Web lists-archives.com

Re: [Samba] Custom Authentication Plugin (passdb backend)




Hi Andrew!

On 03/26/2017 04:24 PM, Andrew Bartlett via samba wrote:
On Sat, 2017-03-25 at 19:30 -0700, Nick Coons via samba wrote:
I'm looking to create a "passdb backend" plugin so that Samba can
authenticate with our existing custom authentication system.

Can you describe a little more your current custom authentication
system and the capabilities it has?

Of course. The data is stored in a MySQL database, but as accessed through a JSON-RPC client/server model. So we would want to create a method (or set of methods) that request authentication or other information from the server.

For instance, we use it for OpenVPN connections. OpenVPN has a facility that allows us to reference an arbitrary script that exits with status 0 (success) or 1 (failure) to indicate whether or not the user's authentication attempt was successful. I know that Sambs is more complicated than that, but that's the idea.

We would be willing to extend the system however we need. For instance, the password hash that we store is likely incompatible, so we'd need to store a second hash of the user's password. We'd also need to store the user's password expiration date, last login timestamp, etc.

While we have built a pluggable auth and passdb system, creating and
deploying custom backends has turned out to be much harder to execute
in practice than originally expected.

In particular, the auth subsystem only covers NTLM authentication, but
not password chagnes nor machine account authentication (netlogon
ServerAuthenticateX), and passdb has so many arms and lets it is quite
difficult to implement (but more practical).

For us, it would be a read-only system. So we wouldn't need to do things like allow users to change their passwords, or provide any domain functionality. This would simply be for authenticating to access shares, and then using the correct user for filesystem permissions.

Both require that you have access to the NT hash of the user's password
(MD4(utf16_le(password)).

If access to that is available, it may be more practical to present
your existing DB in something that looks like our normal LDAP tree.

I'm certainly open to this, and this is something that we've put on our list of possible solutions as well. I assume this would be some sort of listener on port 389 (or 686 for LDAP with SSL) that when Samba's LDAP client connects and sends authentication requests (or other requests for information), we'd pull the info from our system and present it in an expected way. Never having built an LDAP server, I'm not exactly sure what this would entail, but probably a lot of reading on the LDAP spec. :-)

Anyway, if you can discuss what you have and need we can see how we can
help solve your problems.

I appreciate that.. thank you!

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba