# HOWTO: Samba with PAM_SMBPASS - Using your system account with Samba



## junovitch@ (Dec 18, 2014)

*Summary:*
Samba is a nifty tool and pretty much required if you want to share files with Windows.  I had never really cared for the extra efforts needed to setup usernames for Samba so when I've read about the PAM_SMBPASS option, I found that was exactly what I was looking for.  If you are already using NFS and normal system accounts on your machine and want to pull Samba into the fold with minimal effort, than using PAM_SMBPASS will let you do that and maintain it fairly seamlessly.  Hopefully, things will just work and you'll never have to touch `smbpasswd` to separately change passwords for Samba again.

*Pros:*
Set things up the way you like and you'll never have to touch the `smbpasswd` command.

*Cons:*
The PAM configuration is a potential point of failure.  If you remove Samba or accidentally install the public version of Samba now without PAM_SMBPASS, PAM will have issues logging in when it can't find the module it's configured to use.

*HOWTO:*
My goal here is to primarily cover Samba with the PAM portion, however I'll describe my whole configuration from top to bottom.  I'm not a Samba expert so please mention if there are any recommendations that should be better.  What is below works for me and there are far more detailed guides out there for how to configure Samba but seemingly minimal information regarding configuring PAM_SMBPASS.

Samba Installation:
Install Samba 4.1 with PAM_SMBPASS checked:
`cd /usr/ports/net/samba41`
`make WITH="PAM_SMBPASS" install`

Alternately, you can also do the following to save yourself compiling time.
`pkg install samba41` to install all the dependencies.
`cd /usr/ports/net/samba41`
`make deinstall`
`make WITH="PAM_SMBPASS" install`

If you are using Poudriere, which is what I use to maintain my local packages you can add net/samba41 to your package list along with the following make.conf option and install through your local repository afterwards.

```
net_samba41_SET+=PAM_SMBPASS
```

Samba Configuration:
Samba is compiled with AIO support, so let's enable loading the AIO module at boot and load it now.
`echo 'aio_load="YES"' >> /boot/loader.conf`
`kldload aio`

Now for a Samba configuration file.  There's nothing too fancy here.  This configuration is jail friendly since it only binds on the host.  There are also a few ACL options, such as a the zfsacl and nfs:* option that I've found required to get around Samba filling the logs with messages about "unknown tag type 64" when sharing off of ZFS.

```
cat > /usr/local/etc/smb4.conf << 'EOF'
[global]
    interfaces = 10.100.102.2/32 127.0.0.1/32
    hosts allow = 10.100.
    bind interfaces only = yes
    case sensitive = yes
    security = user

    unix extensions = no
    nt acl support = yes
    inherit acls = no
    map acl inherit = yes

[homedirs]
    path = /zfs/homedirs
    comment = Home Directories
    vfs objects = zfsacl
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = yes
    available = yes
    browseable = yes
    read only = no
    public = no
    guest ok = no
    writable = yes
'EOF'
```

PAM Configuration:
Now for the PAM configuration.  Once you start, *do not exit your shell*.  Validate you can log in from a second one before you exit your shell as if your PAM configuration gets messed up you can have problems.

If you would like users to log in with SSH to automatically get their account and password migrated over to Samba, add the following.  Unfortunately this doesn't work with SSH key logins so you'll have to resort to using the other configurations below.

```
patch /etc/pam.d/sshd << 'EOF'
--- /etc/pam.d/sshd  2014-11-30 19:14:17.000000000 +0000
+++ /etc/pam.d/sshd     2014-11-30 19:24:09.000000000 +0000
@@ -10,6 +10,7 @@
#auth          sufficient      pam_krb5.so             no_warn try_first_pass
#auth          sufficient      pam_ssh.so              no_warn try_first_pass
auth           required        pam_unix.so             no_warn try_first_pass
+auth           optional        /usr/local/lib/pam_smbpass.so   try_first_pass migrate

# account
account                required        pam_nologin.so
'EOF'
```
If you would like local system logins to create and update Samba, you can add this same line to your /etc/pam.d/system.  However, this adds minimal value if you normally log in remotely.   Having a local system login if the PAM configuration is wrong is a good fallback to keep.

If you would like users that change their password locally to automatically get their account and new password migrated over to Samba, add the following.

```
patch /etc/pam.d/passwd << 'EOF'
--- /etc/pam.d/passwd        2014-11-30 18:47:55.000000000 +0000
+++ /etc/pam.d/passwd   2014-11-30 19:33:31.000000000 +0000
@@ -9,3 +9,4 @@
# password
#password      requisite       pam_passwdqc.so         enforce=users
password       required        pam_unix.so             no_warn try_first_pass nullok
+password       optional        /usr/local/lib/pam_smbpass.so   try_first_pass migrate
'EOF'
```

I've configured both options above however you are welcome select only what you need or attempt to configure additional PAM services inside the /etc/pam.d directory.

Enable and start up Samba.  Don't exit your shell just yet!
`sysrc samba_server_enable=YES`
`service samba_server start`

Testing:
1. If you've never used Samba and have no users, the following won't show anything:`pdbedit -vL`
2. Now log in from another terminal using SSH with a password and run pdbedit again.  You should see your username.  Make note of what time the password was changed.
3. Set a new password using `passwd` and check again using pdbedit.  Verify the password change time has changed from what step two showed.   If desired you can set your password a second time to set it back to the original password.
4. If all is well and you can login and change password just fine, your PAM configuration is good and you can finally exit your original shell.  If you have issues at any point, go back and review your PAM configuration changes.


----------

