pam_adduser ?

Cal Heldenbrand heldenca at mnstate.edu
Fri Jul 30 21:18:35 UTC 2004


> I never did see a response.  I've got one module that will 
> fork()&exec()  the add user script (security hole it is), but I would 
> suggest building a module from scratch.
>
Yeah, that is a complete possibility, and I've already written up a 
quick pam_runscript.so, for testing, but it's a pretty cheap hack and I 
don't really want to exec() some random script for security purposes.  
(this is a production system)

> Samba only uses PAM if the password is supplied in plain-text - 
> meaning most Windows installations, by default, won't use PAM.
>
I don't know about that one...  I've been doing so much testing back & 
forth the past week, but I do remember adding a pam_mkhomedir into 
/etc/pam.d/samba for 'session' and I think it worked OK.  (and I'm using 
encrypted passwords)

> One question is : when using PAM, does the Samba suite call 
> pam_open_session()? functions?  If so, it is possible to do an 
> immediate clean up once verified in either the pam_open_session() or 
> pam_close_session().

Yes, it does, but *when* it calls these functions is a bit of a 
mystery.  Since I'm not actually mounting shares from this system, I 
think that 'session' will not even be called.  I'm just hitting it for 
domain authentications... but I'd really have to test more to double 
check all of what I just said.

I guess this issue really isn't that big of a deal anymore -- I've 
decided to take the easy way out and write up some scripts to take care 
of /etc/passwd entries with /dev/null homes and /bin/false shells.

So...  thanks for the input, but from the work I went through for this 
I'd rather just drop it and just whip up some quick scripts.  :-)

If anyone else has had, or, will have, this same problem, maybe 
pam_mkhomedir could be added with a pam_sm_authenticate() with some 
extra features like /etc/passwd entries, etc...   If the developer for 
that module is listening.  ;-)

Thanks again!

--Cal


> Joe
>
> Cal Heldenbrand wrote:
>
>> Hi everyone,
>>
>> I'm working on a project where a box is remotely
>> authenticating with PAM against a large user database,
>> and this box acts as a Samba PDC / winbind /
>> authentication server for a local department.
>>
>> I've talked a bit with the Samba list, and I didn't
>> really get anything useful back from them -- one of
>> the annoying things w/ Samba, is that it *requires* a
>> local /etc/passwd entry when 'security = user'.  I can
>> see why this would be a nice sanity check, but this
>> machine does not serve homes, or any other partitions,
>> it will not be a shell box, or anything else... strictly domain 
>> authentication with smb encrypted
>> passwords.
>>
>> The master database that I'm authenticating against
>> has around 8000+ users, plus, is dynamically changing.
>>  I need a way to on-the-fly add / remove /etc/passwd
>> entries (and not using winbind -- this is a winbind
>> server)
>>
>> So, my main question to everyone is:  Is there some
>> sort of pam_adduser that works with the 'auth'
>> management group that will add /etc/passwd entries?
>>
>> Thanks for your help!
>>
>> --Cal Heldenbrand
>>
>> _______________________________________________
>> Pam-list mailing list
>> Pam-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/pam-list
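
The worry in this thread about a module that fork()s and exec()s an add-user script comes down to the login name being chosen by the remote client. As an added example (not code from this thread or from any existing PAM module), the C sketch below validates the name, then runs a helper with no shell and a fixed environment. The helper path, the function names and the allowed character set are assumptions.

```c
#include <ctype.h>
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Accept only conservative account names: 1-32 chars, first char a lowercase
 * letter or '_', the rest [a-z0-9_-]. This rejects ':', '/', newlines and a
 * leading '-', which could corrupt a passwd line or be read as an option. */
int valid_username(const char *u)
{
    size_t n, i;
    if (u == NULL) return 0;
    n = strlen(u);
    if (n == 0 || n > 32) return 0;
    if (!(islower((unsigned char)u[0]) || u[0] == '_')) return 0;
    for (i = 1; i < n; i++) {
        unsigned char c = (unsigned char)u[i];
        if (!(islower(c) || isdigit(c) || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Run the helper (hypothetical, absolute path required) with the user name as
 * a single argv element. Returns its exit status, or -1 if nothing was run. */
int run_adduser_helper(const char *helper, const char *user)
{
    char *const envp[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    char *const argv[] = { (char *)helper, "--", (char *)user, NULL };
    int status;
    pid_t pid;

    if (helper == NULL || helper[0] != '/' || !valid_username(user))
        return -1;                  /* refuse before any process is created */
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(helper, argv, envp); /* no shell, no inherited environment */
        _exit(127);                 /* exec failed */
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

A PAM module would call this with the value it obtained from pam_get_user() and treat any non-zero result as a failure.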