
Re: Win2000 PDC Authentication and Authorization



On Tue, Jan 28, 2003 at 11:07:48AM -0600, Mike Renfro wrote:

> We do that (PDC serving Windows, Solaris, and Linux clients) with
> pam_smb.

Since someone asked, here's our basic setup. It may be of use to
someone else, or I might get a full security audit from others more
experienced:

=====

Authenticating Solaris and GNU/Linux Users from an NT4.0 PDC

Given

   2 Solaris 2.7 workstations, 2 Solaris 2.8 workstations, 1 Debian
   GNU/Linux workstation, 1 large Windows NT 4.0 domain

Required

   Networked authentication database for all machines.

Restrictions

   Nothing horribly insecure (like NIS), no changes required on NT
   machines (like NISGINA or a Samba PDC).

Solution (Solaris)

   pam_ntdom (pluggable authentication module for NT domains), Samba
   2.0.x (only for utilities, not running as a network service).
    1. On the PDC, add one computer per Solaris system onto the domain.
       Make them regular workstations, not BDCs.
    2. Compile and install Samba 2.0.x (we used 2.0.7; as of May 9, 2001,
       Samba 2.2.x was not compatible with this procedure). All samba
       files live in /usr/local/samba -- might need to create
       /usr/local/samba/private, too.
    3. Edit /usr/local/samba/lib/smb.conf -- the global section should
       contain:
     workgroup = YOURDOMAIN
     security = server
     password server = PDCNAME
     local master = no
     os level = 0
     domain controller = PDCNAME
     wins support = no
     wins server = YOUR.WINS-SERVER.IP.ADDRESS
    4. Since we won't actually be running any of the Samba daemons, the
       rest of the file should be irrelevant. In fact, even this section
       is probably irrelevant, since all we need to do is make a machine
       account on the PDC and set up a trust relationship between the PDC
       and the Solaris system.
    5. On the Solaris system, as root, run smbpasswd -j DOMAIN -r PDCNAME
       -- this will set up a trust relationship between the PDC and the
       Solaris system.
    6. Copy /usr/local/samba/private/DOMAIN.SOLARISNAME.mac to
       /etc/security -- the whole /usr/local/samba directory could be
       deleted now, if necessary.
    7. Compile pam_ntdom 0.24 (pulled source code from CVS, no tar
       archives publicly available).
    8. Copy pam_ntdom_auth.so to /usr/lib/security
    9. Edit /etc/pam_smb.conf as follows:
     YOURDOMAIN
     YOURPDC
     YOURBDC
   10. Edit /etc/pam.conf to allow authentication via pam_ntdom -- find
       the stanza that reads:
     other   auth required   /usr/lib/security/pam_unix.so.1
   11. Change it to:
     other   auth sufficient /usr/lib/security/pam_unix.so.1
     other   auth required   /usr/lib/security/pam_ntdom_auth.so
   12. This is enough to allow ssh access authenticated by pam_ntdom. If
       you want to allow local console logins by the same method, you'll
       have to edit the login auth and dtlogin auth entries similarly.
   13. For any users who need access to the Solaris machines, add dummy
       accounts with disabled passwords. In our case:
     useradd -d HOMEDIR -g GROUP -s SHELL -u UID USERNAME

Solution (Debian)

   apt-get install libpam-smb, then edit /etc/pam_smb.conf as in Solaris
   step 9. Edit any config files in /etc/pam.d you want to be SMB-aware,
   changing
  auth  required    pam_unix.so

   to
  auth  sufficient  pam_unix.so
  auth  required    pam_smb_auth.so

   And the useradd command becomes something like:
   /usr/sbin/useradd -d HOMEDIR -g GROUP -s SHELL -p '*NP*' -u UID USERNAME

   The reason for the change from the Solaris useradd command (the -p
   flag) is that if we allow useradd to place a * character in the
   password field, one of the other pam modules denies access. That same
   module checks for NIS capabilities by assuming that a password entry
   of *NP* means that an NIS server is present, and allows authentication
   to continue.

Bugs

   Solaris 7 (and most Unixes) might only examine the first 8 characters
   of any given username. [1]This comp.unix.solaris thread from 1997
   indicates that long usernames might in fact work flawlessly for the
   vast majority of Solaris utilities, but it's not supported. Programs
   compiled with utmp.h instead of utmpx.h might also have problems.

   Last updated: 2002/06/26 4:01 PM

References

   1. http://groups.google.com/groups?hl=en&lr=&safe=off&ic=1&th=f71e0b0751934467,8

=====

-- 
Mike Renfro  / R&D Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University -- renfro@tntech.edu
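The Debian PAM edit from the "Solution (Debian)" section above, written as a script. This is an added example, not code from Mike Renfro's post: it rewrites the `auth required pam_unix.so` line of a pam.d service file into the sufficient/required pair the post gives, refuses to apply the change twice, and then checks that the resulting auth stack has pam_unix (sufficient) before pam_smb_auth (required). The module names are those in the post; the function names, the temporary-file layout and the sample service file are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes a Debian-style
# /etc/pam.d service file using the module names given in the post.
set -e

# Print FILE with its "auth required pam_unix.so" line replaced by the
# two-line stack from the post. Idempotent: if pam_smb_auth.so is already
# in the auth stack the file is printed unchanged.
smb_aware_pam() {
    file="$1"
    if grep -q '^auth[[:space:]].*pam_smb_auth\.so' "$file"; then
        cat "$file"
        return 0
    fi
    awk '
        $1 == "auth" && $2 == "required" && $3 == "pam_unix.so" {
            print "auth\tsufficient\tpam_unix.so"
            print "auth\trequired\tpam_smb_auth.so"
            next
        }
        { print }
    ' "$file"
}

# Exit 0 only if the auth stack in FILE tries pam_unix.so as "sufficient"
# before pam_smb_auth.so, and pam_smb_auth.so is "required".
# Any other ordering or control flag makes this return 1.
check_auth_stack() {
    awk '
        $1 != "auth" { next }
        $3 == "pam_unix.so" && $2 == "sufficient" && !seen_smb { unix_first = 1 }
        $3 == "pam_smb_auth.so" { seen_smb = 1; smb_ctl = $2 }
        END { exit !(unix_first && seen_smb && smb_ctl == "required") }
    ' "$1"
}

# Constructed sample (not a real system file): a minimal pam.d service
# file that only knows local passwords. Run the rewrite over it and
# show the result, then check the ordering.
demo_dir=$(mktemp -d)
printf 'auth\trequired\tpam_unix.so\naccount\trequired\tpam_unix.so\n' \
    > "$demo_dir/ssh"
smb_aware_pam "$demo_dir/ssh" > "$demo_dir/ssh.new"
cat "$demo_dir/ssh.new"
if check_auth_stack "$demo_dir/ssh.new"; then
    echo "auth stack ok: local password first, domain password as fallback"
fi
rm -rf "$demo_dir"
```

The order the check enforces is the one that matters for the dummy accounts the post creates with disabled local passwords: with pam_unix as `sufficient` a matching local password ends the stack early, and a non-matching one simply falls through to pam_smb_auth. If pam_unix were left as `required`, its failure on a disabled password would make the whole stack fail regardless of what the PDC said, locking those accounts out.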
