Samba authentication through PAM with MySQL
Ed. note: Randall actually wrote this article back in November, but I’ve only just put
it on the site today.
Note: this assumes you have Samba, MySQL and pam_mysql already installed and running on FreeBSD 4.0 or greater.
The following describes how to set up Samba, PAM, and MySQL such that Samba users are authenticated through MySQL using PAM.
You can obtain pam_mysql from the link above, or you can install it from the ports: /usr/ports/security/pam-mysql.
by: randall s. ehren
Step 1: Configure MySQL
The following inserts the root user and a sample user, both with a password of
"secretpw". The password encryption is done via MySQL’s ENCRYPT function. Insert
the following SQL:
CREATE DATABASE samba_auth;
USE samba_auth;

CREATE TABLE users (
  uid int(6) NOT NULL auto_increment,
  gid int(6) DEFAULT '0' NOT NULL,
  last_name varchar(80) NOT NULL,
  first_name varchar(80) NOT NULL,
  login varchar(16) NOT NULL,
  date datetime DEFAULT '0000-00-00 00:00:00' NOT NULL,
  password varchar(16) NOT NULL,
  PRIMARY KEY (uid),
  KEY uid (uid),
  UNIQUE uid_2 (uid)
);

-- uid is AUTO_INCREMENT: pass NULL and let MySQL assign it. A literal 0 is
-- also replaced by the next value, so hard-coding 0 and 1 would collide.
-- NOW() is unquoted; the string 'NOW()' is not a valid datetime.
INSERT INTO users VALUES (
  NULL, '0', 'account', 'root', 'root',
  NOW(), ENCRYPT('secretpw')
);
INSERT INTO users VALUES (
  NULL, '1', 'account', 'sample', 'sample',
  NOW(), ENCRYPT('secretpw')
);
Step 2: Configure PAM
pam_mysql has the following configuration options available (options in parentheses
are defaults):
- user(nobody) — The MySQL user that opens the connection and has permission to read the table with the passwords.
- passwd("") — Password for the same.
- host(localhost) — Machine that is running the SQL server.
- db(mysql) — Database that contains the table with the user/password combos.
- table(user) — Table that you want to use for the user/password checking.
- usercolumn(User) — Column that has the username field.
- passwdcolumn(password) — Column that has the password field.
- crypt(0) — Decides whether to use MySQL’s PASSWORD() function or crypt():
  0 = No encryption. Passwords in database in plaintext. NOT recommended!
  1 = Use crypt
  2 = Use MySQL PASSWORD() function
Append the following to your /etc/pam.conf file (one entry per line):
samba auth required pam_mysql.so user=root passwd=secretpw db=samba_auth table=users usercolumn=login crypt=1
samba account required pam_mysql.so user=root passwd=secretpw db=samba_auth table=users usercolumn=login crypt=1
samba password required pam_mysql.so user=root passwd=secretpw db=samba_auth table=users usercolumn=login crypt=1
samba session required pam_mysql.so user=root passwd=secretpw db=samba_auth table=users usercolumn=login crypt=1
Step 3: Configure Samba
The following is a sample smb.conf file:
# Samba config file
# Date: 2000/11/13 12:31:50

# Global parameters
[global]
    workgroup = WORKGROUP-NAME
    server string = samba file services at WORKGROUP-NAME
    security = USER
    # must be set to 'no' to use PAM
    encrypt passwords = No
    update encrypted = No
    allow trusted domains = Yes
    min password length = 6
    null passwords = No
    revalidate = No

[homes]
    valid users = sample
    writeable = Yes

[www]
    path = /www
    valid users = sample
    force group = http
    writeable = Yes

[public]
    path = /samba/public
    valid users = sample
    writeable = Yes
    guest ok = No
Step 4: Test
Make sure MySQL and Samba are running. If Samba was already running, restart it. Create
a Unix user called "sample" and log in to that account. Use smbclient to test by
doing the following:
% smbclient \\\\localhost\\sample
smbclient will then ask for a password; use ‘secretpw’, or whatever you made the
password, then see if it works. You should be able to do an ‘ls’, ‘mkdir’, or ‘cd’ when
you are in smbclient. You should also test this out on a Windows machine to make sure it
works. If you aren’t using Windows NT or 2000, make sure you ‘log in’ to the machine as
‘sample’.
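As an added example (not part of the original article), this POSIX sh function reads pam.conf entries and flags the pam_mysql settings from Step 2 that deserve a second look: crypt left at 0, a connection as MySQL root, and a database password stored inline. The finding labels and the pam_reader account are hypothetical; the defaults applied to missing options are the ones in the option list above.

```shell
#!/bin/sh
# audit_pam_mysql [FILE]: print one finding per risky pam_mysql option.
# Reads FILE in pam.conf format (service type control module args), or stdin.
audit_pam_mysql() {
    awk '
    /^[ \t]*#/ || !/pam_mysql\.so/ { next }    # skip comments and other modules
    {
        # Defaults from the Step 2 option list: user(nobody) passwd("") crypt(0)
        dbuser = "nobody"; dbpass = ""; mode = "0"
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            key = substr($i, 1, n - 1); val = substr($i, n + 1)
            if (key == "user")   dbuser = val
            if (key == "passwd") dbpass = val
            if (key == "crypt")  mode = val
        }
        where = "line " FNR " (" $1 " " $2 ")"
        if (mode == "0")
            print where ": PLAINTEXT-CRYPT crypt=0 compares against plaintext passwords"
        if (dbuser == "root")
            print where ": ROOT-DB-USER connects to MySQL as root"
        if (dbpass != "")
            print where ": CLEARTEXT-PASSWD database password is stored in this file"
    }' "$@"
}

# Constructed sample input: the auth entry from Step 2, an entry that omits
# crypt (so the default 0 applies), and a commented-out entry.
sample_pam_conf() {
    cat <<'EOF'
samba auth required pam_mysql.so user=root passwd=secretpw db=samba_auth table=users usercolumn=login crypt=1
samba account required pam_mysql.so user=pam_reader passwd=example db=samba_auth table=users usercolumn=login
# samba session required pam_mysql.so user=root crypt=0
EOF
}

sample_pam_conf | audit_pam_mysql
```

Against a live system, run it as `audit_pam_mysql /etc/pam.conf`.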
Why can I not do it using this article?
Who can help me?
Thanks a lot!
Jane:
You should be seeking help in the FreeBSD Support forum (click on FORUMS, top right corner).
And we can’t diagnose the problem with the information you have supplied.
There are a few things to note:
INSERT INTO users VALUES (
'0', '0', 'account', 'root', 'root',
NOW(), ENCRYPT('secretpw'),
'', '', '', 'n', '', 'n', '', '0', ''
);
Has too many parameters.
INSERT INTO users VALUES (
'0', '0', 'account', 'root', 'root',
NOW(), ENCRYPT('secretpw')
);
is a little more like it based on the CREATE TABLE statement.
Also, PAM was not an option for samba prior to 2.0.5, so make sure you’re using a newer version by looking at
# pkg_info | grep samba
(assuming you used the port to install it). I was actually using 2.0.6, but I don’t believe the port had the --with-pam configure option set until after that point. A reinstallation of a newer version of the port (2.2.3a) fixed up my problems.
It’s also not available for FreeBSD prior to 3.something so make sure you’re using a late-model 3.X or better.
When editing the pam.conf file, I believe you need to make sure that the spaces between attributes are in fact spaces and not tabs. I seem to remember reading that tabs aren’t appreciated in there.
Finally, I personally would set up the user account "samba" with a blank password. The reason: it’s in clear text in the /etc/pam.conf file. If you leave it out, someone not familiar with pam_mysql.so might not deduce that the mysql password is empty.
Hope this helps!
Just saw the article and loved it, LDAP is just too crazy to deal with.