I'm looking to create a "passdb backend" plugin so that Samba can authenticate with our existing custom authentication system. Though I haven't been able to locate any documentation on this, I believe it's possible (without modifying Samba proper) for the following reasons:

- This project exists (though isn't being maintained and doesn't work with the current version): https://sourceforge.net/projects/pdbsql

- When I set "passdb backend = foo" in smb.conf, my Samba logs show the following error:
"No builtin nor plugin backend for foo found"
Which indicates to me that it's at least looking for a plugin that it can use.

I understand that it's more than just authentication. It's also a variety of other pieces of data that I'll need to store and be able to return.

I'm wondering if documentation exists that can lead me in the right direction for how to get started on creating this.
Andrew Bartlett
2017-Mar-26 23:24 UTC
[Samba] Custom Authentication Plugin (passdb backend)
On Sat, 2017-03-25 at 19:30 -0700, Nick Coons via samba wrote:
> I'm looking to create a "passdb backend" plugin so that Samba can
> authenticate with our existing custom authentication system. Though I
> haven't been able to locate any documentation on this, I believe it's
> possible (without modifying Samba proper) for the following reasons:
>
> - This project exists (though isn't being maintained and doesn't work
> with the current version):
> https://sourceforge.net/projects/pdbsql
>
> - When I set "passdb backend = foo" in smb.conf, my Samba logs show the
> following error:
> "No builtin nor plugin backend for foo found"
> Which indicates to me that it's at least looking for a plugin that it
> can use.
>
> I understand that it's more than just authentication. It's also a
> variety of other pieces of data that I'll need to store and be able to
> return.
>
> I'm wondering if documentation exists that can lead me in the right
> direction for how to get started on creating this.

Can you describe a little more your current custom authentication system and the capabilities it has?

While we have built a pluggable auth and passdb system, creating and deploying custom backends has turned out to be much harder to execute in practice than originally expected.

In particular, the auth subsystem only covers NTLM authentication, but not password changes nor machine account authentication (netlogon ServerAuthenticateX), and passdb has so many arms and legs it is quite difficult to implement (but more practical).

Both require that you have access to the NT hash of the user's password (MD4(utf16_le(password))).

If access to that is available, it may be more practical to present your existing DB in something that looks like our normal LDAP tree.

Anyway, if you can discuss what you have and need we can see how we can help solve your problems.

Thanks,

Andrew Bartlett
Hi Andrew!

On 03/26/2017 04:24 PM, Andrew Bartlett via samba wrote:
> On Sat, 2017-03-25 at 19:30 -0700, Nick Coons via samba wrote:
>> I'm looking to create a "passdb backend" plugin so that Samba can
>> authenticate with our existing custom authentication system.
> Can you describe a little more your current custom authentication
> system and the capabilities it has?

Of course. The data is stored in a MySQL database, but is accessed through a JSON-RPC client/server model. So we would want to create a method (or set of methods) that request authentication or other information from the server. For instance, we use it for OpenVPN connections. OpenVPN has a facility that allows us to reference an arbitrary script that exits with status 0 (success) or 1 (failure) to indicate whether or not the user's authentication attempt was successful. I know that Samba is more complicated than that, but that's the idea.

We would be willing to extend the system however we need. For instance, the password hash that we store is likely incompatible, so we'd need to store a second hash of the user's password. We'd also need to store the user's password expiration date, last login timestamp, etc.

> While we have built a pluggable auth and passdb system, creating and
> deploying custom backends has turned out to be much harder to execute
> in practice than originally expected.

> In particular, the auth subsystem only covers NTLM authentication, but
> not password changes nor machine account authentication (netlogon
> ServerAuthenticateX), and passdb has so many arms and legs it is quite
> difficult to implement (but more practical).

For us, it would be a read-only system. So we wouldn't need to do things like allow users to change their passwords, or provide any domain functionality. This would simply be for authenticating to access shares, and then using the correct user for filesystem permissions.

> Both require that you have access to the NT hash of the user's password
> (MD4(utf16_le(password))).

> If access to that is available, it may be more practical to present
> your existing DB in something that looks like our normal LDAP tree.

I'm certainly open to this, and this is something that we've put on our list of possible solutions as well. I assume this would be some sort of listener on port 389 (or 686 for LDAP with SSL) that when Samba's LDAP client connects and sends authentication requests (or other requests for information), we'd pull the info from our system and present it in an expected way. Never having built an LDAP server, I'm not exactly sure what this would entail, but probably a lot of reading on the LDAP spec. :-)

> Anyway, if you can discuss what you have and need we can see how we can
> help solve your problems.

I appreciate that... thank you!
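The "second hash" Nick would have to store is the NT hash Andrew spells out above, MD4 over the UTF-16LE encoding of the password. The following is an added example (not code from the thread, from Samba, or from either poster) showing how such a store would derive and check that value. MD4 is implemented in pure Python because `hashlib.new("md4")` is missing from many OpenSSL 3 builds; the function names `md4`, `nt_hash` and `nt_hash_matches` and the sample password are this example's own choices.

```python
# Added example: derive the NT hash (MD4(utf16_le(password))) that a passdb
# or LDAP-backed account store must hold for Samba, and verify a password
# against a stored hash. Pure-Python MD4 per RFC 1320; hashlib's md4 is
# often unavailable on OpenSSL 3 builds.
import hmac
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    """32-bit left rotation."""
    return ((x << n) | (x >> (32 - n))) & _MASK


def _md4_compress(state, block):
    """Process one 64-byte block and return the updated 4-word state."""
    X = struct.unpack("<16I", block)
    v = list(state)

    def step(f, k, s, const):
        # Compute a = (a + f(b,c,d) + X[k] + const) <<< s, then rotate the
        # register roles so the next step updates the "d" register.
        a, b, c, d = v
        v[0] = _rotl((a + f(b, c, d) + X[k] + const) & _MASK, s)
        v[:] = [v[3], v[0], v[1], v[2]]

    F = lambda x, y, z: (x & y) | ((~x & _MASK) & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z

    # Round 1: F, message words in order, no additive constant.
    for i in range(16):
        step(F, i, (3, 7, 11, 19)[i % 4], 0)
    # Round 2: G, column-wise word order, constant sqrt(2).
    for i, k in enumerate((0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)):
        step(G, k, (3, 5, 9, 13)[i % 4], 0x5A827999)
    # Round 3: H, bit-reversed word order, constant sqrt(3).
    for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):
        step(H, k, (3, 9, 11, 15)[i % 4], 0x6ED9EBA1)
    return tuple((s + x) & _MASK for s, x in zip(state, v))


def md4(data: bytes) -> bytes:
    """MD4 digest of `data` (16 bytes)."""
    state = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
    # Pad: 0x80, zeros to 56 mod 64, then the 64-bit little-endian bit length.
    padded = (data + b"\x80" + b"\x00" * ((55 - len(data)) % 64)
              + struct.pack("<Q", len(data) * 8))
    for off in range(0, len(padded), 64):
        state = _md4_compress(state, padded[off:off + 64])
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash as lower-case hex: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le")).hex()


def nt_hash_matches(password: str, stored_hex: str) -> bool:
    """Constant-time comparison of a candidate password against a stored NT hash."""
    return hmac.compare_digest(nt_hash(password), stored_hex.lower())


if __name__ == "__main__":
    # Constructed sample value; the hash of "password" is a well-known vector.
    print(nt_hash("password"))  # 8846f7eaee8fb117ad06bdd830b7586c
```

The hex string `nt_hash` returns is the value Samba's LDAP-backed passdb reads from the `sambaNTPassword` attribute, so a read-only presentation of Nick's database would need to carry exactly this per account. Because the NT hash is unsalted and fast to compute, the store holding it deserves the same access controls as the plaintext password itself.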