mod_auth_samba - Apache Authentication Module
mod_auth_samba lets Apache authenticate WWW (HTTP Basic) users against a Windows NT domain user database and look up their groups in an ndbm database.
Table of Contents
Download
- Apache 1.2.x
- Version 1.0
- Apache 1.3.x
- Version 1.1
Configuration
The following directives have been added; they can be used in a
<Directory>, <Location> or .htaccess:
- AuthSambaEnabled On|Off
- If Off, the module declines all requests. This is useful when you have
virtual hosts and do not want to use Samba authentication on some of them.
Default is On.
- AuthSambaAuthoritative On|Off
- If On, this module's answer is considered authoritative: when it rejects
a user, control is not passed on to other access control modules. Off lets
you combine this module with other access modules, for example to allow
users defined in a .htpasswd file as well as users of the Windows domain.
For that to work, this module must be included after mod_auth in your
configuration file. Default is On.
- AuthSambaDomain Domain1:NT1,NT2 Domain2:NT3,NT4,NT5
- Specifies which domains are used and which domain controllers serve each
of them. Domains are tried in the order given, and so are the controllers
within a domain: a later controller of the same domain is contacted only
when the earlier ones returned a server or protocol error when
mod_auth_samba tried to connect to them. In the example, NT5 is used only
if the user did not validate against Domain1 and both NT3 and NT4 reported
such an error.
- AuthSambaGroupDbm database
- ndbm database that maps users to the groups they belong to. The user
name is the key; the data is the list of group names (see the Technical
Notes for the spacing the data part must have).
- AuthSambaCacheTimeout seconds
- When a username/password pair is found in the cache, the module checks
whether the entry is older than the timeout. If it has expired, the cached
information is ignored and the user is validated against a domain
controller again. Default is 43200 seconds (= 12 hours). Only a matching
pair is served from the cache: every failed authentication is sent to the
Windows servers, so that account lockout policies apply and users can use
their changed passwords immediately. Note the consequence: anyone who can
reach a protected URL can lock out domain accounts by sending bad passwords.
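As an added example (not code from mod_auth_samba or pam_smb), here is a small Python model of the AuthSambaDomain failover order and the AuthSambaCacheTimeout rules described above, which are also the first four steps listed in the Technical Notes below. The domain controllers are replaced by a constructed lookup table. The names, the DcError class and the hashing of the cached pair are assumptions for the illustration: the page does not say how the module stores cached pairs, and it does not say what happens after a controller gives a definite rejection, so this model stops at the first definite answer within a domain and moves on to the next domain.

```python
import hashlib
import time


class DcError(Exception):
    """Server or protocol error reaching a domain controller (not a password rejection)."""


def parse_auth_samba_domain(value):
    """Parse 'Domain1:NT1,NT2 Domain2:NT3,NT4,NT5' into an ordered list of (domain, [dcs]).

    Order matters: domains are tried left to right, and so are the
    controllers listed for each domain.
    """
    domains = []
    for item in value.split():
        domain, sep, dcs = item.partition(":")
        if not sep or not domain or not dcs:
            raise ValueError(f"bad AuthSambaDomain entry: {item!r}")
        domains.append((domain, [dc for dc in dcs.split(",") if dc]))
    return domains


def validate_user(domains, user, password, check, trace=None):
    """Walk the controllers the way the directive describes.

    check(dc, domain, user, password) returns True (accepted), False
    (rejected) or raises DcError.  A later controller of the same domain is
    used only when the earlier ones raised DcError; a definite rejection
    moves on to the next domain (assumed behaviour, see lead-in).
    """
    for domain, dcs in domains:
        for dc in dcs:
            try:
                accepted = check(dc, domain, user, password)
            except DcError:
                if trace is not None:
                    trace.append((dc, "error"))
                continue                      # fall over to the next controller
            if trace is not None:
                trace.append((dc, "accepted" if accepted else "rejected"))
            if accepted:
                return True
            break                             # definite answer from this domain
    return False


class CredentialCache:
    """Username/password cache with the AuthSambaCacheTimeout semantics.

    Only a matching pair is a hit; a mismatch always goes to the controllers,
    so wrong passwords still reach the domain's lockout policy.  The pair is
    kept as a SHA-256 digest here (my choice; the page does not say how the
    module itself holds it).
    """

    def __init__(self, timeout=43200, clock=time.time):
        self.timeout = timeout
        self.clock = clock          # injectable so the expiry can be tested offline
        self._entries = {}

    @staticmethod
    def _digest(user, password):
        return hashlib.sha256(f"{user}\0{password}".encode()).hexdigest()

    def lookup(self, user, password):
        entry = self._entries.get(user)
        if entry is None:
            return False
        digest, stored_at = entry
        if self.clock() - stored_at >= self.timeout:
            return False                      # expired: revalidate at a controller
        return digest == self._digest(user, password)

    def store(self, user, password):
        self._entries[user] = (self._digest(user, password), self.clock())


def authenticate(cache, domains, user, password, check, trace=None):
    """Cache check, controller validation, then cache store (group check is separate)."""
    if cache.lookup(user, password):
        return True
    if not validate_user(domains, user, password, check, trace):
        return False
    cache.store(user, password)
    return True


def fake_check(table):
    """Constructed stand-in for pam_smb's Valid_User(): table maps dc -> "error" or {user: password}."""
    def check(dc, domain, user, password):
        behaviour = table[dc]
        if behaviour == "error":
            raise DcError(dc)
        return behaviour.get(user) == password
    return check


if __name__ == "__main__":
    # Constructed scenario: dc1 is down, dc2 knows only bob, dc3 knows alice.
    check = fake_check({"dc1": "error", "dc2": {"bob": "pw"}, "dc3": {"alice": "s3cret"}})
    domains = parse_auth_samba_domain("DOMAIN:dc1,dc2 DOMAIN1:dc3")
    cache = CredentialCache()
    trace = []
    print(authenticate(cache, domains, "alice", "s3cret", check, trace), trace)
```

The trace shows the order in which controllers are contacted; a second call with the same correct pair contacts none of them until the timeout passes, while a wrong password contacts them every time.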
Example
Here is an example .htaccess file that uses mod_auth_samba. It combines a
local user file with the Windows domain (AuthAuthoritative Off lets
mod_auth pass users it does not know on to mod_auth_samba), and the groups
named in the require lines are looked up in the ndbm database.
AuthAuthoritative Off
AuthSambaAuthoritative On
AuthType Basic
AuthName Company_Intranet
AuthUserFile /usr/local/www/auth/users
AuthGroupFile /usr/local/www/auth/groups
AuthSambaDomain DOMAIN:dc DOMAIN1:dc1
AuthSambaGroupDbm /usr/local/www/auth/group
# Only GET (which also covers HEAD) and POST are restricted by this block;
# any other method is not subject to the require lines below.
<Limit GET POST>
require group 6333 6335 6212 6215 2011 2012 2013 2030 2100 2200
require group 6892 6893 6894 6896 6898 1592 9050 9900
</Limit>
Note that <Limit GET POST> applies the require lines to GET and POST only.
Unless you really want other methods to pass unauthenticated, drop the
<Limit> wrapper so that the require lines apply to every method.
Technical Notes
mod_auth_samba is built on top of mod_auth_sys and pam_smb: mod_auth_sys
provided the framework for the module, and pam_smb the routines needed for
accessing the Windows NT user database.
Authentication takes the following steps:
- The local cache is checked for the username/password pair.
- If it is not found, has expired or does not match the input, the module
tries to validate the pair on the NT domain controllers (Valid_User() from
pam_smb).
- If the pair did not validate, the module stops here. Otherwise it
continues.
- The username/password pair is stored in the cache.
- Group check.
Note that the group check assumes that in the data part of the ndbm record
each group name has one space before it and one after it.
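An added example (not part of mod_auth_samba) of building the AuthSambaGroupDbm database in the format described above and of the membership check that format makes possible. It uses Python's dbm module with a constructed membership table written to a temporary directory. It assumes that the module matches a group name together with its surrounding spaces; the page states only the spacing requirement, but that check is what the padding enables, and it keeps numeric groups such as 12 and 6212 (the kind used in the example .htaccess) from matching each other as substrings.

```python
import dbm
import os
import tempfile


def build_group_record(groups):
    """Data part of one ndbm record: one space before and one after each group name."""
    names = [g.strip() for g in groups if g.strip()]
    for name in names:
        if " " in name:
            raise ValueError(f"group names cannot contain spaces: {name!r}")
    return " " + " ".join(names) + " " if names else ""


def is_member(record, group):
    """Assumed module check: the group name must appear with a space on both sides."""
    return f" {group} " in record


def write_group_db(path, memberships):
    """Create the AuthSambaGroupDbm database; the user name is the key."""
    with dbm.open(path, "n") as db:            # "n": always start a new, empty database
        for user, groups in memberships.items():
            db[user] = build_group_record(groups)


def user_groups(path, user):
    """Return the stored record for a user, or None if the user is unknown."""
    with dbm.open(path, "r") as db:
        data = db.get(user)
    return data.decode() if data is not None else None


def require_group(path, user, required):
    """Apache 'require group a b c' semantics: membership in any listed group grants access."""
    record = user_groups(path, user)
    if record is None:
        return False
    return any(is_member(record, g) for g in required)


def build_sample_db(directory=None):
    """Constructed sample membership: hypothetical users, numeric groups as in this page's example."""
    directory = directory or tempfile.mkdtemp(prefix="mod_auth_samba_")
    path = os.path.join(directory, "group")
    write_group_db(path, {
        "alice": ["6212", "2011"],
        "bob": ["12"],
    })
    return path


if __name__ == "__main__":
    path = build_sample_db()
    print(repr(user_groups(path, "alice")))        # ' 6212 2011 '
    print(require_group(path, "alice", ["12"]))     # False: 12 is only a substring of 6212
    print("12" in user_groups(path, "alice"))       # True: a plain substring test would admit alice
```

The last two lines show why the padding matters: with a plain substring test, a user in group 6212 would also satisfy require group 12.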
Tested on
The module has been tested on the following setups:
- Debian 2.2 (frozen) running Apache 1.3.12 with pam_smb 1.1.5
- RedHat Linux 5.x,6.1
- Solaris 2.6 & 7 (Ultra 2 & Ultra 450) running Apache 1.2.6 with pam_smb 1.0
- Before version 0.9
- Sparc (Ultra 2) running Solaris 2.5.1, Apache 1.2.0 with smblib 0.50
(with a minor bug fix in smblib).
- Sparc (Ultra 2 & Ultra 450) running Solaris 2.6, Apache 1.2.4-6 with
smblib 0.50 (with a minor bug fix in smblib).
- Sparc clone running SunOS 4.3.1, Apache 1.2.4 with smblib 0.50
(with bugfix).
- With some hacking on AIX, FreeBSD and Red Hat Linux.
Installation (for Apache 1.2.x)
To enable this module, install the pam_smb library, unpack
mod_auth_samba, copy mod_auth_samba.h and mod_auth_samba.c
into the src subdirectory and add the following lines to your
Configuration file:
EXTRA_LIBS=/lib/security/pam_smb_auth.so -lpam
Module samba_auth_module mod_auth_samba.o
Rebuild the configuration with Configure and run make.
Installation (for Apache 1.3.x)
Installation on Apache 1.3.3 is a little different and a whole lot simpler.
If you are working on a Linux platform, see the Linux-specific installation help in the followup to bug 103256. For other platforms, the instructions are as follows:
cp some/where/out/there/mod_auth_samba.* src/modules/extra/
setenv LIBS "/lib/security/pam_smb_auth.so -lpam"
./configure --add-module=src/modules/extra/mod_auth_samba.c
Problems, etc.
- Group management. Our solution to this problem was to build an
external process that collected and grouped usernames from an electronic
phonebook and placed the information into an ndbm database. It is not ideal
for environments where you have well-designed Windows NT groups, but
that is the way it has been done.
TODO
- Switch from ndbm to Berkeley DB, to make life on Linux easier and to guarantee that it can still be supported in the future.
- Make mod_auth_samba one of those nifty modules that can be loaded dynamically (instead of the current requirement of static linking).
References
Software Components
- mod_auth_samba (mandatory)
- pam_smb is required by mod_auth_samba
- mod_ssl can be used to provide extra security
- Fortify is needed if you wish to get real security for Netscape browsers
Papers
- Ylitalo J., Case Study about User Authentication and Management in
WWW, In Proc 1st International System Administration and
Networking Conference (SANE'98) Nov 18th-20th,
1998, Maastricht, The Netherlands (see proceedings & slides)
Disclaimers
This module has some rather significant security considerations.
Since the users' Windows domain passwords are used, a password captured in
transit over the Internet can be used to break into your Windows domain,
not only into the web server. Remember that with Basic authentication the
browser sends the password (merely base64-encoded, i.e. effectively in
clear text) with every request for a protected page, unless you use SSL
as an additional layer of security.
This module is derived from work done by the Apache Group and is
subject to the same terms and conditions as the Apache server.