After you download the software, copy it to a test Linux system, then use the tar command to extract the files from the archive. For example, the command
# tar xvfz
pam_smb-1.1.6.tar.gz
extracts pam_smb source code from the pam_smb-1.1.6.tar.gz archive into the current directory. (As with rpm and most UNIX and Linux commands, tar relies on command-line options. In this case, the x, v, f, and z specify that tar perform an extraction, run in verbose mode, extract from a file specified in the command line, and uncompress the file using gunzip before extracting the files.) Next, change to the source directory:
# cd pam_smb
You're now ready to compile and install the software. Like most open-source software, pam_smb relies on Autoconf, a source-code-configuration utility available under the Free Software Foundation's (FSF's) GNU's Not Unix (GNU) General Public License (GPL). Autoconf is almost always installed when you install the Linux OS. However, if Autoconf isn't installed on your system, you can find it on the distribution CD-ROM, usually as an .rpm file (autoconf-version.rpm). Autoconf lets the source code configure itself to your system to ensure maximum compatibility. Start by running the configure script that's included with the pam_smb source code:
# ./configure
At this point, the software is ready to compile, so you can begin the make process:
# make
Finally, you must manually copy the compiled module, pam_smb_auth.so, to /lib/security, the location for PAM modules:
# cp pam_smb_auth.so /lib/security
With the software compiled and installed, you can configure the software.
Configuring the Software
Configuring pam_smb requires that you inform the module of your domain and the names of the domain's PDC and BDC, and that you alert PAM to the new module's presence. Begin by configuring the domain and DC information.
Edit the text file /etc/pam_smb.conf and enter your domain's name and the name of one or two DCs. (You can use any editor that's installed on your system, such as vi, emacs, joe, or pico.) The workgroup name goes first; subsequent lines contain DC names:
EXAMDOM
PDC1
BDC1
Entering multiple DCs allows for redundancy. Unfortunately, pam_smb supports only two DCs, so select two that are physically close to each other and are stable.
Typically, pam_smb (and many Linux services) is dependent on TCP/IP. That dependence isn't a problem, but it can cause confusing errors when you expect a network service to use broadcasting or some other Windows-centric method to resolve computer names. Instead of relying on broadcasting, specify a resolvable host name for your DCs. If you aren't using DNS, add entries to /etc/hosts (/etc/hosts contains static mappings of hostnames to IP addresses) to establish the mappings:
192.168.0.50 pdc1 pdc1.example.com
192.168.0.51 bdc1 bdc1.example.com
Now that pam_smb is configured, you must update PAM to use the new module. You need to know only two core facts about PAM. First, each service that relies on PAM uses a configuration file that in Red Hat Linux is located in the directory /etc/pam.d. For example, Telnet uses the configuration file /etc/pam.d/login and Secure Shell (SSH) uses /etc/pam.d/sshd. Second, each configuration file contains a series of lines that specify which modules the service should use and how to use them. We'll concentrate solely on configuration lines that begin with auth and configure that service's authentication requirements.
Start by configuring Telnet to use logons for Windows accounts. In Red Hat Linux 6.2, when you view /etc/pam.d/login, the configuration file will look like the example that Listing 1 shows.
You can ignore everything except the lines that begin with auth (the first three lines in the sample file). The first line, pam_securetty, determines which terminal a user logs on to; the third line, pam_nologin, checks for /etc/nologin, which disables system logons. (Systems administrators use /etc/nologin as a temporary measure to stop users from entering the system.) We're interested in the second line, which contains pam_pwdb.
)
pkarrel,pkarrel November 06, 2006 (Article Rating: