PAM_SMBFS_LOGIN(5)PAM_SMBFS_LOGIN(5)NAMEpam_smbfs_login - PAM user credential authentication module for
SMB/CIFS client login
SYNOPSIS
pam_smb_cred.so.1
DESCRIPTION
The pam_smbfs_login module implements pam_sm_setcred(3PAM) to provide
functions that act equivalently to the smbutil(1) login command.
This optional functionality is meant to be used only in environments
that do not run Active Directory or Kerberos, but which synchronize
passwords between Solaris clients and their CIFS/SMB servers.
This module permits the login password to be stored as if the smbu‐
til(1) login command was used to store a password for PAM_USER in the
user or system default domain. The choice of default domain is the
first of the following:
-Domain entry specified in the default section of the $HOME/.nsmbrc
file, if readable.
-Domain entry specified in the default section shown by the sharectl
get smbfs command.
-String WORKGROUP.
Because pam_smbfs_login runs as root during the login process, a
$HOME/.nsmbrc file accessed through NFS may only be readable if the
file permits reads by others. This conflicts with the requirement that
passwords stored in $HOME/.nsmbrc are ignored when permissions are
open.
To use this functionality, add the following line to the /etc/pam.conf
file:
login auth optional pam_smbfs_login.so.1
Authentication service modules must implement both pam_sm_authenti‐
cate(3PAM) and pam_sm_setcred(3PAM). In this module, pam_sm_authenti‐
cate(3PAM) always returns PAM_IGNORE.
The pam_sm_setcred(3PAM) function accepts the following flags:
PAM_REFRESH_CRED
Returns PAM_IGNORE.
PAM_SILENT
Suppresses messages.
PAM_ESTABLISH_CRED
PAM_REINITIALIZE_CRED
Stores the authentication token for PAM_USER in the same manner as
the smbutil(1) login command.
PAM_DELETE_CRED
Deletes the stored password for PAM_USER in the same manner as the
smbutil(1) logout command.
The following options can be passed to the pam_smbfs_login module:
debug
Produces syslog(3C) debugging information at the LOG_AUTH or
LOG_DEBUG level.
nowarn
Suppresses warning messages.
FILES
$HOME/.nsmbrc
Find default domain, if present.
ERRORS
Upon successful completion of pam_sm_setcred(3PAM), PAM_SUCCESS is
returned. The following error codes are returned upon error:
PAM_USER_UNKNOWN
User is unknown.
PAM_AUTHTOK_ERR
Password is bad.
PAM_AUTH_ERR
Domain is bad.
PAM_SYSTEM_ERR
System error.
ATTRIBUTES
See attributes(5) for descriptions of the following attribute:
┌────────────────────┬─────────────────────────┐
│ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
├────────────────────┼─────────────────────────┤
│Interface Stability │ Committed │
├────────────────────┼─────────────────────────┤
│MT Level │ MT-Safe with exceptions │
└────────────────────┴─────────────────────────┘
SEE ALSOsmbutil(1), syslog(3C), libpam(3LIB), pam(3PAM), pam_setcred(3PAM),
pam_sm(3PAM), pam_sm_authenticate(3PAM), pam_sm_chauthtok(3PAM),
pam_sm_setcred(3PAM), pam.conf(4), attributes(5), smbfs(7FS)NOTES
The interfaces in libpam(3LIB) are MT-Safe only if each thread within
the multi-threaded application uses its own PAM handle.
Sep 25, 2008 PAM_SMBFS_LOGIN(5)