Re: Question

From: Andrew Bartlett <abartlet@dont-contact.us>
Date: Wed, 31 Jul 2002 18:56:28 +1000

Jerry Murdock wrote:
>
> ----- Original Message -----
> From: <Pedro.Bacchella@lomanegra.com.ar>
> To: <squid-dev@squid-cache.org>
> Sent: Tuesday, July 30, 2002 10:17 AM
> Subject: Question
>
> > For some reason I can't authenticate the NT users with squid and pamsmb.
> > I've followed step by step the configuration paper but with no success.
> > ( http://linux.lexilog.org.uk/squid.html )
> >
> >
> > I have installed:
> >
> > linux redhat 7.2
> > squid ver.2.4stable6.
> > domain controller windows NT 4.0.
> > pam_auth installed in /usr/lib/squid.
> > pam_smb.conf installed in /etc and its contents are:
> > LOMA (domain controller)
> > SRV_CENTRAL (PDC)
> > BKSERVER (BDC)
> >
> > squid proxy cache IPaddress
> >
> > ping PDC and BDC is ok
> >
> > In /etc/pam.d directory ,there is a squid file
> > squid file:
> >
> > #%PAM-1.0
> > auth required /lib/security/pam_smb_auth.so
> > auth required /lib/security/pam_nologin.so
> > account required /lib/security/pam_stack.so service=system-auth
> > password required /lib/security/pam_stack.so service=system-auth
> > session required /lib/security/pam_stack.so service=system-auth
> > session required /lib/security/pam_limits.so
> >
>
> This is waayyyy too complicated for a squid pam file. Assuming you don't
> really want to create unix accounts for all your smb users, a simple
> two-liner should work:
>
> auth required /path/to/pam_smb_auth.so nolocal
> account required /path/to/pam_permit.so
>
> If you grab the pam_auth from 2.5 and use -o switch, you should only need
> the first line.
>
> You can add the other stuff back in if needed, but try the shorter config
> first.

Also - just ditch pam_smb_auth. That PAM module has 'bad idea' written
all over it, and has serious, known issues. Implementing an SMB client
in a PAM module just is not a good idea - and because it does not use
full RPC Netlogon, it is inherently vulnerable to spoofing.

As far as I know, the 'smb_auth' program and pam_smb are both based off
the same (old) sources, and are both as insecure as each other.

The use of pam_winbind or the winbind basic authentication helper is much
more likely to gain you a functional system, and more particularly a
secure system - as the PDC's credentials are checked.

You could also consider the winbind NTLM authentication helper.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
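The setup Andrew recommends (winbindd joined to the domain, pam_winbind in place of pam_smb_auth, Jerry's two-line PAM file, and the matching squid.conf lines), written out as an added example. It is not from this thread nor from the Samba or Squid projects' own documentation. It assumes Samba 2.2-era syntax (smbpasswd -j for the domain join, pam_winbind.so under /lib/security), squid 2.5's auth_param syntax with the pam_auth helper at /usr/lib/squid/pam_auth, and the names from Pedro's message (domain LOMA, PDC SRV_CENTRAL, BDC BKSERVER); the file paths, the winbind uid/gid ranges and the realm string are placeholders. The security difference is the join: winbindd authenticates users over the Netlogon secure channel keyed by the machine account, so a host that merely answers to the PDC's name cannot approve a logon, which is exactly what pam_smb_auth cannot guarantee.

```ini
# /etc/samba/smb.conf (assumed path; Samba 2.2-era options)
[global]
   workgroup = LOMA
   security = domain
   password server = SRV_CENTRAL BKSERVER
   # winbindd needs an id range even if no unix accounts are ever used;
   # the values are placeholders, pick a range unused by local accounts
   winbind uid = 10000-20000
   winbind gid = 10000-20000
   winbind separator = +

# One-time domain join and daemon start (Samba 2.2 syntax, run as root):
#   smbpasswd -j LOMA -r SRV_CENTRAL -U Administrator
#   winbindd
# Sanity checks before touching squid: 'wbinfo -t' verifies the machine
# account secure channel to the DC; 'wbinfo -a user%pass' (assumed to be
# present in your wbinfo build) tests a real logon through winbindd.

# /etc/pam.d/squid: Jerry's two-liner with pam_winbind instead of
# pam_smb_auth. No unix account is needed for the user, so account
# management is just pam_permit.
auth     required  /lib/security/pam_winbind.so
account  required  /lib/security/pam_permit.so

# /etc/squid/squid.conf (squid 2.5 syntax; 2.4 used
# 'authenticate_program /usr/lib/squid/pam_auth' instead).
# pam_auth uses the PAM service name "squid" by default, i.e. the file
# above. With pam_auth from 2.5 and -o (skip account management) the
# account line above can be dropped, as Jerry notes.
# Basic auth only base64-encodes the password on the client-to-proxy
# hop; that is the reason to look at the NTLM helper Andrew mentions.
auth_param basic program /usr/lib/squid/pam_auth -o
auth_param basic children 5
auth_param basic realm Squid proxy (LOMA domain)
auth_param basic credentialsttl 2 hours
acl ntusers proxy_auth REQUIRED
http_access allow ntusers
http_access deny all
```

Check `wbinfo -t` first: if the trust secret is not in place, pam_winbind will fail every logon and squid will just keep prompting, which looks identical to the pam_smb symptom Pedro describes.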
Received on Wed Jul 31 2002 - 02:57:29 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:15:55 MST