				pam_smb v1.3.8(alpha)
				---------------------
What is pam_smb?
=--------------=

pam_smb is a PAM module/server which allows authentication of UNIX users using an NT server. This version is an alpha test version; use at your *own* risk.


What's New in this version -- 1.3(beta)?
=---------------------------------------=

*** This is an ALPHA/BETA release - it is more than likely broken ***

This alpha release has more complete caching code (using Berkeley DB 1.85) and has the
cache management system working. Username mapping also seems to work fine. The next versions
will have smb and ntdom support combined and some interworking with the samba maps.
This release fixes the caching cleanup code, and also fixes a few other bugs and memory leaks.

How do I get pam_smb?
=-------------------=

pam_smb is available from any samba FTP mirror (http://samba.org/samba)
or from the anonymous CVS tree (http://cvs.samba.org/cvs.html)

It is also available from the author's primary site (in Ireland):

ftp://ftp.csn.ul.ie/pub/linux/pam/pam_smb/
or
http://www.csn.ul.ie/~airlied/pam_smb/

How do I install it?
=------------------=

1) Untar the distribution and cd into the pam_smb directory.

2) Run configure:
	./configure
If you want to place pamsmbd somewhere other than /usr/local/sbin:
	./configure --sbindir=/usr/sbin
If you want to disable encrypted passwords you can run:
	./configure --disable-encrypt-pass
If you want to disable the daemon support you can use:
	./configure --disable-use-daemon
(this option produces the old-style module that only reads the simple
config file and provides no extra features).

3) Run make (must be GNU make):
	make
	make install
This will install
	pam_smb_auth.so in /lib/security
and
	pamsmbd, usually in /usr/local/sbin/pamsmbd

How do I Configure it?
=--------------------=

The pam_smb module has four configuration steps:
	a) pam.conf and /etc/pam.d configuration + command line parameters.
	b) pam_smb configuration file.
	c) ntmap.db username mapping database
	d) starting pamsmbd at boot time.

a) pam.conf, /etc/pam.d and command line options
	The first thing that needs to be done is to insert the PAM module
into the PAM system configuration files so that it is used for the services
the administrator wishes. This procedure is slightly different under Linux and Solaris.

For Linux: the PAM config files are stored in /etc/pam.d (one for each service).
My /etc/pam.d/login file is included here:

#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_smb_auth.so
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
session    required     /lib/security/pam_pwdb.so

Note that the pam_pwdb auth line is removed or commented out.

For Solaris:
        You need to change the /etc/pam.conf other line to

other   auth required   /usr/lib/security/pam_smb_auth.so.1

Pam_smb has some command line parameters that can be passed within the PAM configuration files:
(Most installations can skip this step as the module will work grand without any command line arguments.)

	1. debug - This switches on syslog debugging of the module.
	2. use_first_pass - This is a standard PAM Module command line option.
	*********** N.B. Danger lurks here somewhere *****************
	3. nolocal - This allows authentication of a username/password
			pair which are not in the local password file.
		 Do not switch this on unless you know what you are at.
	**************************************************************
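
A check for the PAM setup described above, as an added example that is not part of pam_smb or of the original README: it reads a PAM file in either the /etc/pam.d or the /etc/pam.conf layout and reports pam_smb_auth lines that carry nolocal or debug, options the README does not document, and a pam_pwdb auth line left active. The function name audit_pam and the sample file are constructed for illustration.

```python
# Constructed sample: the README's login file with options and a pam_pwdb auth line added.
SAMPLE_LOGIN = """\
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_smb_auth.so debug nolocal
auth       required     /lib/security/pam_pwdb.so shadow nullok
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_pwdb.so
"""

# Options this README documents for pam_smb_auth.so.
KNOWN_OPTS = {"debug", "use_first_pass", "nolocal"}

def audit_pam(text, pam_conf=False):
    """Return findings for one PAM file. pam_conf=True selects the
    /etc/pam.conf layout (service name in the first column)."""
    findings, has_smb, pwdb_auth = [], False, False
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()      # drop comments
        if pam_conf:
            fields = fields[1:]                    # drop the service column
        if len(fields) < 3 or fields[0] != "auth":
            continue
        control, module, opts = fields[1], fields[2], fields[3:]
        name = module.rsplit("/", 1)[-1]
        if name.startswith("pam_pwdb.so"):
            pwdb_auth = True
        if not name.startswith("pam_smb_auth.so"):
            continue
        has_smb = True
        if control != "required":
            findings.append(f"line {n}: control '{control}' differs from the README's 'required'")
        for opt in opts:
            if opt == "nolocal":
                findings.append(f"line {n}: nolocal accepts users missing from the local password file")
            elif opt == "debug":
                findings.append(f"line {n}: debug enables syslog debugging")
            elif opt not in KNOWN_OPTS:
                findings.append(f"line {n}: option '{opt}' is not documented in the README")
    if has_smb and pwdb_auth:
        findings.append("pam_pwdb auth line is still active next to pam_smb_auth")
    return findings

if __name__ == "__main__":
    for finding in audit_pam(SAMPLE_LOGIN):
        print(finding)
```

For the Solaris layout, pass the contents of /etc/pam.conf with pam_conf=True.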

b) pam_smb.conf configuration file

The configuration file is stored in /etc/pam_smb.conf and consists of a single line
containing a comma-separated list of the form domain,server1,server2.

NB: there are no spaces in this file.
e.g.
Here is my local copy, where I have servers INTEL41 and INTEL42 and the domain is UNDERGRADUATE:
UNDERGRADUATE,INTEL41,INTEL42
----- end ------
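
A validator for the file format just described, as an added example that is not part of pam_smb: it accepts only a single line of the form domain,server1,server2 with no spaces and names the rule a bad file breaks. It assumes exactly three fields and tolerates one trailing newline; the function names and sample inputs are constructed for illustration.

```python
def parse_pam_smb_conf(text):
    """Parse /etc/pam_smb.conf contents: one line, domain,server1,server2,
    no spaces. Raises ValueError naming the first rule that is broken."""
    # Assumption: a single trailing newline is tolerated.
    body = text[:-1] if text.endswith("\n") else text
    if "\n" in body or "\r" in body:
        raise ValueError("file must consist of a single line")
    if any(ch.isspace() for ch in body):
        raise ValueError("file must not contain spaces")
    fields = body.split(",")
    # Assumption: exactly three fields, as in the README's description.
    if len(fields) != 3 or not all(fields):
        raise ValueError("expected domain,server1,server2")
    return {"domain": fields[0], "servers": fields[1:]}

def conf_problem(text):
    """Return None for a well-formed file, else the reason it is rejected."""
    try:
        parse_pam_smb_conf(text)
    except ValueError as exc:
        return str(exc)
    return None

# Constructed inputs: the README's own line followed by three common slips.
SAMPLES = [
    "UNDERGRADUATE,INTEL41,INTEL42\n",
    "UNDERGRADUATE, INTEL41,INTEL42\n",     # space after a comma
    "UNDERGRADUATE,INTEL41\n",              # second server missing
    "UNDERGRADUATE,INTEL41,INTEL42\n\n",    # extra blank line
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", conf_problem(sample) or "ok")
```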

c) ntmap.db username mapping database.

First of all, this configuration file is only required if username mapping or multiple domain support is required. ntmap.db is a Berkeley DB-style hashed database. It uses libdb, and makemap is used to generate it. Full configuration information for this is in the file ntmap.example, which is an example database.
The program ntmap.sh can be used to convert the current ntmap.example file into /etc/ntmap.db; this filename is hard-coded at the moment.

d) Starting pamsmbd at boot-time.
 
pamsmbd needs to be started at boot time. How to do this depends on your distribution; it shouldn't be that hard for you to figure out.

Where did pam_smb come from?
=--------------------------=

The module is a hacked together version of smblib-0.50, smb-NT-verify, the
pam_unix_auth module, and changes made by myself to allow Domain logons and
other stuff.

The original authors of many of the parts were:

Andrew Morgan <morgan@parc.power.net> -- the Linux PAM project person, and 
writer of the pam_unix_auth.c module.

Richard Sharpe <sharpe@nmesis.enet.dec.com> -- the author of smblib which I
have used a lot of directly.

Christopher Burke <c.burke@mindware.com.au> -- the author of smb-NT-valid
from which I took the validation routine.

The encryption routine is taken straight from samba and is copyright
Andrew Tridgell (author of samba).

The username mapping code was written by Andrew Speer (aspeer@isolutions.com.au)
for the original module-only pam_smb, and I have tried to re-use it for the
client-server.

The caching idea came from David Jordan (david.jordan@webbins.co.uk); he
wrote code to make this work under the original pam_smb, and I have taken his
ideas on board.

Thanks to mirko.dziadzka@systor.com for finding the guest problem,
I had no proper testing abilities here....

Are there any known bugs in pam_smb?
=----------------------------------=

In all versions up to 1.1 there is a bug with login: when pam_smb is
used, login can under some circumstances segfault.

This bug is now a bug in login.c; a patch to login.c from util-linux
is available on the primary site for pam_smb.

Old What's new 0.7, 0.8, 0.9, 1.0
=--------------------------------=
1.0--
pam_smb v1.0 now has GNU autoconf capabilities ...
This makes configuring to run on Linux or Solaris easy.

0.9--
PAM_SMB now has syslog debugging support and supports some PAM command
line options, fixed RH5.0 imap/pop support.

There is also a command line option to disable local password file checking.
This means no local passwd file or shadow checking is done, so
a username not in the password file can be checked. This feature is for
people who supply UIDs and other information from another module,
e.g. Radius or something similar. I advise leaving it off as it stops root
from logging in if switched off.

0.8--
Pam_smb now has Solaris 2.6 PAM support. It can be compiled using either the 
SunPro cc compiler or gcc-2.7.2.3 for Solaris 2.6. 

pam_smb now has support for encrypted passwords turned on. It will now use
encrypted LANMAN/NT passwords ala the encrypt password option on samba. This 
allows a SAMBA server using encrypted passwords to authenticate users now, so
you can now authenticate from the smbpasswd file by setting up samba with 
encrypted passwords switched on, and pointing the pam_smb.conf at the
localhost server. 

0.7--
Encryption can be disabled by editing the Makefile.


Contact Information
=-----------------=
This software is released under the GPL as found in the COPYING file
enclosed.

Any Questions to the author at airlied@samba.org or airlied@linux.ie
	
Dave Airlie 30/07/99
http://www.linux.ie/~airlied
