Greetings all,

Not being able to get PAM to work correctly, I then tried their RADIUS server approach. I am now getting closer to success with this problem. I see the RADIUS traffic push and pull; it authenticates successfully once and then, on a second authentication attempt, fails (as the card sequence most likely changed).

Below is what I am entering at the CLI, and am now getting output:

fileserver:/etc/pam.d# smbclient -U rhandorf -L \\\\localhost
Password:
Domain=[<snip>] OS=[Unix] Server=[<snip>]

       Sharename       Type      Comment
       ---------       ----      -------
       homes           Disk
       public          Disk
       IPC$            IPC       IPC Service
       ADMIN$          IPC       IPC Service
       rhandorf        Disk      Home directory of rhandorf
session setup failed: NT_STATUS_LOGON_FAILURE
NetBIOS over TCP disabled -- no workgroup available

and in the auth.log

Sep 22 09:03:46 localhost smbd[9625]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=samba ruser= rhost=127.0.0.1 user=rhandorf

the samba pam file contains the following:

auth sufficient pam_radius_auth.so debug conf=/etc/raddb/server
auth    required        pam_unix.so nullok_secure
account required        pam_unix.so
session required        pam_unix.so

Windows always reports back with "\\fileserver is not accessible. You might not have permission to use this network resource..." error.

Any ideas as to how I can attack this one?

Thanks again all,

r
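
How the `auth` lines of the samba PAM file above combine, as an added example that is not part of the original post: a simplified Python model of the Linux-PAM keyword control flags. `parse_stack`, `evaluate` and the per-module outcomes are illustrative assumptions; only the stack text is copied from the post.

```python
# Added example: simplified model of Linux-PAM keyword control flags.
# The stack text is copied from the post; the module outcomes are assumptions.
SAMBA_PAM = """\
auth sufficient pam_radius_auth.so debug conf=/etc/raddb/server
auth    required        pam_unix.so nullok_secure
account required        pam_unix.so
session required        pam_unix.so
"""

KEYWORDS = {"required", "requisite", "sufficient", "optional"}


def parse_stack(text, facility):
    """Return [(control, module), ...] for one facility, in file order."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0] != facility:
            continue
        if fields[1] not in KEYWORDS:
            raise ValueError(f"control flag not modelled: {fields[1]!r}")
        stack.append((fields[1], fields[2]))
    return stack


def evaluate(stack, outcome):
    """outcome maps module -> True (PAM_SUCCESS) or False (any failure).

    Returns (granted, consulted) where consulted lists the modules that ran.
    """
    required_failed = False
    any_success = False
    consulted = []
    for control, module in stack:
        ok = outcome[module]
        consulted.append(module)
        if control == "sufficient":
            if ok and not required_failed:
                return True, consulted      # short-circuit: rest is skipped
        elif control == "requisite" and not ok:
            return False, consulted         # fail immediately
        elif control in ("required", "requisite"):
            any_success = any_success or ok
            required_failed = required_failed or not ok
        # 'optional' (and a failed 'sufficient') do not decide the result here
    return any_success and not required_failed, consulted


AUTH = parse_stack(SAMBA_PAM, "auth")
# Constructed scenarios: RADIUS accepts the passcode, then rejects a reused one.
FIRST = evaluate(AUTH, {"pam_radius_auth.so": True, "pam_unix.so": False})
SECOND = evaluate(AUTH, {"pam_radius_auth.so": False, "pam_unix.so": False})
```

In the second scenario `pam_unix.so` is the last module consulted, which is consistent with the `(pam_unix) authentication failure` line in auth.log being logged after the RADIUS module has already returned a failure.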


Russell Handorf wrote:
Thanks Simo for your response. I'm working with the vendor a little more. Here are the details on the PAM errors.

[2006/09/19 07:56:48, 4] auth/pass_check.c:pass_check(621)
 pass_check: Checking (PAM) password for user rhandorf (l=6)
[2006/09/19 07:56:48, 4] auth/pampass.c:smb_pam_start(459)
 smb_pam_start: PAM: Init user: rhandorf
[2006/09/19 07:56:48, 4] auth/pampass.c:smb_pam_start(476)
 smb_pam_start: PAM: setting rhost to: 127.0.0.1
[2006/09/19 07:56:48, 4] auth/pampass.c:smb_pam_start(485)
 smb_pam_start: PAM: setting tty
[2006/09/19 07:56:48, 4] auth/pampass.c:smb_pam_start(493)
 smb_pam_start: PAM: Init passed for user: rhandorf
[2006/09/19 07:56:48, 4] auth/pampass.c:smb_pam_auth(510)
 smb_pam_auth: PAM: Authenticate User: rhandorf
[2006/09/19 07:56:48, 0] auth/pampass.c:smb_pam_auth(535)
 smb_pam_auth: PAM: UNKNOWN ERROR while authenticating user rhandorf
[2006/09/19 07:56:48, 2] auth/pampass.c:smb_pam_error_handler(73)
 smb_pam_error_handler: PAM: Authentication Failure : Module is unknown
[2006/09/19 07:56:48, 0] auth/pampass.c:smb_pam_passcheck(810)
 smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User rhandorf !
[2006/09/19 07:56:48, 4] auth/pampass.c:smb_pam_end(440)
 smb_pam_end: PAM: PAM_END OK.


The only other authentication method that they support then is RADIUS, which is clear text as well. Which one does everyone suggest I then try to tackle with SAMBA support? PAM or RADIUS?

Thanks again,
r


Simo Sorce wrote:
On Tue, 2006-09-19 at 09:59 -0400, Russell Handorf wrote:
Greetings all,

I'm working on attempting to get SAMBA to work with a product line called CryptoCard. I *should* be able to get it to work one of two ways, either through the use of CryptoCard's provided PAM module, or through RADIUS authentication.

Currently, I cannot seem to get PAM authentication to work at all. This is what is in the 'samba' file for PAM:
auth       required     /lib/security/pam_cap_auth.so server=<insertSERVERipHERE>:624 noeus debug echo
auth       requires     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_permit.so
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so
password   required     /lib/security/pam_stack.so service=system-auth

And for the smb.conf file I have the all important setting of 'encrypt passwords = No' to enable PAM authentication

When attempting to authenticate locally, from the server to the server, I get:
smbclient -U rhandorf -L \\\\localhost
Password:
session setup failed: NT_STATUS_UNSUCCESSFUL

and in the error logs I get:
[2006/09/18 13:42:36, 0] auth/pampass.c:smb_pam_auth(535)
  smb_pam_auth: PAM: UNKNOWN ERROR while authenticating user rhandorf
[2006/09/18 13:42:36, 0] auth/pampass.c:smb_pam_passcheck(810)
smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User rhandorf !

You need a lot more logs.
What I can't understand is how you are supposed to pass credential
authentication via smbclient, are you sending the Smartcard PIN in the
clear over the wire?

I've looked around to see whether or not SAMBA supports RADIUS Authentication, and I haven't seen any documentation that totally says 'yes.'

No. Makes no sense to support any clear text based authentication except
for the historical support for PAM with clear text passwords.

Asking the vendor yielded the response of "SAMBA then isn't PAM aware; We'd like to support it, but until it is PAM aware we won't."

As you can see we call the PAM stack, tell your vendor to try harder :-)

Any help would be great.

I don't think PAM is the way to support SmartCard authentication via
Samba.

Simo.
