I need to allow [read] access to a Samba server using both IP filtering & UserIDs.

For a given list of IP subnets, any user should have access.
Outside these 'trusted' subnets, I need to do User authentication.

I can handle the User authentication OK in several ways.
However, I don't see any way to do the 'short circuit' allow for some IPs, then use User authentication after that.
If I do a 'deny', in the InetD or in Samba, then the 'untrusted' subnets are denied, & not allowed to try logging-in.

Any ideas?

I originally thought that PAM would give me this functionality, but now I don't see it.
Is PAM at all popular for Samba 'authentication'?

Thanks.
On Sat, 2004-01-17 at 07:00, webster@lexmark.com wrote:
> I need to allow [read] access to a Samba server using both IP filtering &
> UserIDs.
>
> For a given list of IP subnets, any user should have access.
> Outside these 'trusted' subnets, I need to do User authentication.
>
> I can handle the User authentication OK in several ways.
> However, I don't see any way to do the 'short circuit' allow for some IPs,
> then use User authentication after that.
> If I do a 'deny', in the InetD or in Samba, then the 'untrusted' subnets
> are denied, & not allowed to try logging-in.
>
> Any ideas?
>
> I originally thought that PAM would give me this functionality, but now I
> don't see it.
> Is PAM at all popular for Samba 'authentication'?

You could set 'obey pam restrictions', and then write an 'account' module that enforced these restrictions.

That assumes you want to always require passwords, but only allow some particular accounts from the untrusted IPs.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
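An added example of the 'account' module suggested in the reply above; this is my code, not Samba's and not something posted in the thread. The verdict logic is plain C so it can be exercised on its own; the PAM entry point is compiled only with -DBUILD_AS_PAM_MODULE. The module name pam_smb_subnet and its trusted=/allow= arguments are invented for the example, and the PAM glue assumes the PAM_RHOST item Samba sets is the client's IPv4 address.

```c
/* pam_smb_subnet.c: an "account" PAM module for the scheme suggested above.
 * Added example, not Samba's code. Any account is accepted from a trusted
 * subnet; from anywhere else only the listed accounts are. With
 * 'obey pam restrictions = yes' Samba calls it after the client's NTLM
 * response has already been verified against Samba's own password backend,
 * so it narrows access, it does not replace the password check. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

enum acct_verdict { ACCT_ALLOW = 0, ACCT_DENY = 1 };

/* "a.b.c.d" or "a.b.c.d/n" (len bytes, not NUL-terminated) -> network and
 * mask in host byte order. -1 if malformed: a bad entry never trusts anyone. */
static int parse_cidr(const char *spec, size_t len, uint32_t *net, uint32_t *mask)
{
    char buf[32], *slash, *end;
    struct in_addr a;
    long bits = 32;

    if (len >= sizeof buf)
        return -1;
    memcpy(buf, spec, len);
    buf[len] = '\0';
    if ((slash = strchr(buf, '/')) != NULL) {
        *slash = '\0';
        bits = strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || bits < 0 || bits > 32)
            return -1;
    }
    if (inet_pton(AF_INET, buf, &a) != 1)
        return -1;
    *mask = bits == 0 ? 0 : (uint32_t)(0xFFFFFFFFu << (32 - bits));
    *net = ntohl(a.s_addr) & *mask;          /* drop host bits from the spec */
    return 0;
}

/* Is the dotted-quad ip inside any entry of the comma-separated CIDR list? */
static int ip_in_subnets(const char *ip, const char *list)
{
    struct in_addr a;
    uint32_t host, net, mask;
    size_t len;

    if (inet_pton(AF_INET, ip, &a) != 1)
        return 0;               /* hostnames, IPv6 and junk are never trusted */
    host = ntohl(a.s_addr);
    for (; *list != '\0'; list += len, list += (*list == ',')) {
        len = strcspn(list, ",");
        if (parse_cidr(list, len, &net, &mask) == 0 && (host & mask) == net)
            return 1;
    }
    return 0;
}

/* Exact-match lookup of user in a comma-separated allow list. */
static int user_in_list(const char *user, const char *list)
{
    size_t len, ulen = strlen(user);

    for (; *list != '\0'; list += len, list += (*list == ',')) {
        len = strcspn(list, ",");
        if (len == ulen && memcmp(list, user, len) == 0)
            return 1;
    }
    return 0;
}

/* The policy itself; a missing user or client address fails closed. */
enum acct_verdict acct_decide(const char *user, const char *rhost,
                              const char *trusted, const char *allowed)
{
    if (user == NULL || *user == '\0' || rhost == NULL)
        return ACCT_DENY;
    if (ip_in_subnets(rhost, trusted))
        return ACCT_ALLOW;
    return user_in_list(user, allowed) ? ACCT_ALLOW : ACCT_DENY;
}

#ifdef BUILD_AS_PAM_MODULE
#define PAM_SM_ACCOUNT
#include <security/pam_modules.h>

/* /etc/pam.d/samba: account required pam_smb_subnet.so trusted=10.1.0.0/16 allow=alice,bob */
int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    const char *user = NULL, *trusted = "", *allowed = "";
    const void *rhost = NULL;
    int i;

    (void)flags;
    for (i = 0; i < argc; i++) {
        if (strncmp(argv[i], "trusted=", 8) == 0)
            trusted = argv[i] + 8;
        else if (strncmp(argv[i], "allow=", 6) == 0)
            allowed = argv[i] + 6;
    }
    if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL)
        return PAM_USER_UNKNOWN;
    /* Assumption: PAM_RHOST holds the client's IPv4 address. Samba fills it
     * from the client name, so keep 'hostname lookups = no' or resolve here. */
    if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS || rhost == NULL)
        return PAM_PERM_DENIED;
    return acct_decide(user, (const char *)rhost, trusted, allowed) == ACCT_ALLOW
               ? PAM_SUCCESS : PAM_PERM_DENIED;
}
#endif
```

Build it with `gcc -shared -fPIC -DBUILD_AS_PAM_MODULE -o pam_smb_subnet.so pam_smb_subnet.c -lpam`, add `account required pam_smb_subnet.so trusted=10.1.0.0/16,192.168.5.0/24 allow=alice,bob` to the PAM service smbd uses (/etc/pam.d/samba) and set `obey pam restrictions = yes` in smb.conf. Two caveats: the module only runs after Samba has already validated the password from its own backend, so users on the trusted subnets still need a Samba password, which is the trade-off the reply notes; and an address-based rule is only as trustworthy as the network delivering the packets.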
Much thanks for the reply.

Now, please tell me that this paragraph, from the description for 'obey pam restrictions' in smb.conf(5), is old (& false in Samba 3):

  "Note that Samba always ignores PAM for authentication in the case of
  encrypt passwords = yes. The reason is that PAM modules cannot
  support the challenge/response authentication mechanism needed
  in the presence of SMB password encryption."
Thanks for the reply.
I am missing something(s) here, & I apologize for that.

You are saying that there is still no way to use PAM on a Samba server for authenticating WindowsXP (requires encrypted) clients?
If that's the case, is there any way to do what I want?

Are you saying to use Samba's 'smbpasswd' file, or something besides PAM, for the authentication, but use PAM for the user account restriction?

Can I do encrypted authentication for Samba against an LDAP server which I don't control (anonymous bind)?

To: webster@lexmark.com
cc: Andrew Bartlett <abartlet@samba.org>, samba@lists.samba.org
Subject: Re: [Samba] 'multi-layered' authentication

On Thu, 2004-01-22 at 10:34, webster@lexmark.com wrote:
> Much thanks for the reply.
>
> Now, please tell me that this paragraph, from the description for
> 'obey pam restrictions' in smb.conf(5), is old (& false in Samba 3):
>
> "Note that Samba always ignores PAM for authentication in the case of
> encrypt passwords = yes. The reason is that PAM modules cannot
> support the challenge/response authentication mechanism needed
> in the presence of SMB password encryption."

This paragraph is correct (if slightly badly worded). We honour account and session modules, but not auth modules.

'pam password change' causes us to honour password modules, btw.

Andrew Bartlett

-- 
Andrew Bartlett
Thanks for the reply.
Sorry if I've not been clear on my requirements.

For a given list of IP subnets, I need to allow everyone access.
Outside this list, I need to do user authentication.
Many of these clients are WinXP (& 2K), which requires using encrypted passwords.
Ideally, I would authenticate against a 'corporate' LDAP server.

No one is using a 'common' (with other apps) LDAP server to do encrypted Samba authentication?

What are my practical choices for doing encrypted Samba authentication against?
1) smbpasswd, & 2) a Windows domain?

To: webster@lexmark.com
cc: Andrew Bartlett <abartlet@samba.org>, samba@lists.samba.org
Subject: Re: [Samba] 'multi-layered' authentication

On Fri, 2004-01-23 at 10:20, webster@lexmark.com wrote:
> Thanks for the reply.
> I am missing something(s) here, & I apologize for that.
>
> You are saying that there is still no way to use PAM on a Samba
> server for authenticating WindowsXP (requires encrypted) clients?

Correct. This is a protocol limitation, it will 'still' be a problem forever.

> If that's the case, is there any way to do what I want?

That very much depends what you want, you have not been very clear on that point.

> Are you saying to use Samba's 'smbpasswd' file,
> or something besides PAM, for the authentication,
> but use PAM for the user account restriction?

Yes.

> Can I do encrypted authentication for Samba against an LDAP server
> which I don't control (anonymous bind)?

NO.

-- 
Andrew Bartlett