:56:48, 4] auth/pampass.c:smb_pam_start(476)
smb_pam_start: PAM: setting rhost to: 127.0.0.1
[2006/09/19 07:56:48, 4] auth/pampass.c:smb_pam_start(485)
smb_pam_start: PAM: setting tty
[2006/09/19 07:56:48, 4] auth/pampass.c:smb_pam_start(493)
smb_pam_start: PAM: Init passed for user: rhandorf
[2006/09/19 07:56:48, 4] auth/pampass.c:smb_pam_auth(510)
smb_pam_auth: PAM: Authenticate User: rhandorf
[2006/09/19 07:56:48, 0] auth/pampass.c:smb_pam_auth(535)
smb_pam_auth: PAM: UNKNOWN ERROR while authenticating user rhandorf
[2006/09/19 07:56:48, 2] auth/pampass.c:smb_pam_error_handler(73)
smb_pam_error_handler: PAM: Authentication Failure : Module is unknown
[2006/09/19 07:56:48, 0] auth/pampass.c:smb_pam_passcheck(810)
smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User rhandorf !
[2006/09/19 07:56:48, 4] auth/pampass.c:smb_pam_end(440)
smb_pam_end: PAM: PAM_END OK.

The only other authentication method that they support then is RADIUS,
which is clear text as well. Which one does everyone suggest I then try
to tackle with SAMBA support? PAM or RADIUS?

Thanks again,
r

Simo Sorce wrote:
> On Tue, 2006-09-19 at 09:59 -0400, Russell Handorf wrote:
>> Greetings all,
>>
>> I'm working on attempting to get SAMBA to work with a product line
>> called CryptoCard. I *should* be able to get it to work one of two ways,
>> either through the use of CryptoCard's provided PAM module, or through
>> RADIUS authentication.
>>
>> Currently, I cannot seem to get PAM authentication to work at all. This
>> is what is in the 'samba' file for PAM:
>>
>> auth required /lib/security/pam_cap_auth.so
>> server=<insertSERVERipHERE>:624 noeus debug echo
>> auth requires /lib/security/pam_nologin.so
>> account required /lib/security/pam_stack.so service=system-auth
>> account required /lib/security/pam_permit.so
>> session required /lib/security/pam_stack.so service=system-auth
>> session optional /lib/security/pam_console.so
>> password required /lib/security/pam_stack.so service=system-auth
>>
>> And for the smb.conf file I have the all important setting of 'encrypt
>> passwords = No' to enable PAM authentication.
>>
>> When attempting to authenticate locally, from the server to the server,
>> I get:
>>
>> smbclient -U rhandorf -L \\\\localhost
>> Password:
>> session setup failed: NT_STATUS_UNSUCCESSFUL
>>
>> and in the error logs I get:
>>
>> [2006/09/18 13:42:36, 0] auth/pampass.c:smb_pam_auth(535)
>> smb_pam_auth: PAM: UNKNOWN ERROR while authenticating user rhandorf
>> [2006/09/18 13:42:36, 0] auth/pampass.c:smb_pam_passcheck(810)
>> smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User rhandorf !
>
> You need a lot more logs.
> What I can't understand is how you are supposed to pass credential
> authentication via smbclient, are you sending the Smartcard PIN in the
> clear over the wire?
>
>> I've looked around to see whether or not SAMBA supports RADIUS
>> Authentication, and I haven't seen any documentation that totally says
>> 'yes.'
>
> No. Makes no sense to support any clear text based authentication except
> for the historical support for PAM with clear text passwords.
>
>> Asking the vendor yielded the response of "SAMBA then isn't PAM aware;
>> We'd like to support it, but until it is PAM aware we won't."
>
> As you can see we call the PAM stack, tell your vendor to try harder :-)
>
>> Any help would be great.
>
> I don't think PAM is the way to support SmartCard authentication via
> Samba.
>
> Simo.
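
Added example, not part of the thread and not Samba or CryptoCard code: PAM's "Module is unknown" result is returned when the library cannot set up a module named in the service file, so two things worth checking statically in a file like the 'samba' one quoted above are that every control keyword is one Linux-PAM recognises and that every absolute module path exists. The function name, the sample text and the server address are constructed for illustration; Linux-PAM service-file syntax is assumed.

```python
import os
import re

# Management groups and control keywords Linux-PAM accepts in /etc/pam.d files.
TYPES = {"auth", "account", "session", "password"}
FLAGS = {"required", "requisite", "sufficient", "optional", "include", "substack"}
RULE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

# Constructed sample modelled on the service file quoted in the thread;
# the server address is a documentation placeholder.
SAMPLE = """\
auth     required  /lib/security/pam_cap_auth.so server=192.0.2.10:624 debug
auth     requires  /lib/security/pam_nologin.so
account  required  /lib/security/pam_stack.so service=system-auth
session  optional  /lib/security/pam_console.so
"""

def lint_pam_service(text, module_exists=os.path.exists):
    """Return a list of (line_number, message) findings for one service file."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE.match(line)
        if not m:
            findings.append((no, "incomplete rule"))
            continue
        mtype, control, module = m.groups()
        if mtype.lstrip("-").lower() not in TYPES:
            findings.append((no, f"unknown type '{mtype}'"))
        bracketed = control.startswith("[")  # e.g. [success=1 default=ignore]
        if not bracketed and control.lower() not in FLAGS:
            findings.append((no, f"unknown control flag '{control}'"))
        # include/substack name another service file, not a shared object.
        # Only absolute module paths can be checked without knowing the
        # distribution's default module directory.
        names_service = control.lower() in ("include", "substack")
        if not names_service and module.startswith("/") and not module_exists(module):
            findings.append((no, f"module not found: {module}"))
    return findings

if __name__ == "__main__":
    for no, msg in lint_pam_service(SAMPLE):
        print(f"line {no}: {msg}")
```

A rule whose arguments have been wrapped onto a second line without a trailing backslash is reported as an unknown type, since the continuation is parsed as a rule of its own.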