I have a working winbind on my Radados server that lets Ubuntu Gutsy workstations authenticate from the server. It works great. A user account that exists on the server with a home directory is able to log in to Ubuntu with GDM and have a Gnome desktop, and their home directory is mounted from the server; all is good.
The server has many shares that are being offered to users that are members of select groups. For example, there is a group "accounting" and only users that are members of accounting can access it. Let's say I have a user named "lisa" and she is a member of "accounting". She has rights on the server to the "accounting files" share because she is a member of "accounting". Another server, let's call it SERVER_B, has a share that is also available to members of "accounting". SERVER_B has a smb.conf with read and write lists defined like so: write list = @"MYDOMAIN+accounting". This part works great. Lisa can log in to any Gutsy system on the network, her home directory follows her around and she can log in to SERVER_B and access the share for "accounting" members. Anyone not a member of "accounting" cannot access the accounting share on SERVER_B. The "accounting" group is mapped using net groupmap.
PAM is used on the Gutsy workstations to authenticate Lisa at login time by using winbind to call a challenge to the Radados server for the authentication of the user. PAM is also doing this to mount Lisa's home directory using pam_mount. Lisa then opens nautilus to browse the network to access the accounting share on SERVER_B. Nautilus is linked to libsmbclient to access the SMB protocols. A pop-up dialog asks Lisa to enter her login name, domain name and account password to access the accounting share on SERVER_B. If she enters the data correctly she will be allowed into the share, and denied if she does not. PAM already has the authentication information for the user. I want to find a way that I can make libsmbclient look to the PAM system for authentication before asking for the authentication data.
I know libsmbclient is not actually showing the pop-up dialog; that comes from nautilus, but libsmbclient is looking to see if it can access the share without authentication and if that fails it then asks for authentication information from the application, most likely with a callback function or a returned error code. I want libsmbclient to look for authentication from PAM before going back to the application. I am unable to find any way to do this. I have been looking for a way to make a libsmbclient PAM config file but have not found any such thing.
PAM is mostly a service for server side authentication control, meaning that PAM can be used to authenticate for the server's side of an action, not the client side. For example, PAM could be used for FTPD to authenticate incoming FTP requests but it cannot be set up to provide your authentication details to the FTP client program. PAM is mostly for server side because the documentation says it is for server side, but pam_mount is a client side example of how it can be used for client side authentications. pam_mount is set up to mount the user's home directory from the server and it works. I don't know the relationship between PAM and the mounting of SMB shares, but at some point it must go through libsmbclient, and PAM is holding the authentication data for the user.
Once a user has been authenticated and they are into their desktop, they should be able to access all SMB domain services without being asked for their login and password again, unless it is a service that requires a different user name and password. I do not want a fix for nautilus because there are many other file managers and other programs that use libsmbclient. It may be possible to use pam_env to store a global username and password but that would be dangerous. Advice please.
-- You need music, music needs you; but the RIAA we'd all be better off without.
-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
