20.5 NTLM: Using a Windows Server to Perform Authentication and Pluggable Authentication Modules (PAM)

     

First things first. If you get this configuration wrong, you might be left in a position where no one is able to log in to your HP-UX server. This is serious! Let me make it even clearer. We are still going to use the libpam_unix.1 module to authenticate "normal" UNIX users, e.g., root, bin, sys, and any other valid UNIX-only users. What this configuration adds is the ability for users to log in to our HP-UX servers with their passwords being checked on a Windows server. Remember, in order to log in to a UNIX machine, you still need an entry in /etc/passwd. Every entry in the password file provides a username/UID; this is essential on UNIX so that the user can be identified with processes, files, and so on. The difference here is that password management for some of those users is taken care of by a Windows server, e.g., NT, 2000, and XP. Here's an example /etc/passwd file on our HP-UX CIFS client:

 

    root@hpeos004[] cat /etc/passwd
    root:HRl3bvbgAJAzY:0:3::/:/sbin/sh
    daemon:*:1:5::/:/sbin/sh
    bin:*:2:2::/usr/bin:/sbin/sh
    sys:*:3:3::/:
    adm:*:4:4::/var/adm:/sbin/sh
    uucp:*:5:3::/var/spool/uucppublic:/usr/lbin/uucp/uucico
    lp:*:9:7::/var/spool/lp:/sbin/sh
    nuucp:*:11:11::/var/spool/uucppublic:/usr/lbin/uucp/uucico
    hpdb:*:27:1:ALLBASE:/:/sbin/sh
    oracle::102:102:Oracle:/home/oracle:/usr/bin/sh
    nobody:*:-2:-2::/:
    www:*:30:1::/:
    webadmin:*:40:1::/usr/obam/server/nologindir:/usr/bin/false
    bonzo:w/gZ2rWgdzMuc:101:20::/home/bonzo:/sbin/sh
    mikey:3VYPC9Fw4Mr/.:103:20::/home/mikey:/sbin/sh
    stevo:kXWYDiSgtDims:104:20::/home/stevo:/sbin/sh
    fred:*:105:20::/home/fred:/sbin/sh
    barney:*:106:20::/home/barney:/sbin/sh
    wilma:*:107:20::/home/wilma:/sbin/sh
    betty:*:108:20::/home/betty:/sbin/sh
    root@hpeos004[]

As you can see, we still have real UNIX users such as root, bonzo, mikey, and stevo; they have real UNIX passwords. We also have users with invalid passwords (a password field of *): fred, barney, wilma, and betty. These users need to log in to our HP-UX server, but their passwords are maintained on an NT/2000/XP server (in this case, an NT 4.0 SP6 server known as NTPDC1). Note in passing that oracle has an empty password field, which libpam_unix.1 accepts with no password at all; that has nothing to do with NTLM but is worth fixing before going any further. Figure 20-2 shows the User Manager for Domains screen from NTPDC1:

Figure 20-2. User manager for domains.
graphics/20fig02.jpg

NOTE : I have included a bogus root user on NTPDC1 to help demonstrate the necessity of being careful with the configuration files we will work with, i.e., /etc/pam.conf .

The file we are initially configuring is the one that decides which modules are used to authenticate users logging in to this server: /etc/pam.conf. Normally, the login-type processes (login, passwd, su, dtlogin, ftp, and so on) use the shared library /usr/lib/security/libpam_unix.1 to authenticate users; pam.conf names which pluggable authentication module each service uses, hence the name PAM. We are going to change this configuration so that users can be authenticated via the Windows server. This is essentially a CIFS client configuration change; we are specifying where the NTLM authentication credentials stored on the Windows server are to be used. It also means that should these users wish to use a CIFS share advertised somewhere within the Windows domain, they will not have to cifslogin to that CIFS server, because our HP-UX server has cached the users' security credentials obtained during the NTLM authentication with the Windows server.

In my mind, I would probably want to always authenticate real UNIX users, e.g., root , bonzo , mikey , and stevo locally on my HP-UX server; I wouldn't want to miss authenticating these important users via our Windows server. This can be the scary bit; if you don't ensure that real UNIX users are authenticated locally, you may be in a situation where root can't log in, and that's not a good thing. My configuration examples below will take this into account. Here are the steps involved:

  1. Configure /etc/pam.conf to utilize NTLM as an authentication protocol in addition to using standard UNIX login semantics.

  2. Configure smb.conf to reference the NTLM server.

  3. Configure a user map to specifically reference individual UNIX users to a different username on the NTLM server (optional).

  4. Restart CIFS client daemon to pick up changes in smb.conf (only necessary if you are changing the NTLM server specifications).

  5. Test the functionality of NTLM authentication.

20.5.1 Configure /etc/pam.conf to utilize NTLM as an authentication protocol

Here, we are ensuring that we configure NTLM as an additional authentication protocol not only when a user logs in but also when he changes his password (either of his own choice or because the password expired ). This requires you to configure the Authentication , Account , and Password sections of /etc/pam.conf ; you will see them clearly commented in the /etc/pam.conf file. Here is the /etc/pam.conf file I used on my CIFS client hpeos004 :

 

    root@hpeos004[] vi /etc/pam.conf
    #
    # PAM configuration
    #
    # Authentication management
    #
    login    auth sufficient /usr/lib/security/libpam_ntlm.1 debug
    login    auth required   /usr/lib/security/libpam_unix.1 debug try_first_pass
    su       auth sufficient /usr/lib/security/libpam_ntlm.1 debug
    su       auth required   /usr/lib/security/libpam_unix.1 debug try_first_pass
    dtlogin  auth sufficient /usr/lib/security/libpam_ntlm.1 debug
    dtlogin  auth required   /usr/lib/security/libpam_unix.1 debug try_first_pass
    dtaction auth sufficient /usr/lib/security/libpam_ntlm.1 debug
    dtaction auth required   /usr/lib/security/libpam_unix.1 debug try_first_pass
    ftp      auth sufficient /usr/lib/security/libpam_ntlm.1 debug
    ftp      auth required   /usr/lib/security/libpam_unix.1 debug try_first_pass
    OTHER    auth required   /usr/lib/security/libpam_unix.1 debug
    #
    # Account management
    #
    login    account sufficient /usr/lib/security/libpam_ntlm.1 debug
    login    account required   /usr/lib/security/libpam_unix.1 debug
    su       account sufficient /usr/lib/security/libpam_ntlm.1 debug
    su       account required   /usr/lib/security/libpam_unix.1 debug
    dtlogin  account sufficient /usr/lib/security/libpam_ntlm.1 debug
    dtlogin  account required   /usr/lib/security/libpam_unix.1 debug
    dtaction account sufficient /usr/lib/security/libpam_ntlm.1 debug
    dtaction account required   /usr/lib/security/libpam_unix.1 debug
    ftp      account sufficient /usr/lib/security/libpam_ntlm.1 debug
    ftp      account required   /usr/lib/security/libpam_unix.1 debug
    OTHER    account required   /usr/lib/security/libpam_unix.1 debug
    #
    # Session management
    #
    login    session required       /usr/lib/security/libpam_unix.1 debug
    dtlogin  session required       /usr/lib/security/libpam_unix.1 debug
    dtaction session required       /usr/lib/security/libpam_unix.1 debug
    OTHER    session required       /usr/lib/security/libpam_unix.1 debug
    #
    # Password management
    #
    login    password required   /usr/lib/security/libpam_ntlm.1 debug
    login    password required   /usr/lib/security/libpam_unix.1 debug
    passwd   password required   /usr/lib/security/libpam_ntlm.1 debug
    passwd   password required   /usr/lib/security/libpam_unix.1 debug
    dtlogin  password required   /usr/lib/security/libpam_ntlm.1 debug
    dtlogin  password required   /usr/lib/security/libpam_unix.1 debug
    dtaction password required   /usr/lib/security/libpam_ntlm.1 debug
    dtaction password required   /usr/lib/security/libpam_unix.1 debug
    OTHER    password required   /usr/lib/security/libpam_unix.1 debug
    root@hpeos004[cifsclient]

Let me explain the changes, taking the login service name in the Authentication section as an example:

 

    login    auth sufficient /usr/lib/security/libpam_ntlm.1 debug
    login    auth required   /usr/lib/security/libpam_unix.1 debug try_first_pass

The PAM framework lets us stack several modules under one service name in order to implement multiple authentication services. PAM processes the modules in the order they appear in the configuration file. The control flag (sufficient or required in this case) decides how each module's result affects the final answer. A sufficient module that succeeds ends the stack with success immediately, provided no earlier required module has failed; if it fails, the stack simply continues with the next module. A required module that fails does not stop the stack, but the final result will be failure regardless of what later modules return. The debug option sends a message to syslog at the debug level (we will configure syslog to capture this). The try_first_pass option tells libpam_unix.1 to reuse the password the user entered for the first module in the stack rather than prompting again. Here are a few examples:

  • In our example, if mikey tries to log in, we attempt to authenticate him via the Windows server using the password he enters. This will fail, and we attempt to authenticate him using the same password but against /etc/passwd . If this succeeds, he will be allowed to log in.

  • If fred tries to log in, he will be authenticated by the NT server and that will be sufficient to allow him to log in. If fred then tries to su to mikey , he will need to supply the correct password for mikey . This password will be authenticated first by the Windows server and will fail. Because we have used the try_first_pass option, the password fred supplied will be passed to libpam_unix.1 . If he supplied the correct password, he will be allowed to su with no further prompts. If fred supplied the wrong password (or we didn't use the try_first_pass option), fred will be asked to enter the password for mikey via a System Password: prompt.

  • If we take root as an example, this becomes more interesting, because we added a bogus root account on the Windows server. When root logs in with the UNIX password, libpam_ntlm.1 is tried first and fails (unless the password on both servers happens to be the same); libpam_unix.1 then accepts the same password via try_first_pass and root is logged in. If we had entered a completely wrong password, libpam_unix.1 would re-prompt with System Password:. This may surprise some administrators, but it is the documented behaviour of libpam_unix.1; read man pam_unix! The bogus root account also matters when we change the root password. Because the password stack calls libpam_ntlm.1 first, we are asked for the old root password, as is the convention under Windows; that prompt should raise suspicion in the mind of a root user (unless we are running a Trusted System, where it is normal). If you supply the correct old password, you are then given the opportunity to change the password on the Windows server. If you do not, you fall through to UNIX semantics, where you are not asked for an old password (again, unless on a Trusted System). Finally, and this is the important point, entering the Windows-side root password at the login prompt also gets you in: libpam_ntlm.1 succeeds, it is flagged sufficient, and libpam_unix.1 is never consulted. A second system that can authenticate root is a genuine exposure, not just an oddity. Separate, site-wide username and password policies for the two platforms (for example, never having a domain account called root) reduce the problem. Keeping passwords synchronized between platforms, or deliberately not doing so, is another possible approach and is a topic beyond the scope of this chapter. This is worth remembering.
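The three cases above all follow from the control-flag rules, and the safest way to convince yourself of that before touching a production pam.conf is to walk the stack by hand. The following is an added example, not code from the book or from HP's PAM implementation: it simulates the login auth stack from the pam.conf above with the semantics just described, and also the mistake this section warns about (making libpam_ntlm.1 required rather than sufficient). The account stores are constructed stand-ins: root = banana11 locally and root = root, fred = fred on NTPDC1 are the values the chapter uses in its tests; mikey's password is an assumption.

```python
"""Simulation of the HP-UX PAM auth stack from the /etc/pam.conf above.

Added example, not code from the book or from libpam_ntlm.1/libpam_unix.1.
Walks a list of (module, control flag, options) entries with the control-flag
semantics described in the text so the outcomes for mikey, fred and the
duplicated root account can be checked offline.
"""
from typing import Callable, Dict, List, Set, Tuple

# Constructed stand-ins for the NTPDC1 account database and /etc/passwd.
WINDOWS_ACCOUNTS: Dict[str, str] = {"fred": "fred", "root": "root"}  # bogus root lives here
UNIX_ACCOUNTS: Dict[str, str] = {"root": "banana11", "mikey": "m1key", "fred": "*"}  # "*" = no hash


def ntlm_auth(user: str, password: str) -> bool:
    """Stand-in for libpam_ntlm.1: succeeds only if NTPDC1 accepts user/password."""
    return WINDOWS_ACCOUNTS.get(user) == password


def unix_auth(user: str, password: str) -> bool:
    """Stand-in for libpam_unix.1: a '*' password field can never match."""
    stored = UNIX_ACCOUNTS.get(user, "*")
    return stored != "*" and stored == password


Entry = Tuple[str, Callable[[str, str], bool], str, Set[str]]  # name, module, flag, options

# The login stack from the chapter's pam.conf, and the misconfiguration it warns about.
BOOK_STACK: List[Entry] = [
    ("ntlm", ntlm_auth, "sufficient", set()),
    ("unix", unix_auth, "required", {"try_first_pass"}),
]
MISCONFIGURED_STACK: List[Entry] = [
    ("ntlm", ntlm_auth, "required", set()),  # NTLM now mandatory for everyone, root included
    ("unix", unix_auth, "required", {"try_first_pass"}),
]


def run_auth_stack(stack: List[Entry], user: str, typed: List[str]):
    """Evaluate one PAM auth stack for `user`.

    `typed` holds the passwords in the order the user types them: the first
    answers the initial "Password:" prompt, the rest answer any later
    "System Password:" prompts. Returns (granted, reprompts, trace).
    """
    answers = iter(typed)
    password = None
    reprompts = 0
    required_failed = False
    any_ok = False
    trace: List[str] = []

    for name, module, flag, options in stack:
        if password is None:
            # The first module in the stack collects the password.
            password = next(answers, "")
            ok = module(user, password)
        elif "try_first_pass" in options:
            # Reuse the password already entered; on failure libpam_unix.1
            # falls back to its own System Password: prompt (see man pam_unix).
            ok = module(user, password)
            if not ok:
                reprompts += 1
                ok = module(user, next(answers, ""))
        else:
            # Without try_first_pass a later module prompts for its own password.
            reprompts += 1
            ok = module(user, next(answers, ""))

        trace.append(f"{name} {flag}: {'ok' if ok else 'fail'}")
        any_ok = any_ok or ok

        if flag == "sufficient":
            if ok and not required_failed:
                return True, reprompts, trace   # decided now; later modules are skipped
        elif flag == "requisite":
            if not ok:
                return False, reprompts, trace  # fail immediately
        elif flag == "required":
            if not ok:
                required_failed = True          # keep going, but the outcome is fixed
        # "optional" entries never decide the outcome

    return (any_ok and not required_failed), reprompts, trace


if __name__ == "__main__":
    cases = (("mikey", ["m1key"]), ("fred", ["fred"]), ("root", ["root"]),
             ("root", ["garbage", "banana11"]))
    for label, stack in (("book", BOOK_STACK), ("misconfigured", MISCONFIGURED_STACK)):
        for user, typed in cases:
            granted, reprompts, trace = run_auth_stack(stack, user, typed)
            print(f"{label:13} {user:6} granted={granted!s:5} reprompts={reprompts} {trace}")
```

Run it and compare the book stack with the misconfigured one: with libpam_ntlm.1 as sufficient, root with the Windows-side password root is granted a shell without libpam_unix.1 ever running, which is the exposure described above; with libpam_ntlm.1 as required, root cannot log in with banana11 at all, which is the lockout the start of this section warns about.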

Because this is somewhat involved, we will go through a number of examples once we conclude the configuration.

20.5.2 Configure smb.conf to reference the NTLM server

Here, we need to change the client version of the smb.conf file to use domain-level security, which in turn requires us to configure the name of the password server(s) as well as a WINS server within our Windows domain. Here are the changes I made to the CIFS client smb.conf file to implement this new configuration:

 

    root@hpeos004[] vi /etc/opt/cifsclient/pam/smb.conf
    ...
    [global]
    ##  workgroup: NT-Domain-Name or Workgroup-Name
    workgroup = UKDOM1

    ##  password server: the netbios names of systems which will
    ##  be used to authenticate logins.
    password server = NTPDC1

    ##  wins server: the system used to locate password servers,
    ##  specified as a fully-qualified DNS name or an IP address.
    wins server = NTPDC1

20.5.3 Configure a user map to specifically reference individual UNIX users to be authenticated by the NTLM server

This step is optional. What the user map allows us to configure is a list of UNIX users who will have their passwords stored on the Windows server as before, but potentially under a different username. First, we configure the name of the file that maps the UNIX username to the Windows domain username; we accomplish this in the smb.conf file. We then construct the file that individually lists the UNIX-to-Windows username map.

 

    root@hpeos004[] vi /etc/opt/cifsclient/pam/smb.conf
    [Global]
    Domain user map = /etc/opt/cifsclient/pam/domain_user.map

    root@hpeos004[] vi /etc/opt/cifsclient/pam/domain_user.map
    barney = \UKDOM1\bambam

20.5.4 Restart CIFS client daemon to pick up changes in smb.conf

Once we have made these changes, it may be necessary to restart the cifsclientd daemon if we have changed any of the server specifications. If we have made only minor changes, we do not need to restart the daemon. We can simply use the cifsclient command to restart the cifsclientd process (NOTE: This will unmount all CIFS shares in the process of restarting the daemon):

 

 root@hpeos004[]  cifsclient restart  

20.5.5 Test the functionality of NTLM authentication

We perform a number of tests to ensure that all is working as expected. First, I need to configure syslog to capture the debug messages from the authentication subsystem; this does not happen by default. To make my life a little easier, I will separate out all authentication facility messages at the debug level or higher to a separate file from syslog.log :

 

    root@hpeos004[] vi /etc/syslog.conf
    # @(#)B.11.11_LR
    #
    # syslogd configuration file.
    #
    # See syslogd(1M) for information about the format of this file.
    #
    mail.debug              /var/adm/syslog/mail.log
    *.info;mail.none        /var/adm/syslog/syslog.log
    auth.debug              /var/adm/syslog/auth_debug.log
    *.alert                 /dev/console
    *.alert                 root
    *.emerg                 *
    root@hpeos004[]
    root@hpeos004[] kill -HUP $(cat /var/run/syslog.pid)
    root@hpeos004[] ll /var/adm/syslog
    total 132
    -rw-r--r--   1 root       root         11067 Sep  9 18:31 OLDsyslog.log
    -r--r--r--   1 root       root             0 Sep 10 14:50 auth_debug.log
    -r--r--r--   1 root       root         27914 Sep 10 09:08 mail.log
    -rw-r--r--   1 root       root         18806 Sep 10 14:50 syslog.log
    root@hpeos004[]

  1. Let's start by ensuring that root can still log in using the HP-UX password, banana11. The password for root stored on the Windows server is root. I will include extracts from the auth_debug.log file.

     root@hpeos004[] pwget -n root
     root:StW2t72yybduI:0:3::/:/sbin/sh
     root@hpeos004[] telnet hpeos004
     Trying...
     Connected to hpeos004.
     Escape character is '^]'.
     Local flow control on
     Telnet TERMINAL-SPEED option ON

     HP-UX hpeos004 B.11.11 U 9000/800 (ta)

     login: root
     Password:
     Please wait...checking for disk quotas
     (c)Copyright 1983-2000 Hewlett-Packard Co.,  All Rights Reserved.
     (c)Copyright 1979, 1980, 1983, 1985-1993 The Regents of the Univ. of California
     (c)Copyright 1980, 1984, 1986 Novell, Inc.
     (c)Copyright 1986-1992 Sun Microsystems, Inc.
     (c)Copyright 1985, 1986, 1988 Massachusetts Institute of Technology
     (c)Copyright 1989-1993  The Open Software Foundation, Inc.
     (c)Copyright 1986 Digital Equipment Corp.
     (c)Copyright 1990 Motorola, Inc.
     (c)Copyright 1990, 1991, 1992 Cornell University
     (c)Copyright 1989-1991 The University of Maryland
     (c)Copyright 1988 Carnegie Mellon University
     (c)Copyright 1991-2000 Mentat Inc.
     (c)Copyright 1996 Morning Star Technologies, Inc.
     (c)Copyright 1996 Progressive Systems, Inc.
     (c)Copyright 1991-2000 Isogon Corporation, All Rights Reserved.

                                RESTRICTED RIGHTS LEGEND
     Use, duplication, or disclosure by the U.S. Government is subject to
     restrictions as set forth in sub-paragraph (c)(1)(ii) of the Rights in
     Technical Data and Computer Software clause in DFARS 252.227-7013.

                                Hewlett-Packard Company
                                3000 Hanover Street
                                Palo Alto, CA 94304 U.S.A.

     Rights for non-DOD U.S. Government Departments and Agencies are as set
     forth in FAR 52.227-19(c)(1,2).
     You have mail.
     Value of TERM has been set to "dtterm".
     WARNING:  YOU ARE SUPERUSER !!
     root@hpeos004[]

Here is the extract from the auth_debug.log file:

 

    Sep 10 10:04:22 hpeos004 login: Entering ntlm pam_sm_authenticate: flags 0
    Sep 10 10:04:22 hpeos004 login: ntlm pam_sm_authenticate(login, root), flags = 0
    Sep 10 10:04:28 hpeos004 login: pam_ntlm: Incorrect NT password for username : root
    Sep 10 10:04:28 hpeos004 login: ntlm authentication failed! Bad Password
    Sep 10 10:04:28 hpeos004 login: ntlm_pam_authenticate: returning FAILURE
    Sep 10 10:04:28 hpeos004 login: pam_authenticate: error Authentication failed
    Sep 10 10:04:28 hpeos004 login: unix pam_sm_authenticate(login root), flags = 0
    Sep 10 10:04:28 hpeos004 login: Entering ntlm pam_sm_acct_mgmt: flags 0
    Sep 10 10:04:28 hpeos004 login: nltm pam_sm_acct_mgmt pam_get_data err=24
    Sep 10 10:04:28 hpeos004 login: pam_acct_mgmt: error No account present for user
    Sep 10 10:04:28 hpeos004 login: Entering ntlm pam_sm_setcred ...
    Sep 10 10:04:28 hpeos004 login: pam_sm_setcred(): no module data

The first thing I should point out is the slight delay you may experience while the authentication takes place. Normally, standard UNIX authentication is almost instantaneous. In this case, there was a perceived delay of approximately 0.5-1 second. Now back to the output from auth_debug.log. The first six lines show libpam_ntlm.1 rejecting root with the password banana11. The unix pam_sm_authenticate line shows libpam_unix.1 then accepting the same password, with no System Password: prompt appearing. Finally, the account-management function of libpam_ntlm.1 runs, finds no module data for this user (it never authenticated root) and returns "No account present"; because that entry is only sufficient, the required libpam_unix.1 account check decides and the login proceeds.

  2. We will try to log in as fred; remember, fred has an invalid password as far as HP-UX is concerned (fred's password on the Windows server happens to be fred).

     root@hpeos004[] pwget -n fred
     fred:*:105:20::/home/fred:/sbin/sh
     root@hpeos004[] telnet hpeos004
     Trying...
     Connected to hpeos004.
     Escape character is '^]'.
     Local flow control on
     Telnet TERMINAL-SPEED option ON

     HP-UX hpeos004 B.11.11 U 9000/800 (ta)

     login: fred
     Password:
     Please wait...checking for disk quotas
     [HP-UX copyright banner as in test 1]
     $ id
     uid=105(fred) gid=20(users)
     $

Here's the accompanying output from auth_debug.log :

 

    Sep 10 10:12:00 hpeos004 login: Entering ntlm pam_sm_authenticate: flags 0
    Sep 10 10:12:00 hpeos004 login: ntlm pam_sm_authenticate(login, fred), flags = 0
    Sep 10 10:12:02 hpeos004 login: pam_ntlm: fred Succesfully logged is as fred
    Sep 10 10:12:02 hpeos004 login: ntlm authenticate passed!
    Sep 10 10:12:02 hpeos004 login: setCred succeed for fred, uid 105, size 260;
    Sep 10 10:12:02 hpeos004 login: ntlm_pam_authenticate: returning SUCCESS
    Sep 10 10:12:02 hpeos004 login: Entering ntlm pam_sm_acct_mgmt: flags 0
    Sep 10 10:12:02 hpeos004 login: Entering ntlm pam_sm_setcred ...
    Sep 10 10:12:02 hpeos004 login: pam_sm_setcred(): no module data

As we can see, fred is authenticated by the Windows Server.

  3. We will log in as mikey and ensure that we can change to another valid UNIX account (using the su command), in this case the user stevo.

     root@hpeos004[] pwget -n mikey
     mikey:3VYPC9Fw4Mr/.:103:20::/home/mikey:/sbin/sh
     root@hpeos004[] pwget -n stevo
     stevo:kXWYDiSgtDims:104:20::/home/stevo:/sbin/sh
     root@hpeos004[] telnet hpeos004
     Trying...
     Connected to hpeos004.
     Escape character is '^]'.
     Local flow control on
     Telnet TERMINAL-SPEED option ON

     HP-UX hpeos004 B.11.11 U 9000/800 (ta)

     login: mikey
     Password:
     Please wait...checking for disk quotas
     [HP-UX copyright banner as in test 1]
     $ su - stevo
     Password:
     [HP-UX copyright banner as in test 1]
     $ id
     uid=104(stevo) gid=20(users)
     $

Again, it is worthwhile to check the debug output from auth_debug.log to ensure that all is working as expected:

 

    Sep 10 10:17:12 hpeos004 login: Entering ntlm pam_sm_authenticate: flags 0
    Sep 10 10:17:12 hpeos004 login: ntlm pam_sm_authenticate(login, mikey), flags = 0
    Sep 10 10:17:17 hpeos004 login: pam_ntlm: Incorrect NT password for username : mikey
    Sep 10 10:17:17 hpeos004 login: ntlm authentication failed! Bad Password
    Sep 10 10:17:17 hpeos004 login: ntlm_pam_authenticate: returning FAILURE
    Sep 10 10:17:17 hpeos004 login: pam_authenticate: error Authentication failed
    Sep 10 10:17:17 hpeos004 login: unix pam_sm_authenticate(login mikey), flags = 0
    Sep 10 10:17:17 hpeos004 login: Entering ntlm pam_sm_acct_mgmt: flags 0
    Sep 10 10:17:17 hpeos004 login: nltm pam_sm_acct_mgmt pam_get_data err=24
    Sep 10 10:17:17 hpeos004 login: pam_acct_mgmt: error No account present for user
    Sep 10 10:17:17 hpeos004 login: Entering ntlm pam_sm_setcred ...
    Sep 10 15:17:24 hpeos004 su: Entering ntlm pam_sm_authenticate: flags 0
    Sep 10 15:17:24 hpeos004 su: ntlm pam_sm_authenticate(su, stevo), flags = 0
    Sep 10 15:17:30 hpeos004 su: pam_ntlm: Incorrect NT password for username : stevo
    Sep 10 15:17:30 hpeos004 su: ntlm authentication failed! Bad Password
    Sep 10 15:17:30 hpeos004 su: ntlm_pam_authenticate: returning FAILURE
    Sep 10 15:17:30 hpeos004 su: pam_authenticate: error Authentication failed
    Sep 10 15:17:30 hpeos004 su: unix pam_sm_authenticate(su stevo), flags = 0
    Sep 10 15:17:30 hpeos004 su: Entering ntlm pam_sm_acct_mgmt: flags 0
    Sep 10 15:17:30 hpeos004 su: nltm pam_sm_acct_mgmt pam_get_data err=24
    Sep 10 15:17:30 hpeos004 su: pam_acct_mgmt: error No account present for user
    Sep 10 15:17:30 hpeos004 su: Entering ntlm pam_sm_setcred ...
    Sep 10 15:17:30 hpeos004 su: + ta mikey-stevo

Again, we see that both the login and su processes try to authenticate the user on the Windows server first; that fails, and each then authenticates the user against /etc/passwd on the HP-UX server.

  4. Here, we will demonstrate the problem of having duplicate accounts on both the Windows and HP-UX servers, namely the potential problem with the root user. You will recall that the root user on the Windows server has a password of root, and on the HP-UX server it has a password of banana11. We will deliberately enter a completely wrong password. We should see that libpam_ntlm.1 fails to authenticate us; the password is passed to libpam_unix.1 (via the try_first_pass option), which also fails, and libpam_unix.1 should then issue a System Password: prompt so that we can enter the real UNIX root password. Let's see what happens:

     root@hpeos004[] telnet hpeos004
     Trying...
     Connected to hpeos004.
     Escape character is '^]'.
     Local flow control on
     Telnet TERMINAL-SPEED option ON

     HP-UX hpeos004 B.11.11 U 9000/800 (ta)

     login: root
     Password:           [garbage password entered]
     System Password:
     Please wait...checking for disk quotas
     [HP-UX copyright banner as in test 1]
     You have mail.
     Value of TERM has been set to "dtterm".
     WARNING:  YOU ARE SUPERUSER !!
     root@hpeos004[]

Here is the output from auth_debug.log :

 

    Sep 10 13:00:39 hpeos004 login: Entering ntlm pam_sm_authenticate: flags 0
    Sep 10 13:00:39 hpeos004 login: ntlm pam_sm_authenticate(login, root), flags = 0
    Sep 10 13:00:45 hpeos004 login: pam_ntlm: Incorrect NT password for username : root
    Sep 10 13:00:45 hpeos004 login: ntlm authentication failed! Bad Password
    Sep 10 13:00:45 hpeos004 login: ntlm_pam_authenticate: returning FAILURE
    Sep 10 13:00:45 hpeos004 login: pam_authenticate: error Authentication failed
    Sep 10 13:00:45 hpeos004 login: unix pam_sm_authenticate(login root), flags = 0
    Sep 10 13:00:55 hpeos004 login: Entering ntlm pam_sm_acct_mgmt: flags 0
    Sep 10 13:00:55 hpeos004 login: nltm pam_sm_acct_mgmt pam_get_data err=24
    Sep 10 13:00:55 hpeos004 login: pam_acct_mgmt: error No account present for user
    Sep 10 13:00:55 hpeos004 login: Entering ntlm pam_sm_setcred ...
    Sep 10 13:00:55 hpeos004 login: pam_sm_setcred(): no module data

  5. The last test is to demonstrate the use of a share from the NTPDC1 server. We add an entry to the /etc/fstab file, log in as the user fred, and see whether we can use the share without running the cifslogin command or having to provide a password to the cifsmount command. Here goes:

     root@hpeos004[] echo "ntpdc1:/data /data cifs defaults 0 0" >> /etc/fstab
     root@hpeos004[] mount -aF cifs
     root@hpeos004[] bdf
     Filesystem          kbytes    used   avail %used Mounted on
     /dev/vg00/lvol3    1302528 1051972  234905   82% /
     /dev/vg00/lvol1     111637   49319   51154   49% /stand
     /dev/vg00/lvol8     516096   87107  402251   18% /var
     /dev/vg00/lvol7     917504  755385  152046   83% /usr
     /dev/vg00/lvol4     204800  113745   85371   57% /tmp
     /dev/vg00/lvol6     851968  649868  189694   77% /opt
     /dev/vg00/lvol5      24576    1650   21542    7% /home
     NFS access failed for server ntpdc1: RPC: Remote system error
     NFS fsstat failed for server ntpdc1: RPC: Remote system error
     bdf: /data: I/O error
     root@hpeos004[] telnet hpeos004
     Trying...
     Connected to hpeos004.
     Escape character is '^]'.
     Local flow control on
     Telnet TERMINAL-SPEED option ON

     HP-UX hpeos004 B.11.11 U 9000/800 (ta)

     login: fred
     Password:
     Please wait...checking for disk quotas
     [HP-UX copyright banner as in test 1]
     $ cd /data
     $ ll
     total 5482
     drwxrwxrwx   2 fred       users       131072 Sep 10 10:14 HP-NetAccess
     drwxrwxrwx   2 fred       users       131072 Sep 10 10:15 HPUX-tools
     -rwxrwxrwx   1 fred       users      2806496 Sep 10 11:56 NT-users.tif
     drwxrwxrwx   2 fred       users       131072 Sep 10 10:15 Netscape
     drwxrwxrwx   2 fred       users       131072 Sep 10 10:14 OfficeJetG95-Software
     drwxrwxrwx   2 fred       users       131072 Sep 10 10:20 free
     drwxrwxrwx   2 fred       users       131072 Sep 10 10:16 progs
     $ bdf
     Filesystem          kbytes    used   avail %used Mounted on
     /dev/vg00/lvol3    1302528 1051972  234905   82% /
     /dev/vg00/lvol1     111637   49319   51154   49% /stand
     /dev/vg00/lvol8     516096   87233  402133   18% /var
     /dev/vg00/lvol7     917504  755385  152046   83% /usr
     /dev/vg00/lvol4     204800  113745   85371   57% /tmp
     /dev/vg00/lvol6     851968  649868  189694   77% /opt
     /dev/vg00/lvol5      24576    1650   21542    7% /home
     NFS access failed for server ntpdc1: RPC: Remote system error
     NFS fsstat failed for server ntpdc1: RPC: Remote system error
     bdf: /data: I/O error
     $ touch fred.file
     $ ll
     total 5482
     drwxrwxrwx   2 fred       users       131072 Sep 10 10:14 HP-NetAccess
     drwxrwxrwx   2 fred       users       131072 Sep 10 10:15 HPUX-tools
     -rwxrwxrwx   1 fred       users      2806496 Sep 10 11:56 NT-users.tif
     drwxrwxrwx   2 fred       users       131072 Sep 10 10:15 Netscape
     drwxrwxrwx   2 fred       users       131072 Sep 10 10:14 OfficeJetG95-Software
     -rwxrwxrwx   1 fred       users            0 Sep 10 15:27 fred.file
     drwxrwxrwx   2 fred       users       131072 Sep 10 10:20 free
     drwxrwxrwx   2 fred       users       131072 Sep 10 10:16 progs
     $ bdf
     Filesystem          kbytes    used   avail %used Mounted on
     /dev/vg00/lvol3    1302528 1051972  234905   82% /
     /dev/vg00/lvol1     111637   49319   51154   49% /stand
     /dev/vg00/lvol8     516096   87233  402133   18% /var
     /dev/vg00/lvol7     917504  755385  152046   83% /usr
     /dev/vg00/lvol4     204800  113745   85371   57% /tmp
     /dev/vg00/lvol6     851968  649868  189694   77% /opt
     /dev/vg00/lvol5      24576    1650   21542    7% /home
     NFS access failed for server ntpdc1: RPC: Remote system error
     NFS fsstat failed for server ntpdc1: RPC: Remote system error
     bdf: /data: I/O error
     $

As we can see, fred is free to use the share because the Windows server authenticated him at login, and the CIFS client reuses those cached credentials every time he accesses the share. The RPC errors from bdf are a separate matter: bdf is not actually using the share itself, so its I/O error does not mean the share is unusable. Anyone else trying to use the share will have his own credentials checked in the same way; next, we see root trying to access the share while fred is still logged in:

 

    root@hpeos004[] cd /data
    NFS access failed for server ntpdc1: RPC: Remote system error
    sh: /data: The specified directory is not valid.
    root@hpeos004[] who
    root       pts/0        Sep 10 09:32
    root       pts/1        Sep 10 09:32
    root       pts/2        Sep 10 09:32
    fred       pts/ta       Sep 10 15:32
    root       pts/3        Sep 10 10:41
    root@hpeos004[]

As you can see, the cached credentials do not grant access to anyone who has not himself been authenticated by the Windows server; root, despite its local privileges, holds no Windows credentials and is refused.
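Test 4 shows the duplicate-account problem from the operator's side; from the monitoring side, the same auth_debug.log we configured syslog to write is enough to catch it after the fact. The following is an added example, not from the book or from HP's CIFS client: it parses the libpam_ntlm.1 debug lines in the format shown in the tests and reports any login in which the Windows server authenticated a user who also has a real password hash in /etc/passwd, which is exactly the path by which the bogus root account on NTPDC1 can open a UNIX root shell. The /etc/passwd extract and log lines are constructed: the fred and mikey entries mirror the chapter's output, while the root success and the later fred failure under su are made up to exercise both findings (the chapter describes the root case but does not print its log).

```python
"""Audit of auth_debug.log for the duplicate-account problem shown in test 4.

Added example, not code from the book or from HP's CIFS client. Correlates
libpam_ntlm.1 debug lines with /etc/passwd and reports the cases an
administrator running this configuration would want to know about.
"""
import re
from typing import List, Set, Tuple

# Constructed /etc/passwd extract (hashes as printed by the chapter's pwget output).
PASSWD = """\
root:StW2t72yybduI:0:3::/:/sbin/sh
mikey:3VYPC9Fw4Mr/.:103:20::/home/mikey:/sbin/sh
fred:*:105:20::/home/fred:/sbin/sh
"""

# Constructed auth_debug.log sample; the message texts follow libpam_ntlm.1's own wording,
# including its misspelling of "Successfully logged in".
AUTH_DEBUG_LOG = """\
Sep 10 10:12:00 hpeos004 login: ntlm pam_sm_authenticate(login, fred), flags = 0
Sep 10 10:12:02 hpeos004 login: pam_ntlm: fred Succesfully logged is as fred
Sep 10 10:12:02 hpeos004 login: ntlm authenticate passed!
Sep 10 10:17:12 hpeos004 login: ntlm pam_sm_authenticate(login, mikey), flags = 0
Sep 10 10:17:17 hpeos004 login: pam_ntlm: Incorrect NT password for username : mikey
Sep 10 10:17:17 hpeos004 login: unix pam_sm_authenticate(login mikey), flags = 0
Sep 10 16:02:10 hpeos004 login: ntlm pam_sm_authenticate(login, root), flags = 0
Sep 10 16:02:12 hpeos004 login: pam_ntlm: root Succesfully logged is as root
Sep 10 16:02:12 hpeos004 login: ntlm authenticate passed!
Sep 10 16:30:00 hpeos004 su: ntlm pam_sm_authenticate(su, fred), flags = 0
Sep 10 16:30:05 hpeos004 su: pam_ntlm: Incorrect NT password for username : fred
Sep 10 16:30:05 hpeos004 su: unix pam_sm_authenticate(su fred), flags = 0
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<svc>\w+): (?P<msg>.*)$")
NTLM_OK_RE = re.compile(r"pam_ntlm: (\w+) Succes+fully logged i\w+ as (\w+)")
UNIX_TRY_RE = re.compile(r"unix pam_sm_authenticate\(\w+ (\w+)\)")

Finding = Tuple[str, str, str, str, str]  # severity, timestamp, service, user, reason


def local_password_users(passwd_text: str) -> Set[str]:
    """Users whose /etc/passwd password field is a real hash rather than '*' or empty."""
    users = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] not in ("", "*"):
            users.add(fields[0])
    return users


def audit(passwd_text: str, log_text: str) -> List[Finding]:
    """Correlate NTLM outcomes with /etc/passwd and return the findings in log order."""
    local = local_password_users(passwd_text)
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, svc, msg = m.group("ts"), m.group("svc"), m.group("msg")

        ok = NTLM_OK_RE.search(msg)
        if ok:
            user = ok.group(2)
            if user in local:
                # A Windows-side password just unlocked an account that also has a
                # UNIX password: the duplicate-account case test 4 warns about.
                findings.append(("HIGH", ts, svc, user,
                                 "local UNIX account authenticated by the Windows server"))
            continue

        fell = UNIX_TRY_RE.search(msg)
        if fell and fell.group(1) not in local:
            # NTLM rejected a Windows-only user, so libpam_unix.1 cannot succeed
            # either; a run of these is either a typo or an NTLM problem worth a look.
            findings.append(("WARN", ts, svc, fell.group(1),
                             "Windows-only user fell through to /etc/passwd after NTLM failure"))
    return findings


if __name__ == "__main__":
    for severity, ts, svc, user, reason in audit(PASSWD, AUTH_DEBUG_LOG):
        print(f"{severity:4} {ts} {svc:6} {user:6} {reason}")
```

On a real system, feed audit() the contents of /etc/passwd and /var/adm/syslog/auth_debug.log; a HIGH finding means a user you intended to authenticate locally was let in by NTPDC1, which is the signal that a duplicate account exists on the Windows side and should be renamed or removed.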



HP-UX CSE(c) Official Study Guide and Desk Reference
Year: 2006
Pages: 434
