junovitch@
Developer
Summary:
Samba is a nifty tool and pretty much required if you want to share files with Windows. I had never really cared for the extra effort needed to set up usernames for Samba, so when I read about the PAM_SMBPASS option I found it was exactly what I was looking for. If you are already using NFS and normal system accounts on your machine and want to pull Samba into the fold with minimal effort, then using PAM_SMBPASS will let you do that and maintain it fairly seamlessly. Hopefully things will just work and you'll never have to touch smbpasswd to separately change passwords for Samba again.
Pros:
Set things up the way you like and you'll never have to touch the smbpasswd command.
Cons:
The PAM configuration is a potential point of failure. If you remove Samba, or accidentally install the public package version of Samba, which is built without PAM_SMBPASS, PAM will have issues logging you in when it can't find the module it's configured to use.
HOWTO:
My goal here is primarily to cover the PAM portion of Samba; however, I'll describe my whole configuration from top to bottom. I'm not a Samba expert, so please mention any recommendations that would make this better. What is below works for me; there are far more detailed guides out there for configuring Samba, but seemingly minimal information regarding configuring PAM_SMBPASS.
Samba Installation:
Install Samba 4.1 with PAM_SMBPASS checked:
cd /usr/ports/net/samba41
make WITH="PAM_SMBPASS" install
Alternately, to save yourself compiling time, you can first run
pkg install samba41
to install all the dependencies, then rebuild only Samba itself from ports:
cd /usr/ports/net/samba41
make deinstall
make WITH="PAM_SMBPASS" install
If you are using Poudriere, which is what I use to maintain my local packages, you can add net/samba41 to your package list along with the following make.conf option and install through your local repository afterwards.
Code:
net_samba41_SET+=PAM_SMBPASS
Samba Configuration:
Samba is compiled with AIO support, so let's enable loading the AIO module at boot and load it now.
echo 'aio_load="YES"' >> /boot/loader.conf
kldload aio
Now for a Samba configuration file. There's nothing too fancy here. This configuration is jail friendly since it only binds on the host. There are also a few ACL options, such as the zfsacl VFS object and the nfs4:* options, that I've found required to get around Samba filling the logs with messages about "unknown tag type 64" when sharing off of ZFS.
Code:
cat > /usr/local/etc/smb4.conf << 'EOF'
[global]
interfaces = 10.100.102.2/32 127.0.0.1/32
hosts allow = 10.100.
bind interfaces only = yes
case sensitive = yes
security = user
unix extensions = no
nt acl support = yes
inherit acls = no
map acl inherit = yes
[homedirs]
path = /zfs/homedirs
comment = Home Directories
vfs objects = zfsacl
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = yes
available = yes
browseable = yes
read only = no
public = no
guest ok = no
writable = yes
EOF
PAM Configuration:
Now for the PAM configuration. Once you start, do not exit your shell: validate that you can log in from a second one before you exit, because if your PAM configuration gets messed up you can lock yourself out.
If you would like users who log in with SSH to automatically get their account and password migrated over to Samba, add the following. Unfortunately this doesn't work with SSH key logins, since key authentication never passes a password through PAM, so you'll have to resort to the other configurations below.
Code:
patch /etc/pam.d/sshd << 'EOF'
--- /etc/pam.d/sshd 2014-11-30 19:14:17.000000000 +0000
+++ /etc/pam.d/sshd 2014-11-30 19:24:09.000000000 +0000
@@ -10,6 +10,7 @@
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
+auth optional /usr/local/lib/pam_smbpass.so try_first_pass migrate
# account
account required pam_nologin.so
EOF
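Review bot: the added line at the end of the auth stack is correctly `optional`, so a failure inside pam_smbpass.so cannot reject an SSH login that pam_unix has already accepted, and `try_first_pass` lets it reuse the password pam_unix collected instead of prompting again; the absolute path /usr/local/lib/pam_smbpass.so is, however, resolved when the policy is read, which is exactly the failure case the Cons section describes if the module is later removed. A one-line comment above the added line saying why it is there would help a future editor avoid dropping or reordering it.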
If you would like local console logins to create and update the Samba account as well, you can add the same line to /etc/pam.d/system. However, this adds little value if you normally log in remotely, and keeping a local login path that does not depend on pam_smbpass is a good fallback in case the PAM configuration is wrong.
If you would like users who change their password locally to automatically get their account and new password migrated over to Samba, add the following.
Code:
patch /etc/pam.d/passwd << 'EOF'
--- /etc/pam.d/passwd 2014-11-30 18:47:55.000000000 +0000
+++ /etc/pam.d/passwd 2014-11-30 19:33:31.000000000 +0000
@@ -9,3 +9,4 @@
# password
#password requisite pam_passwdqc.so enforce=users
password required pam_unix.so no_warn try_first_pass nullok
+password optional /usr/local/lib/pam_smbpass.so try_first_pass migrate
EOF
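Review bot: placing the added line after `pam_unix.so` means the Samba password is only rewritten once the Unix password change has succeeded, which is the right order; but because it is `optional`, a failure to update the Samba database does not undo the Unix change, so the two passwords can drift apart silently. The only signal of that is the password change time that step 3 of the Testing section checks with pdbedit; it is worth stating there that an unchanged time means pam_smbpass failed, not the Unix password change.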
I've configured both options above; however, you are welcome to select only what you need, or to configure additional PAM services inside the /etc/pam.d directory.
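Before you exit the original shell, the lockout case from the Cons section can be checked for directly. The script below is an added example, not part of the original post: it scans a pam.d directory and reports any referenced module that does not exist on disk. It assumes FreeBSD-style "type control module [options]" lines and looks bare module names up in the directories named by the hypothetical PAM_LIBDIRS variable.

```shell
#!/bin/sh
# Added example, not from the original post: before leaving the root shell,
# confirm that every module referenced under a pam.d directory exists on
# disk. A reference to a module that is not installed is the lockout case
# described under Cons. Assumes FreeBSD-style "type control module [opts]"
# lines; bare module names are searched in the directories in $PAM_LIBDIRS.
PAM_LIBDIRS="${PAM_LIBDIRS:-/usr/lib /usr/local/lib}"

# resolve_pam_module NAME: print the path the module would be loaded from,
# or print nothing and exit 1 if it cannot be found
resolve_pam_module() {
    case "$1" in
        /*) [ -e "$1" ] && printf '%s\n' "$1" ;;
        *)  for d in $PAM_LIBDIRS; do
                if [ -e "$d/$1" ]; then printf '%s\n' "$d/$1"; return 0; fi
            done; return 1 ;;
    esac
}

# check_pam_dir DIR: print "file:line module missing" for every unresolvable
# module reference; exit 0 only when every referenced module exists
check_pam_dir() {
    missing=$(
        for f in "$1"/*; do
            [ -f "$f" ] || continue
            # drop comments; keep policy lines but skip "include" entries,
            # whose third field names another policy, not a module
            sed 's/#.*//' "$f" |
                awk -v f="$f" 'NF >= 3 && $2 != "include" { print f ":" NR, $3 }'
        done | while read -r loc mod; do
            resolve_pam_module "$mod" >/dev/null ||
                printf '%s %s missing\n' "$loc" "$mod"
        done
    )
    [ -n "$missing" ] && printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# run against a real policy directory when given one, e.g. ./check.sh /etc/pam.d
if [ $# -gt 0 ]; then check_pam_dir "$1"; fi
```

A non-zero exit status with one or more "missing" lines means the policy would fail to load; fix it from the shell you still have open.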
Enable and start up Samba. Don't exit your shell just yet!
sysrc samba_server_enable=YES
service samba_server start
Testing:
1. If you've never used Samba and have no users, the following won't show anything:
pdbedit -vL
2. Now log in from another terminal using SSH with a password and run pdbedit again. You should see your username. Make note of what time the password was changed.
3. Set a new password using
passwd
and check again using pdbedit. Verify the password change time has changed from what step two showed. If desired, you can set your password a second time to set it back to the original password.
4. If all is well and you can log in and change your password just fine, your PAM configuration is good and you can finally exit your original shell. If you have issues at any point, go back and review your PAM configuration changes.
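The pdbedit checks in steps 1 to 3 can be scripted, which is handy if you repeat this on several machines. The functions below are an added example, not from the original post: one pulls the "Password last set" value for a user out of pdbedit -vL output, the others compare two saved snapshots. The "Unix username:" and "Password last set:" field names are assumed from pdbedit's verbose listing, and the sample output is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: script the pdbedit checks from
# the Testing section. The field names "Unix username:" and
# "Password last set:" are assumed from the verbose listing of pdbedit -vL.

# pdb_last_set USER < pdbedit-output: print the "Password last set" value
# of USER's entry, or nothing if the user has no Samba account yet
pdb_last_set() {
    awk -v u="$1" '
        /^Unix username:/ { inuser = ($3 == u) }
        inuser && /^Password last set:/ {
            sub(/^Password last set:[[:space:]]*/, ""); print; exit
        }'
}

# smb_account_migrated USER BEFORE AFTER: succeed when USER is absent from
# the BEFORE snapshot file and present in the AFTER one (Testing step 2)
smb_account_migrated() {
    [ -z "$(pdb_last_set "$1" < "$2")" ] && [ -n "$(pdb_last_set "$1" < "$3")" ]
}

# smb_password_updated USER BEFORE AFTER: succeed when the entry exists in
# AFTER and its last-set time differs from BEFORE (Testing step 3)
smb_password_updated() {
    a=$(pdb_last_set "$1" < "$3")
    [ -n "$a" ] && [ "$a" != "$(pdb_last_set "$1" < "$2")" ]
}

# constructed sample of pdbedit -vL output with one migrated account
SAMPLE_PDB='---------------
Unix username:        alice
NT username:
Account Flags:        [U          ]
Domain:               SERVER
Password last set:    Sun, 30 Nov 2014 19:24:09 UTC
Password can change:  Sun, 30 Nov 2014 19:24:09 UTC
Password must change: never'
```

On a real host, save `pdbedit -vL` output to a file before and after each step and pass the two files to the comparison functions.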