PAM_SMBFS_LOGIN(7) Standards, Environments, and Macros PAM_SMBFS_LOGIN(7)
NAME
pam_smbfs_login - PAM user credential authentication module for
SMB/CIFS client login
SYNOPSIS
pam_smb_cred.so.1
DESCRIPTION
The
pam_smbfs_login module implements
pam_sm_setcred(3PAM) to
provide functions that act equivalently to the
smbutil(1) login
command.
This optional functionality is meant to be used only in environments
that do not run Active Directory or Kerberos, but which synchronize
passwords between clients and their CIFS/SMB servers.
This module permits the login password to be stored as if the
smbutil(1) login command was used to store a password for PAM_USER in
the user or system default domain. The choice of default domain is
the first of the following:
-Domain entry specified in the default section of the
$HOME/.nsmbrc file, if readable.
-Domain entry specified in the default section shown by the
sharectl get smbfs command.
-String WORKGROUP.
Because
pam_smbfs_login runs as root during the login process, a
$HOME/.nsmbrc file accessed through NFS may only be readable if the
file permits reads by others. This conflicts with the requirement
that passwords stored in
$HOME/.nsmbrc are ignored when permissions
are open.
To use this functionality, add the following line to the
/etc/pam.conf file:
login auth optional pam_smbfs_login.so.1
Authentication service modules must implement both
pam_sm_authenticate(3PAM) and
pam_sm_setcred(3PAM). In this module,
pam_sm_authenticate(3PAM) always returns
PAM_IGNORE.
The
pam_sm_setcred(3PAM) function accepts the following flags:
PAM_REFRESH_CRED Returns PAM_IGNORE.
PAM_SILENT Suppresses messages.
PAM_ESTABLISH_CRED PAM_REINITIALIZE_CRED Stores the authentication token for PAM_USER in the same manner
as the
smbutil(1) login command.
PAM_DELETE_CRED Deletes the stored password for PAM_USER in the same manner as
the
smbutil(1) logout command.
The following options can be passed to the
pam_smbfs_login module:
debug Produces
syslog(3C) debugging information at the LOG_AUTH or
LOG_DEBUG level.
nowarn Suppresses warning messages.
FILES
$HOME/.nsmbrc Find default domain, if present.
ERRORS
Upon successful completion of
pam_sm_setcred(3PAM),
PAM_SUCCESS is
returned. The following error codes are returned upon error:
PAM_USER_UNKNOWN User is unknown.
PAM_AUTHTOK_ERR Password is bad.
PAM_AUTH_ERR Domain is bad.
PAM_SYSTEM_ERR System error.
ATTRIBUTES
See
attributes(7) for descriptions of the following attribute:
+--------------------+-------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+--------------------+-------------------------+
|Interface Stability | Committed |
+--------------------+-------------------------+
|MT Level | MT-Safe with exceptions |
+--------------------+-------------------------+
SEE ALSO
smbutil(1),
syslog(3C),
libpam(3LIB),
pam(3PAM),
pam_setcred(3PAM),
pam_sm(3PAM),
pam_sm_authenticate(3PAM),
pam_sm_setcred(3PAM),
smbfs(4FS),
pam.conf(5),
attributes(7)NOTES
The interfaces in
libpam(3LIB) are MT-Safe only if each thread within
the multi-threaded application uses its own PAM handle.
August 19, 2023 PAM_SMBFS_LOGIN(7)
