mod_auth_samba - Apache Authentication Module

mod_auth_sanba allows you use Windows user database for user password authentication and ndbm database for groups in WWW authentication.

Table of Content

Configuration
Technical Notes
Tested On...
Installation
Problems
References
Changes between versions
Disclaimers

Configuration

The following directives have been added which you can put in a <Directory>, <Location> or .htaccess:

AuthSambaEnabled On|Off: If Off, Samba will decline all requests. This can be useful in case you have virtual hosts in use and don't want to use Samba on some of them. Default is On.
AuthSambaAuthoritative On|Off: If On, the system files are considered authorative, control will not be passed to other access control modules. Off allows you to use this with other access modules, to allow access for users defined in a .htpasswd file as well as other users on the system. To enable this functionality, this module should be included after mod_auth in your configuration file. Default is On.
AuthSambaDomain Domain1:NT1,NT2 Domain2:NT3,NT4,NT5: Specifies, which domains are to be used and what are their domain controllers. NT5 is only used if user didn't validate against Domain1 and NT3 and NT4 reported server or protocol error, when mod_auth_samba tried to connect to them.
AuthSambaGroupDbm database: Database, which has information about users and groups, where they belong. User is the key and group names form the data.
AuthSambaCacheTimeout: If username password pair is found from cache buffer, we check if it has already past timeout period or in it. If timeout has happened, we ignore cached information and try validation to domain controller. Default is 43200 seconds (= 12 hours). All failed authentications are tested against Windows servers so that proper accounts get locked and users can use their changed passwords.

Example

Here is example from .htaccess file that uses mod_auth_samba.

AuthAuthoritative Off
AuthSambaAuthoritative On
AuthType Basic
AuthName Company_Intranet
AuthUserFile /usr/local/www/auth/users
AuthGroupFile /usr/local/www/auth/groups
AuthSambaDomain NTC:ntcite07es NTC_CO:ntccsc01co
AuthSambaGroupDbm /usr/local/www/auth/group
<Limit GET POST>
require group 6333 6335 6212 6215 2011 2012 2013 2030 2100 2200 
require group 2410 2689 6265 6300 6310 6320 6360 6476 6890 6891 
require group 6892 6893 6894 6896 6898 1592 9050 9900
</Limit>

Technical Notes

mod_auth_samba is built on top of mod_auth_sys and pam_smb. mod_auth_sys provided the frame for module, while pam_smb provided necessary routines for accessing Windows NT user database.

Authentication operation takes following steps:

Local cache is checked for username-password pair
If none is found, it has expired or it doesn't match with input, we try to validate on NT domain controllers (Valid_User() from pam_smb)
If username-password pair didn't check up, module stops in here. Otherwise it continues.
Store username-password pair into cache.
Group check

It should be noted that in group check, its assumed that on data part, you have one empty space before and one after each group.

Tested on

System has been tested on following setups:

HP-UX (10.20 or 11.00)
RedHat Linux 5.x
Solaris 2.6 (Ultra 2 & Ultra 450) running Apache 1.2.6 with pam_smb 1.0
Before version 0.9
- Sparc (Ultra 2) running Solaris 2.5.1, Apache 1.2.0 with smblib 0.50 (with minor bug fix in smblib).
- Sparc (Ultra 2 & Ultra 450) running Solaris 2.6, Apache 1.2.4-6 with smblib 0.50 (with minor bug fix in smblib).
- Sparc clone running SunOS 4.3.1, Apache 1.2.4 with smblib 0.50 (with bugfix)
- With some hacking on AIX, FreeBSD and Redhat (Linux).

Installation (for Apache 1.2.x)

To enable this module, install pam_smb library, unpack mod_auth_samba, copy mod_auth_samba.h and mod_auth_samba.c into src subdirectory, add following lines into your Configuration file:

EXTRA_LIBS=/lib/security/pam_smb_auth.so -lpam
Module samba_auth_module     mod_auth_samba.o

Rebuild the configuration using Configure and run the make.

Installation (for Apache 1.3.x)

Installation on Apache 1.3.3 is little bit different and whole lot simpler.

cp some/where/out/there/mod_auth_samba.* src/modules/extra/
setenv LIBS "/usr/lib/security/pam_smb_auth.so -lpam"
./configure --add-module=src/modules/extra/mod_auth_samba.c

Problems, etc.

Group management. Our solution to this problem was to build external process that collected and grouped usernames from electronic phonebook and placed the information into ndbm database. Its not ideal for environments were you have well designed Windows NT groups, but thats the way its been done.
So far we haven't heard reports about any successful ports to other than Sun based systems. If you know existing HP or Linux port from smblib and mod_auth_samba, mail me.

References

Software Components

mod_auth_samba (mandatory)
pam_smb is required by mod_auth_samba
mod_ssl can be used to provide extra security
Fortify is needed, if you wish to get real security for Netscape browsers

Papers

Ylitalo J., Case Study about User Authentication and Management in WWW, In Proc 1st International System Administration and Networking Conference (SANE'98) Nov 18th-20th, 1998, Maastricht, The Netherlands (see proceedings & slides)

Changes

Between 1.1 and 1.0

Bad news is that I haven't created Apache 1.2.x version from this module.
Good news are that this version has been tested on Apache 1.3.3 and results are very promising.
I also fixed the annoying "500 server exception", which used to appear if user did successful SMB authentication, but didn't belong to correct groups.

Between 1.0 and 0.9

Module has existed over a year, there have been successful installation to varitety of OSes, etc. so I guess we should finally call it 1.0
0.9 had serious security bug in away that it handled pam_smb return values. Thanks to Scott D. Mackay from fixing it.

Between 0.9 and 0.6

smblib was replaced with pam_smb to get the encryption, better crossplatform, and future support are so big benefit that it alone justifies the change.
- Since pam_smb requires domain name, AuthSambaDomainController was replaced with AuthSambaDomain. This causes some additional work for webmaster, but couldn't be avoided. Sorry folks.
Rebuild the makefile to be bit little more sensible.
This page was updated to notice that it now exists in Apache Module Registery.
Version number skipped few steps in hope that this would work in multiple platforms (well, if Windows & Solaris is enough for Javasoft, I guess I can happily settle for Linux & Solaris :)

Between 0.6 and 0.5

Bug fix to "require user" management.
Bug fix to ndbm's key management.

Between 0.5 and 0.3

There was serious flaw in away how "require" parts were handled. In previous versions, you were unable to use combination of "require group" and "require user". This has been fixed.

Between 0.3 and 0.2

Samba directive naming was synchronized to start with AuthSamba
Memory based password caching was dumped, because each Apache client process has very limited lifespan (default is 30 requests).
ndbm based password caching was created. Passwords are crypt()ed to offer some protection to them. Cache is stored in /tmp/.mod_auth_samba and each password expires in 60 minutes after which its once again authenticated against AuthSambaDomainServer.

Between 0.2 and 0.1

Caching functionality was added.
AuthSambaEnable option was added.
Some of the other ocnfiguration directives were renamed to avoid overlap with ModAuthSys

Disclaimers

This module has some rather significant security considerations. Since the system password file is used, passwords captured during transit over the internet can be used to break into your system. Remember, passwords are transferred in clear text for every secure page that's accessed unless you use SSL as additional layer of security.

This module is derived from work done by the Apache Group and is subject to the same terms and conditions as the Apache server.