A number of UNIX systems (e.g., Sun Solaris), as well as the xxxxBSD family and Linux, now use the Pluggable Authentication Modules (PAM) facility to provide all authentication, authorization and resource control services. Before PAM was introduced, a decision to use an alternative to the system password database (/etc/passwd) required providing replacements for every program that delivers a security service, such as login, passwd, chown, and so on.
PAM provides a mechanism that decouples these security programs from the underlying authentication/authorization infrastructure. PAM is configured either by editing the single file /etc/pam.conf (Solaris) or by editing the per-service control files located in /etc/pam.d.
On PAM-enabled UNIX/Linux systems, it is an easy matter to configure the system to use any authentication backend so long as the appropriate dynamically loadable library modules are available for it. The backend may be local to the system, or may be centralized on a remote server.
PAM support modules are available for:
/etc/passwd: Several PAM modules interact with this standard UNIX user database. The most common are pam_unix.so, pam_unix2.so, pam_pwdb.so and pam_userdb.so.
Kerberos: The pam_krb5.so module allows the use of any Kerberos-compliant server. It is used to access MIT Kerberos, Heimdal Kerberos, and potentially Microsoft Active Directory (if enabled).
LDAP: The pam_ldap.so module allows the use of any LDAP v2 or v3 compatible backend server. Commonly used LDAP backend servers include OpenLDAP v2.0 and v2.1, Sun ONE iDentity server, Novell eDirectory server, and Microsoft Active Directory.
NetWare Bindery: The pam_ncp_auth.so module allows authentication against any bindery-enabled NetWare Core Protocol-based server.
SMB Password: This module, called pam_smbpass.so, allows user authentication against the passdb backend that is configured in the Samba smb.conf file.
SMB Server: The pam_smb_auth.so module is the original MS Windows networking authentication tool. It has been largely superseded by the Winbind module.
Winbind: The pam_winbind.so module allows Samba to obtain authentication from any MS Windows Domain Controller. It can just as easily be used to authenticate users for access to any PAM-enabled application.
RADIUS: There is a PAM RADIUS (Remote Access Dial-In User Service) authentication module. In most cases, administrators will need to locate the source code for this tool and compile and install it themselves. RADIUS protocols are used by many routers and terminal servers.
Of the above, Samba itself provides only the pam_smbpass.so and pam_winbind.so modules.
Once configured, these permit a remarkable level of flexibility in the location and use of distributed Samba Domain Controllers, which can provide bandwidth-efficient authentication services over a wide area network for PAM-capable systems. In effect, this allows the deployment of centrally managed and maintained distributed authentication from a single user-account database.
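To make concrete how a pam_winbind.so stack can fall back to the local /etc/passwd database via pam_unix.so, the following added example (not code from the Samba HOWTO) parses a constructed /etc/pam.d-style fragment and evaluates it under a simplified model of the Linux-PAM control flags. The fragment, the PAM_D_LOGIN name and the evaluate() function are this example's own assumptions; the module names come from the text above.

```python
"""Parse an /etc/pam.d/<service>-style stack and evaluate one facility
(auth, account, ...) against per-module outcomes.  The control-flag
semantics are a simplified model of Linux-PAM: required, requisite,
sufficient; optional is ignored in this model."""

from typing import Dict, List, Tuple

# Constructed /etc/pam.d/login-style fragment (hypothetical, for this example):
# try the Windows Domain Controller first, then the local /etc/passwd database.
PAM_D_LOGIN = """
# type     control      module           arguments
auth       sufficient   pam_winbind.so
auth       required     pam_unix.so      use_first_pass
account    sufficient   pam_winbind.so
account    required     pam_unix.so
"""

Entry = Tuple[str, str, str, List[str]]  # (type, control, module, args)


def parse_pam_d(text: str) -> List[Entry]:
    """Split 'type control module [args...]' lines; blanks and # comments are skipped."""
    stack: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed pam.d line: {raw!r}")
        stack.append((fields[0], fields[1].lower(), fields[2], fields[3:]))
    return stack


def evaluate(stack: List[Entry], facility: str, results: Dict[str, bool]) -> bool:
    """Walk the modules of one facility; results maps module name -> success.
    Returns the overall outcome of the stack (True = access granted)."""
    failed = False   # a 'required' module has already failed
    seen = 0         # modules consulted for this facility
    for mtype, control, module, _args in stack:
        if mtype != facility:
            continue
        seen += 1
        ok = results.get(module, False)          # unknown module counts as a failure
        if control == "requisite" and not ok:
            return False                         # stop immediately
        if control == "required" and not ok:
            failed = True                        # keep walking, but the stack fails
        elif control == "sufficient" and ok and not failed:
            return True                          # e.g. the DC accepted the user
    return seen > 0 and not failed               # an empty facility never grants access
```

Running evaluate() for "auth" with pam_winbind.so succeeding returns True without consulting pam_unix.so; with the DC refusing or unreachable, the stack still grants access only if the required pam_unix.so check passes.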