1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
|
'\" te
.\" Copyright (c) 2008, Sun Microsystems, Inc. All Rights Reserved.
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH PAM_SMBFS_LOGIN 5 "Sep 25, 2008"
.SH NAME
pam_smbfs_login \- PAM user credential authentication module for SMB/CIFS
client login
.SH SYNOPSIS
.LP
.nf
pam_smb_cred.so.1
.fi
.SH DESCRIPTION
.sp
.LP
The \fBpam_smbfs_login\fR module implements \fBpam_sm_setcred\fR(3PAM) to
provide functions that act equivalently to the \fBsmbutil\fR(1) login command.
.sp
.LP
This optional functionality is meant to be used only in environments that do
not run Active Directory or Kerberos, but which synchronize passwords between
Solaris clients and their CIFS/SMB servers.
.sp
.LP
This module permits the login password to be stored as if the \fBsmbutil\fR(1)
login command was used to store a password for PAM_USER in the user or system
default domain. The choice of default domain is the first of the following:
.br
.in +2
-Domain entry specified in the default section of the \fB$HOME/.nsmbrc\fR
file, if readable.
.in -2
.br
.in +2
-Domain entry specified in the default section shown by the sharectl get smbfs
command.
.in -2
.br
.in +2
-String WORKGROUP.
.in -2
.sp
.LP
Because \fBpam_smbfs_login\fR runs as root during the login process, a
\fB$HOME/.nsmbrc\fR file accessed through NFS may only be readable if the file
permits reads by others. This conflicts with the requirement that passwords
stored in \fB$HOME/.nsmbrc\fR are ignored when permissions are open.
.sp
.LP
To use this functionality, add the following line to the \fB/etc/pam.conf\fR
file:
.sp
.in +2
.nf
login auth optional pam_smbfs_login.so.1
.fi
.in -2
.sp
.LP
Authentication service modules must implement both
\fBpam_sm_authenticate\fR(3PAM) and \fBpam_sm_setcred\fR(3PAM). In this module,
\fBpam_sm_authenticate\fR(3PAM) always returns \fBPAM_IGNORE\fR.
.sp
.LP
The \fBpam_sm_setcred\fR(3PAM) function accepts the following flags:
.sp
.ne 2
.na
\fB\fBPAM_REFRESH_CRED\fR\fR
.ad
.sp .6
.RS 4n
Returns PAM_IGNORE.
.RE
.sp
.ne 2
.na
\fB\fBPAM_SILENT\fR\fR
.ad
.sp .6
.RS 4n
Suppresses messages.
.RE
.sp
.ne 2
.na
\fB\fBPAM_ESTABLISH_CRED\fR\fR
.ad
.br
.na
\fB\fBPAM_REINITIALIZE_CRED\fR\fR
.ad
.sp .6
.RS 4n
Stores the authentication token for PAM_USER in the same manner as the
\fBsmbutil\fR(1) login command.
.RE
.sp
.ne 2
.na
\fB\fBPAM_DELETE_CRED\fR\fR
.ad
.sp .6
.RS 4n
Deletes the stored password for PAM_USER in the same manner as the
\fBsmbutil\fR(1) logout command.
.RE
.sp
.LP
The following options can be passed to the \fBpam_smbfs_login\fR module:
.sp
.ne 2
.na
\fB\fBdebug\fR\fR
.ad
.sp .6
.RS 4n
Produces \fBsyslog\fR(3C) debugging information at the LOG_AUTH or LOG_DEBUG
level.
.RE
.sp
.ne 2
.na
\fB\fBnowarn\fR\fR
.ad
.sp .6
.RS 4n
Suppresses warning messages.
.RE
.SH FILES
.sp
.ne 2
.na
\fB\fB$HOME/.nsmbrc\fR\fR
.ad
.RS 28n
Find default domain, if present.
.RE
.SH ERRORS
.sp
.LP
Upon successful completion of \fBpam_sm_setcred\fR(3PAM), \fBPAM_SUCCESS\fR is
returned. The following error codes are returned upon error:
.sp
.ne 2
.na
\fB\fBPAM_USER_UNKNOWN\fR\fR
.ad
.sp .6
.RS 4n
User is unknown.
.RE
.sp
.ne 2
.na
\fB\fBPAM_AUTHTOK_ERR\fR\fR
.ad
.sp .6
.RS 4n
Password is bad.
.RE
.sp
.ne 2
.na
\fB\fBPAM_AUTH_ERR\fR\fR
.ad
.sp .6
.RS 4n
Domain is bad.
.RE
.sp
.ne 2
.na
\fB\fBPAM_SYSTEM_ERR\fR\fR
.ad
.sp .6
.RS 4n
System error.
.RE
.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(5) for descriptions of the following attribute:
.sp
.sp
.TS
box;
c | c
l | l .
ATTRIBUTE TYPE ATTRIBUTE VALUE
_
Interface Stability Committed
_
MT Level MT-Safe with exceptions
.TE
.SH SEE ALSO
.sp
.LP
\fBsmbutil\fR(1), \fBsyslog\fR(3C), \fBlibpam\fR(3LIB), \fBpam\fR(3PAM),
\fBpam_setcred\fR(3PAM), \fBpam_sm\fR(3PAM), \fBpam_sm_authenticate\fR(3PAM),
\fBpam_sm_chauthtok\fR(3PAM), \fBpam_sm_setcred\fR(3PAM), \fBpam.conf\fR(4),
\fBattributes\fR(5), \fBsmbfs\fR(7FS)
.SH NOTES
.sp
.LP
The interfaces in \fBlibpam\fR(3LIB) are MT-Safe only if each thread within
the multi-threaded application uses its own PAM handle.
|
