It seems I may be the first to try, but has anyone had any experience in setting up Samba as a PDC then using the OPIE modules for PAM to try and set up an NT domain that requires one time passwords?

Now that you've all answered no, here's where I'm at. Samba is up and running as a PDC and functioning using /etc/passwd and unencrypted passwords, that part I know is good. After switching pam_opie.so to required from sufficient, things fall apart and authentication no longer works. However, the catch is I know PAM is passing things off to the opie module and that it is succeeding because /etc/opiekeys shows the sequence number decreasing, which would not happen had authentication not succeeded. Turning on debugging for Samba shows a basic password type failure:

[2002/01/17 21:49:34, 0] passdb/pampass.c:smb_pam_passcheck(828)
  smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User flemming !

I'm not sure where to go with this since it is kind of obscure, but the individual components are nothing too odd and putting them together should just work. The silly part is it looks like it is working and the problem is internal to Samba. Any thoughts or tips are appreciated.

Robert

Hi Robert,

Samba doesn't use the pam modules for unencrypted password authentication UNLESS you configure/make samba with the option --with-pam. Otherwise, it just gets the password entry via getpwnam/getpwent and uses crypt/bigcrypt to one way encrypt the plaintext password it is passed and compare it with what comes back from getpwent/getpwnam...

So the minimum you'd need to get this working is to remove the config.cache, and rerun configure --with-pam and do another make to get new binaries. There may be other subtleties I am not aware of as well...

Hope this helps,
Don

-----Original Message-----
From: Robert Flemming [mailto:flemming@spiralout.net]
Sent: Thursday, January 17, 2002 5:13 PM
To: samba@lists.samba.org
Subject: PAM w/ OPIE

It seems I may be the first to try, but has anyone had any experience in setting up Samba as a PDC then using the OPIE modules for PAM to try and set up an NT domain that requires one time passwords?

Now that you've all answered no, here's where I'm at. Samba is up and running as a PDC and functioning using /etc/passwd and unencrypted passwords, that part I know is good. After switching pam_opie.so to required from sufficient, things fall apart and authentication no longer works. However, the catch is I know PAM is passing things off to the opie module and that it is succeeding because /etc/opiekeys shows the sequence number decreasing, which would not happen had authentication not succeeded. Turning on debugging for Samba shows a basic password type failure:

[2002/01/17 21:49:34, 0] passdb/pampass.c:smb_pam_passcheck(828)
  smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User flemming !

I'm not sure where to go with this since it is kind of obscure, but the individual components are nothing too odd and putting them together should just work. The silly part is it looks like it is working and the problem is internal to Samba. Any thoughts or tips are appreciated.

Robert

Robert Flemming wrote:
>
> It seems I may be the first to try, but has anyone had any experience in
> setting up Samba as a PDC then using the OPIE modules for PAM to try and setup
> an NT domain that requires one time passwords?

Will Not Work. Samba's PDC operation *requires* encrypted passwords, and therefore will not contact PAM during a domain logon. Feel free however to contribute an encrypted variant of OPIE for the auth subsystem.

If you are acting as just a file-server it could work, but remember that many Windows clients UPPER CASE the password prior to send, which just makes life miserable. Once you get the password to PAM however (and samba 'cracks' the password back into the correct case) it should work.

Could you try this out with Samba HEAD - if there is an issue there I would like to look at it.

Andrew Bartlett

--
Andrew Bartlett abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet@samba.org
Student Network Administrator, Hawker College abartlet@hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net