
I have set up a Linux system with its own user account administration. It is not part of any domain (other than DNS). Now I want to allow its users to mount their home directories on a Windows system.

One way of doing this is by keeping two user account administrations: one maintained with passwd, the other with smbpasswd. This seems needlessly complicated. I want to maintain just one.

How can I best arrange this? The system is running Ubuntu 12.04 (Desktop).

reinierpost

1 Answer


Use PAM's support module for /etc/passwd.
Update:

There is a fundamental reason why you cannot unify these authentication mechanisms in any simple way.

  • Unix and Linux /etc/passwd authentication requires that the user's password be presented to the server. This can be within an encrypted channel (as in SSH password authentication when not using private-key authentication).
  • NTLM and MS-Kerberos authentication don't transmit passwords; they transmit a hash of a password, and the authenticating server takes its copy of the user's password, constructs a hash using the same algorithm and compares the hash result with the hash presented by the client. Since /etc/passwd doesn't store passwords and uses a different hashing algorithm, /etc/passwd has insufficient information for authenticating NTLM/Kerberos clients.
  • Really old SMB authentication protocols pass the password (in plaintext, i.e. unprotected) and an SMB server can therefore compute a /etc/passwd type hash of this and compare it to the hash stored in /etc/passwd.

From the above it follows that you need a separate file to store passwords (smbpasswd) or a domain controller if you want to avoid plain text passwords transiting your LAN.

RedGrittyBrick
  • To do what? To replace all use of /etc/passwd with the use of the password file managed by smbpasswd? – reinierpost Oct 01 '12 at 12:47
  • @reinierpost, I had in mind the opposite. Tell Samba to use /etc/passwd (via PAM). This seems a simpler proposition to me :-) The link in my answer points to Samba documentation, not to general Linux documentation. – RedGrittyBrick Oct 01 '12 at 13:35
  • I have tried to do that, but it seems to require the Windows client sending the password in cleartext (http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html#id2667015) or a password synchronization mechanism that appears to work only in one direction (http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html#id2667199), both rather suboptimal workarounds in my view. – reinierpost Oct 01 '12 at 13:41
  • @reinierpost: So far as I know, the most common solution for that set of requirements (encrypted credentials on wire, single point of user admin) is to authenticate through a Windows Domain Controller (or Samba acting as such). – RedGrittyBrick Oct 01 '12 at 13:50
  • That is also my impression, but it would be helpful to know for sure. Hence my question. – reinierpost Oct 01 '12 at 13:53
  • @reinierpost: There is little reason for sync to work in the other direction, since Windows does not support changing passwords over SMB if you're not in a domain (so a desync is next to impossible). – u1686_grawity Oct 01 '12 at 15:50
  • Hm ... can I set up the box to be its own one-machine Windows domain without interfering with my organization's domain (on which this box, being a Linux machine, is not allowed)? And to what extent can I get rid of /etc/passwd and /etc/shadow altogether? If I can use Samba passwords for everything (i.e. if all Ubuntu applications I use support PAM), that solution will be fine with me. – reinierpost Nov 09 '12 at 14:16
  • Would [Winscp](http://winscp.net/eng/docs/interfaces#explorer_interface) + public-key authentication be acceptable? – RedGrittyBrick Nov 09 '12 at 15:10
  • @RedGrittyBrick: Not really. I'm looking for a way to avoid having to ask my colleagues to use some special software on the Windows side. They know how to do scp, that's not the issue. – reinierpost Nov 18 '12 at 16:21