pam_adduser ?
Cal Heldenbrand
heldenca at mnstate.edu
Fri Jul 30 21:18:35 UTC 2004
> I never did see a response. I've got one module that will
> fork()&exec() the add user script (security hole it is), but I would
> suggest building a module from scratch.
>
Yeah, that is a complete possibility, and I've already written up a
quick pam_runscript.so, for testing, but it's a pretty cheap hack and I
don't really want to exec() some random script for security purposes.
(this is a production system)
> Samba only uses PAM if the password is supplied in plain-text -
> meaning most Windows installations, by default, won't use PAM.
>
I don't know about that one... I've been doing so much testing back &
forth the past week, but I do remember adding a pam_mkhomedir into
/etc/pam.d/samba for 'session' and I think it worked OK. (and I'm using
encrypted passwords)
> One question is : when using PAM, does the Samba suite call
> pam_open_session()? functions? If so, it is possible to do an
> immediate clean up once verified in either the pam_open_session() or
> pam_close_session().
Yes, it does, but *when* it calls these functions is a bit of a
mystery. Since I'm not actually mounting shares from this system, I
think that 'session' will not even be called. I'm just hitting it for
domain authentications... but I'd really have to test more to double
check all of what I just said.
I guess this issue really isn't that big of a deal anymore -- I've
decided to take the easy way out and write up some scripts to take care
of /etc/passwd entries with /dev/null homes and /bin/false shells.
So... thanks for the input, but from the work I went through for this
I'd rather just drop it and just whip up some quick scripts. :-)
If anyone else has had, or, will have, this same problem, maybe
pam_mkhomedir could be added with a pam_sm_authenticate() with some
extra features like /etc/passwd entries, etc... If the developer for
that module is listening. ;-)
Thanks again!
--Cal
> Joe
>
> Cal Heldenbrand wrote:
>
>> Hi everyone,
>>
>> I'm working on a project where a box is remotely
>> authenticating with PAM against a large user database,
>> and this box acts as a Samba PDC / winbind /
>> authentication server for a local department.
>>
>> I've talked a bit with the Samba list, and I didn't
>> really get anything usefull back from them -- one of
>> the annoying things w/ Samba, is that it *requires* a
>> local /etc/passwd entry when 'security = user'. I can
>> see why this would be a nice sanity check, but this
>> machine does not serve homes, or any other partitions,
>> it will not be a shell box, or anything else... strictly domain
>> authentication with smb encrypted
>> passwords.
>>
>> The master database that I'm authenticating against
>> has around 8000+ users, plus, is dynamically changing.
>> I need a way to on-the-fly add / remove /etc/passwd
>> entries (and not using winbind -- this is a winbind
>> server)
>>
>> So, my main question to everyone is: Is there some
>> sort of pam_adduser that works with the 'auth'
>> management group that will add /etc/passwd entries?
>>
>> Thanks for your help!
>>
>> --Cal Heldenbrand
>>
>>
>>
>>
>> __________________________________
>> Do you Yahoo!?
>> Yahoo! Mail Address AutoComplete - You start. We finish.
>> http://promotions.yahoo.com/new_mail
>>
>> _______________________________________________
>> Pam-list mailing list
>> Pam-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/pam-list
>
>
>
> _______________________________________________
> Pam-list mailing list
> Pam-list at redhat.com
> https://www.redhat.com/mailman/listinfo/pam-list
More information about the Pam-list
mailing list