mod_auth_samba - Apache Authentication Module
mod_auth_sanba allows you use Windows user database for user password
authentication and ndbm database for groups in WWW authentication.
Table of Content
- Apache 1.2.x
- Version 1.0
- Apache 1.3.x
- Version 1.1
The following directives have been added which you can put in a
<Directory>, <Location> or .htaccess:
- AuthSambaEnabled On|Off
- If Off, Samba will decline all requests. This can be useful in
case you have virtual hosts in use and don't want to use Samba on some
of them. Default is On.
- AuthSambaAuthoritative On|Off
- If On, the system files are considered authorative, control will not
be passed to other access control modules. Off allows you to use this
with other access modules, to allow access for users defined
in a .htpasswd file as well as other users on the system.
To enable this functionality, this module should be included after
mod_auth in your configuration file. Default is On.
- AuthSambaDomain Domain1:NT1,NT2 Domain2:NT3
- Specifies, which domains are to be used and what are their domain
controllers. NT5 is only used if user didn't validate against
Domain1 and NT3 and NT4 reported server or
protocol error, when mod_auth_samba tried to connect to them.
- AuthSambaGroupDbm database
- Database, which has information about users and groups, where they
belong. User is the key and group names form the data.
- AuthSambaCacheTimeout seconds
- If username password pair is found from cache buffer, we check if
it has already past timeout period or in it. If timeout has happened,
we ignore cached information and try validation to domain controller.
Default is 43200 seconds (= 12 hours). All failed authentications are
tested against Windows servers so that proper accounts get locked and
users can use their changed passwords.
Here is example from .htaccess file that uses mod_auth_samba.
AuthSambaDomain DOMAIN:dc DOMAIN1:dc1
<Limit GET POST>
require group 6333 6335 6212 6215 2011 2012 2013 2030 2100 2200
require group 6892 6893 6894 6896 6898 1592 9050 9900
mod_auth_samba is built on top of mod_auth_sys and
pam_smb. mod_auth_sys provided the frame for module, while pam_smb
provided necessary routines for accessing Windows NT user
Authentication operation takes following steps:
- Local cache is checked for username-password pair
- If none is found, it has expired or it doesn't match with input,
we try to validate on NT domain controllers (
- If username-password pair didn't check up, module stops in
here. Otherwise it continues.
- Store username-password pair into cache.
- Group check
It should be noted that in group check, its assumed that on data part,
you have one empty space before and one after each group.
System has been tested on following setups:
- Debian 2.2 (frozen) running Apache 1.3.12 with pam_smb 1.1.5
- RedHat Linux 5.x,6.1
- Solaris 2.6 & 7 (Ultra 2 & Ultra 450) running Apache 1.2.6 with pam_smb 1.0
- Before version 0.9
- Sparc (Ultra 2) running Solaris 2.5.1, Apache 1.2.0 with smblib
0.50 (with minor bug fix in smblib).
- Sparc (Ultra 2 & Ultra 450) running Solaris 2.6, Apache 1.2.4-6 with smblib
(with minor bug fix in smblib).
- Sparc clone running SunOS 4.3.1, Apache 1.2.4 with smblib 0.50
- With some hacking on AIX, FreeBSD and Redhat (Linux).
Installation (for Apache 1.2.x)
To enable this module, install pam_smb library, unpack
mod_auth_samba, copy mod_auth_samba.h and mod_auth_samba.c
into src subdirectory, add following lines into your Configuration
Module samba_auth_module mod_auth_samba.o
Rebuild the configuration using Configure and run the make.
Installation (for Apache 1.3.x)
Installation on Apache 1.3.3 is little bit different and whole lot simpler.
If you are working on Linux platform, see Linux specific installation help from followup section in bug 103256. For other platforms, instructins are following:
cp some/where/out/there/mod_auth_samba.* src/modules/extra/
setenv LIBS "/lib/security/pam_smb_auth.so -lpam"
- Group management. Our solution to this problem was to build
external process that collected and grouped usernames from electronic
phonebook and placed the information into ndbm database. Its not ideal
for environments were you have well designed Windows NT groups, but
thats the way its been done.
- Switch from ndbm to Berkeley db, to make life with Linux easier and guarantee that we can also support it in future.
- Make mod_auth_samba to be one of those nifty modules, which you can be dynamically loaded (instead of current requiremnt about static linking)
- mod_auth_samba (mandatory)
pam_smb is required by mod_auth_samba
- mod_ssl can
be used to provide extra security
- Fortify is needed, if you
wish to get real security for Netscape browsers
- Ylitalo J., Case Study about User Authentication and Management in
WWW, In Proc 1st International System Administration and
Networking Conference (SANE'98) Nov 18th-20th,
1998, Maastricht, The Netherlands (see proceedings & slides)
This module has some rather significant security considerations.
Since the system password file is used, passwords captured during
transit over the internet can be used to break into your system.
Remember, passwords are transferred in clear text for every secure
page that's accessed unless you use SSL as additional layer of
This module is derived from work done by the Apache Group and is
subject to the same terms and conditions as the Apache server.