This is the README for pam_smb v0.8
--------------------------------------------------

pam_smb is a PAM module which allows authentication of UNIX users using an NT
server.

****************
What's New in this version -- 0.8
****************
Pam_smb now has Solaris 2.6 PAM support. It can be compiled using either the 
SunPro cc compiler or gcc-2.7.2.3 for Solaris 2.6. 

**************
Features
**************
	o Linux Redhat PAM support
	o GLIBC 2 support ( RH 5.0 )
	o Solaris 2.6 support
	o NT Domain support
	o Encrypted LANMAN password support.
	o Ability to use backup server in case of failure of primary.
	
******************
Old What's new 
******************
pam_smb now has support for encrypted passwords turned on. It will now use
encrypted LANMAN/NT passwords ala the encrypt password option on samba. This 
allows a SAMBA server using encrypted passwords to authenticate users now, so
you can now authenticate from the smbpasswd file by setting up samba with 
encrypted passwords switched on, and pointing the pam_smb.conf at the
localhost server. 

Encryption can be disabled by editing the Makefile.

****************
Getting pam_smb:
****************

ftp://ftp.csn.ul.ie/pub/linux/pam_smb/
or
http://www.csn.ul.ie/~airlied/pam_smb/

**********
Installing
**********
Untar the distribution and cd into the pam_smb directory.

Edit the Makefile.

For Linux:
	The Makefile should be fine as is for Linux.

For Solaris 2.6:
	*N.B.* GNU Make is required.
	Comment out the Linux section and uncomment one of the
	Solaris sections. Set MAKE to your gnumake.

If you want to disable encrypted passwords you can change the option
at the top.
Run make and it should create a file pam_smb_auth.so.
Copy this file into the pam modules directory which for Redhat-4.2 is
/lib/security and for Solaris 2.6 is /usr/lib/security.

For Linux:
	You then need to change the configuration files in /etc/pam.d for the applications you wish to use NT authentication with.

My /etc/pam.d/login is as follows for NT authenticated logins.
Note the pam_smb_auth.so line.

#%PAM-1.0
auth       required	/lib/security/pam_securetty.so
auth	   required	/lib/security/pam_smb_auth.so
auth       required	/lib/security/pam_nologin.so
account    required	/lib/security/pam_pwdb.so
password   required	/lib/security/pam_cracklib.so
password   required	/lib/security/pam_pwdb.so shadow nullok use_authtok
session    required	/lib/security/pam_pwdb.so

For Solaris:
	You need to change the /etc/pam.conf other line to

other   auth required   /usr/lib/security/pam_smb_auth.so.1

*************
Configuration
*************

The configuration file is stored in /etc/pam_smb.conf and consists of three
lines: the first contains the NT domain to log on to, and the second and
third are the primary and secondary servers to use. Note that these do not
have to be NT server machines, simply machines which can authenticate in the
domain.

e.g.
Here is my local copy, where I have servers INTEL41 and INTEL42 and the domain is the UNDERGRADUATE domain:
UNDERGRADUATE
INTEL41
INTEL42
----- end ------

*******************
General Information.
*******************

The module is a hacked together version of smblib-0.50, smb-NT-verify, the pam_unix_auth module, and changes made by myself to allow Domain logons and 
other stuff.

Notes:
	The user must be in the password file to allow the user to login.
	If the user hasn't a starred password, the password in the file
	will work.
	If the user has a starred password, it will go to the NT server
	and validate the user in the domain specified in the conf file.
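
The Configuration section and the Notes above together decide where a login is checked. The following is an added example, not part of pam_smb: a small audit script that parses the three-line /etc/pam_smb.conf layout and predicts, from passwd-format lines, which path each account takes. The function names, the sample accounts and the reading of "starred" as a password field of exactly "*" are assumptions.

```python
# Added example, not pam_smb code. Assumes the three-line /etc/pam_smb.conf
# layout and the Notes rules from this README.

def parse_pam_smb_conf(text):
    """Return (domain, primary, secondary) from pam_smb.conf contents."""
    lines = [ln.strip() for ln in text.splitlines()]
    while lines and not lines[-1]:      # assumption: trailing blank lines are harmless
        lines.pop()
    if len(lines) != 3 or not all(lines):
        raise ValueError("expected 3 non-empty lines: domain, primary, secondary")
    return tuple(lines)

def classify_accounts(passwd_text):
    """Map each user to 'nt-domain' (starred) or 'local-password'."""
    accounts = {}
    for ln in passwd_text.splitlines():
        if not ln.strip():
            continue
        fields = ln.split(":")
        if len(fields) < 2:
            raise ValueError("malformed passwd line: %r" % ln)
        # Assumption: "starred" means the password field is exactly "*".
        accounts[fields[0]] = "nt-domain" if fields[1] == "*" else "local-password"
    return accounts

def audit(conf_text, passwd_text, users):
    """Predict, per user, which check decides the login."""
    domain, primary, secondary = parse_pam_smb_conf(conf_text)
    accounts = classify_accounts(passwd_text)
    report = {}
    for user in users:
        if user not in accounts:
            report[user] = "rejected: not in password file"
        elif accounts[user] == "nt-domain":
            report[user] = "NT domain %s via %s (backup %s)" % (domain, primary, secondary)
        else:
            report[user] = "local password in file"
    return report

# Constructed sample input (the hash is a made-up placeholder).
SAMPLE_CONF = "UNDERGRADUATE\nINTEL41\nINTEL42\n"
SAMPLE_PASSWD = (
    "root:PLACEHOLDERHASH:0:0:root:/root:/bin/sh\n"
    "alice:*:500:500:Alice:/home/alice:/bin/sh\n"
)

if __name__ == "__main__":
    for user, verdict in audit(SAMPLE_CONF, SAMPLE_PASSWD, ["root", "alice", "carol"]).items():
        print("%-6s %s" % (user, verdict))
```

Accounts reported as "local password in file" are never checked against the NT server, so their local passwords need the same care as before the module was installed.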

Thanks and a lot of the credit for this go to :

Andrew Morgan <morgan@parc.power.net> -- the Linux PAM project person, and 
writer of the pam_unix_auth.c module.

Richard Sharpe <sharpe@nmesis.enet.dec.com> -- the author of smblib which I
have used a lot of directly.

Christopher Burke <c.burke@mindware.com.au> -- the author of smb-NT-valid
from which I took the validation routine.

The encryption routine is taken straight from samba and is copyright
Andrew Tridgell (author of samba).

All work is my own fault so don't bother any of the above about any bugs
you find in it because I probably introduced them anyways ... 

BUGS: 
When running on a system designed for 2.1.x kernels, telnetting to the machine from a box in the hosts file causes login to get SIGSEGV outside my code; not sure why.

******************
Contacting Me
******************
Any Questions etc to David.Airlie@ul.ie
	
Dave Airlie 31/10/96
http://www.csn.ul.ie/~airlied
