topic CIFS (samba 2.2.3a) +PAM(LDAP) in Operating System - HP-UX

CIFS (samba 2.2.3a) +PAM(LDAP)

Mark De Moor — Mon, 24 Jun 2002 12:42:27 GMT

Hi ,
I'am using cifs 9000 on HP-UX 11i (+ldap-ux) and have a few questions, i didn't find a clear answer for.

Does cifs 9000 (samba 2.2.3a) support PAM(-ldap) if using share-mode and plain-text passwords ?
Do i have to modify the pam.conf ?

The source is not included in the depot, according to the doc's it should be. Does HP provides it, or do i have to get it from samba-site, without HP's modifications then.

Is the compile-option --with-ldapsam allready supported ?

Kind regards
Mark De Moor

Re: CIFS (samba 2.2.3a) +PAM(LDAP)

rainer doelker — Thu, 27 Jun 2002 11:22:16 GMT

Hi Mark,

as ldap-ux provides hpux-user-validation against a directory server by editing the /etc/pam.conf to use the libpam-ldap.1 (I think) This follows strictly that if you choose "security = user" in smb.conf for cifs along with "encrypt passwords = no" that a password is send to the unix-passwd-mechanism.

The only disadvantage is you need to hack the registry for each NT and Win2000 client to send a plain password AND this might be a security issue as well.

BUT unfortunately this is currently the only way.

Compiling the cifs-package with other options else than the ready package would mean - no support! (It would be a too large variety of options to test)

If you go to software.hp.com you'll find a new cifs A.01.08 package including the sources. That was a packaging mistake -- sorry for this.

hope this helped.
Rainer

Re: CIFS (samba 2.2.3a) +PAM(LDAP)

Walter Jaeger — Thu, 27 Jun 2002 16:26:01 GMT

hy Mark,
CIFS/9000 Server and LDAP-UX works together without any Problems

LDAP-UX consists of 3 parts
- NSS_LDAP
- PAM_LDAP
- NIS-LDAP-Gateway

Samba only needs an anderlaying UNIX user account which can be provided by NSS_LDAP.
NSS_LDAP provides all Authorisation Information (UID, GID, Username, ...) like NIS, but without Authentication
Config file /etc/nsswitch.conf
Check tools for LDAP-Client Config:
- pwget -n
- pwget
- listusers
- id

because Samba has a own Authentication Mechanism (smbpasswd file), you don't need the PAM_LDAP
==> no editing of /etc/pam.conf
==> smb.conf "encrypt passwords = yes"
==> no Windows Registry Hack

Yes, CIFS/9000 server supports "Plain text passwds", but there are many disadvantages like no PDC-Support.

Best regards,
Walter Jaeger

Re: CIFS (samba 2.2.3a) +PAM(LDAP)

Mark De Moor — Mon, 01 Jul 2002 08:10:35 GMT

Tanx Rainer & Walter,

this was already helpfull, but I'am still a little confused.
Does it mean that if using
share-mode & no encryption
cifs is not using pam-...
but uses another mechanism, and only checks the /etc/passwd file ?

Most of our users still have a "hacked reg." to use samba-shares.
I know plain-text pw's is not very safe, but we need some time to switch to encrypted pw's and then keep the unix and windows/smb pw's synchronised.
Using an Active Directory is maybe a solution, but we don't like that very much, maybe SSOD can help...we'll see.

Well I'll download the new depot, so I'll have the source and can try some options at own risk of course.

Kind regards
Mark