
Re: samba: authentication through pam?



On Fri, Apr 11, 2003 at 02:48:20AM -0700, Paul Johnson wrote:
> On Fri, Apr 11, 2003 at 01:41:33AM -0700, nate wrote:
> > yes but it's probably not a good idea. In order for samba to use
> > PAM, you must disable password encryption on both the server AND
> > all the clients. This has to do with the way pam works, it doesn't
> > return the actual password that PAM received, it just returns a
> > response, so samba cannot receive the encrypted password or something.
> 
> Yuck...I'm amazed samba doesn't grok PAM...are there any SMB daemons
> that work with PAM in a sane manner?

Samba understands PAM about as well as any UNIX-based SMB server can. It
can even obey PAM restrictions on logon times and so forth. The problem
with authentication through PAM/NSS is that UNIX and Windows password
systems are fundamentally different and incompatible.

When you're using unencrypted passwords, the Windows machine sends the
cleartext password over the wire. The server can then use any local
authentication mechanism just like it would for telnet.

When you're on a Windows system using encrypted passwords, it takes the
password you enter and creates a hash on the workstation end. It then
sends the *hash* over the wire to the server, which also has a hash
stored. Windows doesn't use crypt() or md5 or some other hash used by
UNIX systems, it uses its own hash functions. Just like crypt/md5/etc,
you can't get from the NT hash back to the cleartext password. You're
left with two different hashes, and no way to get either one into the
same form as the other. This is why it is necessary to have two
different password files (or multiple fields in an LDAP entry) when you
use encrypted passwords.

-- 
Michael Heironimus


