Subject: RE: PAM_SMB through Apache
From: Mathew A Johnston (johnstonmegaepic.com)
Date: Wed Dec 06 2000 - 21:50:09 CST


Well, I think that the idea is that the user who is logging in needs
to have a user account locally, so that a default shell, group
memberships, etc., and thus permissions can be used.

So, no matter what you do, you're either going to need to have daemons run
as some effective UID - whether it's always the same (as in a web server
[usually]) or the uid of the user logging in. If you only want to
authenticate for a daemon that will always run as the same user, edit the
pam module to allow an option to not require a local user for
success... otherwise, you're going to need to add users to your nix
box, and the module which adds users is something that'll do it for you.

Good luck :)

Mathew Johnston

On Wed, 6 Dec 2000, marin wrote:

> I wouldn't do this.
>
> /marin
>
> I recall a module which adds usernames when they log in, and can create home
> directories (I THINK, but I'm not sure). Check out the pam docs to see a list
> of modules.
>
> Thus, authenticate against the domain, and if that succeeds, add a user locally
> automatically (you could even make a script that would do this) and thus let
> them log in.
>
> Mathew Johnston
>
> PS. I've never done this, so I may not know what I'm talking about :)
>
> Erica Douglass wrote:
>
> > At 04:28 PM 12/1/2000 +1000, you wrote:
> > >At 06:45 PM 11/30/00 -0800, you wrote:
> > > >I cannot get PAM authentication through an NT server working with Apache.
> > > >
> > > >My configuration: Cobalt RaQ4 (Redhat; Intel processor)
> > > >
> > > >Installed: Apache PAM module
> > > >PAM_SMB
> > > >
> > > >The PAM module for Apache works fine. I have tested with the default
> > > >configurations and it runs smoothly. However, PAM_SMB does not work. The
> > > >reason it gives is: "User account has expired"
> > >
> > >Is it possible that the user's account has expired under NT?
> >
> > > Ummm, you only need pamsmbd if you are doing username mapping. Are you?
> >
> > It turns out that the underlying problem is that PAM_SMB has to map the NT
> > username to a local username. It seems that the module has no support for
> > wildcards, and I don't want to create an unmanageable list of all the
> > domain users. (The list would have to be updated every time someone was
> > added or deleted from the domain.)
> >
> > As far as I can tell, there are two choices:
> >
> > -- Hack the module to support wildcards (e.g. ALL NT users -> "default" or
> > "anonymous" locally)
> > -- Create ~400 local users, or create the aforementioned list.
> >
> > Neither choice sounds like a clean solution. Any suggestions?
> >
> > Erica
> >
> > _______________________________________________
> > Pam-list mailing list
> > Pam-listredhat.com
> > https://listman.redhat.com/mailman/listinfo/pam-list