Jerry Murdock wrote:
>
> ----- Original Message -----
> From: <Pedro.Bacchella@lomanegra.com.ar>
> To: <squid-dev@squid-cache.org>
> Sent: Tuesday, July 30, 2002 10:17 AM
> Subject: Question
>
> > For some reason I can't authenticate the NT users with squid and pamsmb.
> > I've followed step by step the configuration paper but with no success.
> > ( http://linux.lexilog.org.uk/squid.html )
> >
> >
> > I have installed:
> >
> > linux redhat 7.2
> > squid ver.2.4stable6.
> > domain controller windows NT 4.0.
> > pam_auth installed in /usr/lib/squid.
> > pam_smb.conf installed in /etc and it contents :
> > LOMA (domain controller)
> > SRV_CENTRAL (PDC)
> > BKSERVER (BDC)
> >
> > squid proxy cache IPaddress
> >
> > ping PDC and BDC is ok
> >
> > In /etc/pam.d directory ,there is a squid file
> > squid file:
> >
> > #%PAM-1.0
> > auth required /lib/security/pam_smb_auth.so
> > auth required /lib/security/pam_nologin.so
> > account required /lib/security/pam_stack.so service=system-auth
> > password required /lib/security/pam_stack.so service=system-auth
> > session required /lib/security/pam_stack.so service=system-auth
> > session required /lib/security/pam_limits.so
> >
>
> This is waayyyy to complicated for a squid pam file. Assuming you don't
> really want to create unix accounts for all your smb users, a simple
> two-liner should work:
>
> auth required /path/to/pam_smb_auth.so nolocal
> account required /path/to/pam_permit.so
>
> If you grab the pam_auth from 2.5 and use -o switch, you should only need
> the first line.
>
> You can add the other stuff back in if needed, but try the shorter config
> first.
Also - just ditch pam_smb_auth. That pam module has 'bad idea' written
all over it, and has serious, known issues. Implmenting an SMB client
in a PAM module just is not a good idea - and becouse it does not use
full RPC Netlogon, it is inherintly vunerable to spoffing.
As far as I know, the 'smb_auth' program and pam_smb are both based off
the same (old) sources, and are both as inseure as each other.
The use of pam_winbind or the winbind basic authenticaion helper is much
more likaly to gain you a functional system, and more particulary a
secure system - as the PDC's credentials are checked.
You could also consider the winbind NTLM authenticaion helper.
Andrew Bartlett
-- Andrew Bartlett abartlet@pcug.org.au Manager, Authentication Subsystems, Samba Team abartlet@samba.org Student Network Administrator, Hawker College abartlet@hawkerc.net http://samba.org http://build.samba.org http://hawkerc.netReceived on Wed Jul 31 2002 - 02:57:29 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:15:55 MST