I have a working winbind on my Radados server that let's Ubuntu Gutsy
workstartions authenticate from the server. I works great. A user account
that exists on the server with a home directory is able to login to Ubuntu
with GDM and have a Gnome desktop and their home directory is mounted from
the server, all is good.
The server has many shares that are being offered to users that are members
of select groups. For example there is a group "accounting" and only
users
that are members of accounting can access it. Lets say I have a user named
"lisa" and she is a member of "accounting". She has rights
on the server to
the "accounting files" share because she is a member of
"accounting".
Another server, let's call it SERVER_B, has a share that is also available
to members of "accounting". SERVER_B has a smb.conf with read and
write
lists defined like so "write list = @"MYDOMAIN+accounting". This
part works
great. Lisa can login to any Gutsy system on the network, her home directory
follows her aound and she can login to SERVER_B and access the share for
"accounting" members. Anyone not a member of "accounting"
cannot access the
accounting share on SERVER_B. The "accounting" group is mapped using
net
groupmap.
PAM is used on the Gutsy workstations to authenticate Lisa at login time by
using winbind to call a challange to the Radados server for the
authentication of the user. PAM is also doing this to mount Lisa's home
directory using pam_mount. Lisa then opens nautilus to browes the network to
access the accounting share on SERVER_B. Nautilus is linked to libsmbclient
to access the SMB protocols. A pop-up dialog asks Lisa to enter her login
name, domain name and account password to access the accounting share on
SERVER_B. If she enters the data correctly she will be allowed into the
share and denied if she does not.
PAM already has the authentication information for the user. I want to find
a way that I can make libsmbclient look to the PAM system for authentication
before asking for the authentication data. I know libsmbclient is not
actually showing the pop-up dialog, that comes from nautilus but
libsmbclient is looking to see if it can access the share without
authentication and if that fails it then asks for authentication information
from the application, most likely with a call back function or a returned
error code. I want libsmbclient to look for authentication from PAM before
going back to the application. I am unable to find any way to do this.
I have been looking for a way to make a libsmbclient PAM config file but
have not found any such thing. PAM is mostly a service for server side
authentication control, meaning that PAM can be used to authenticate for the
servers side of an action not the client side. For example PAM could be used
for FTPD do authenticate incoming FTP requests but it cannot be setup to
provide your authentication details to the FTP client program. PAM is mostly
for server side because the documentation says it is for server side, but
pam_mount is a client side example of how it can be used for client side
authentications. pam_mount is setup to mount the users home directory from
the server and it works. I don't know the relationship between PAM and the
mounting of SMB shares but at some point it must go through libsmbclient and
PAM is holding the authentication data for the user.
Once a user has been authenticated and they are into their desktop, they
should be able to access all SMB domain services without being asked for
their login and password again, unless it is a service that requires a
different user name and password.
I do not want a fix for nautilus because there are many other filemanagers
and other programs that use libsmbclient.
It maybe possible to use pam_env to store a global username and password but
that would be dangerous.
Advice please.
--
You need music, music needs you; but the RIAA we'd all be better off
without.
