xref: /illumos-gate/usr/src/man/man7/pam_smbfs_login.7 (revision 08855964b9970604433f7b19dcd71cf5af5e5f14) 
 te
 Copyright (c) 2008, Sun Microsystems, Inc. All Rights Reserved.
 The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
 You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
 When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
 PAM_SMBFS_LOGIN 7 "August 19, 2023"
 NAME
pam_smbfs_login - PAM user credential authentication module for SMB/CIFS
client login

 SYNOPSIS
pam_smb_cred.so.1




 DESCRIPTION
The pam_smbfs_login module implements pam_sm_setcred(3PAM) to
provide functions that act equivalently to the smbutil(1) login command.


This optional functionality is meant to be used only in environments that do
not run Active Directory or Kerberos, but which synchronize passwords between
clients and their CIFS/SMB servers.


This module permits the login password to be stored as if the smbutil(1)
login command was used to store a password for PAM_USER in the user or system
default domain. The choice of default domain is the first of the following:


-Domain entry specified in the default section of the $HOME/.nsmbrc
file, if readable.


-Domain entry specified in the default section shown by the sharectl get smbfs
command.


-String WORKGROUP.


Because pam_smbfs_login runs as root during the login process, a
$HOME/.nsmbrc file accessed through NFS may only be readable if the file
permits reads by others. This conflicts with the requirement that passwords
stored in $HOME/.nsmbrc are ignored when permissions are open.


To use this functionality, add the following line to the /etc/pam.conf
file:

login auth optional pam_smbfs_login.so.1





Authentication service modules must implement both
pam_sm_authenticate(3PAM) and pam_sm_setcred(3PAM). In this module,
pam_sm_authenticate(3PAM) always returns PAM_IGNORE.


The pam_sm_setcred(3PAM) function accepts the following flags:
PAM_REFRESH_CRED


Returns PAM_IGNORE.



PAM_SILENT


Suppresses messages.



PAM_ESTABLISH_CRED


PAM_REINITIALIZE_CRED


Stores the authentication token for PAM_USER in the same manner as the
smbutil(1) login command.



PAM_DELETE_CRED


Deletes the stored password for PAM_USER in the same manner as the
smbutil(1) logout command.





The following options can be passed to the pam_smbfs_login module:
debug


Produces syslog(3C) debugging information at the LOG_AUTH or LOG_DEBUG
level.



nowarn


Suppresses warning messages.




 FILES
$HOME/.nsmbrc


Find default domain, if present.




 ERRORS
Upon successful completion of pam_sm_setcred(3PAM), PAM_SUCCESS is
returned. The following error codes are returned upon error:
PAM_USER_UNKNOWN


User is unknown.



PAM_AUTHTOK_ERR


Password is bad.



PAM_AUTH_ERR


Domain is bad.



PAM_SYSTEM_ERR


System error.




 ATTRIBUTES
See attributes(7) for descriptions of the following attribute:






ATTRIBUTE TYPE ATTRIBUTE VALUE
Interface Stability Committed
MT Level MT-Safe with exceptions



 SEE ALSO
 smbutil (1),  syslog (3C),  libpam (3LIB),  pam (3PAM),  pam_setcred (3PAM),  pam_sm (3PAM),  pam_sm_authenticate (3PAM),  pam_sm_setcred (3PAM),  smbfs (4FS),  pam.conf (5),  attributes (7) 
 NOTES
The interfaces in libpam(3LIB) are MT-Safe only if each thread within the
multi-threaded application uses its own PAM handle.