HP CIFS Client A.01.09 Administrator's Guide: HP-UX 11.0 and 11i version 1 and 2 > Chapter 8 PAM NTLM

PAM NTLM Configuration

Configure the following to set up PAM-NTLM:

  • The PAM-NTLM module

  • The system file /etc/pam.conf to use the PAM-NTLM module

  • A usermap file (optional)

Configuring the PAM NTLM Module

The PAM-NTLM configuration file is /etc/opt/cifsclient/pam/smb.conf. A default configuration file is also provided (smb.conf.default). Do not change the default configuration file, because you may need to refer to it in the future.

Table 8-1 Title not available (Configuring the PAM NTLM Module)

##
## Name: smb.conf
##
## Set the values below to the actual names used in your environment.
## Any line which starts with a semi-colon(;) or a hash(#)
## is a comment and is ignored.
##
##==================== Global Settings ============================
[global]

## workgroup: NT-Domain-Name or Workgroup-Name
workgroup = workgroup

## password server: the netbios name of the system which will be
## used to authenticate logins.
password server = pdc_name bdc1_name bdc2_name

## wins server: the system used to locate password servers,
## specified as a fully-qualified DNS name or an IP address.
wins server = winserv.mycorp.com

Configuring the system to use the PAM NTLM Module

This task consists of editing the global HP-UX PAM configuration file /etc/pam.conf.

IMPORTANT: You may not be able to log into the system if PAM is not correctly configured. Make sure that you understand the PAM framework before you modify pam.conf. For information on PAM, see the HP-UX manpages pam.conf(4) and pam_unix(5).

For security reasons, HP strongly recommends you set up your system such that, for both authentication and password change, the host system (PAM UNIX), not the password server configured by PAM NTLM, authenticates root and other privileged users. Access on a per-user basis can be controlled through the use of libpam_updbe in pam.conf, and the ignore option to libpam_ntlm in pam_user.conf. See pam.conf(4), pam_user.conf(4), and pam_updbe(5) for explanations and examples of usage.

HP also recommends using PAM NTLM services in addition to, not in place of, PAM-UNIX. This configuration is depicted in the sample pam.conf file below.

PAM NTLM provides the following services:

  • Password Authentication

  • Password Change

  • Password Change Upon Notice of Expiration

Each service corresponds to a specific section of pam.conf. Add entries for the services you wish to use:

  • For Password Authentication, modify the Authentication management section of pam.conf.

  • For Password Change, modify Password management.

  • For Password Change Upon Notice of Expiration, modify Authentication management, Password management, and Account management (to use Password Change Upon Notice of Expiration, you must also enable both Password Authentication and Password Change).

The following are sample pam.conf files with all three PAM NTLM services configured. Each PAM NTLM entry consists of a line that refers to the shared library libpam_ntlm.1 (libpam_ntlm.so.1 on HP-UX B.11.22). In the authentication management section, when PAM NTLM is used in conjunction with PAM UNIX, it is recommended that the option try_first_pass be specified with the PAM-UNIX entry, as shown.

WARNING! If incorrect paths are used in pam.conf, it can become impossible to log in to the system. Ensure that you refer to the pam.conf file that matches the version of HP-UX installed on your system (use uname -r to check the version). In particular, add lines to pam.conf exactly as shown, without modifying paths. Starting with version B.11.22 of HP-UX, the paths to the PAM libraries differ from those in earlier versions.

The following sample pam.conf file is for version B.11.22 of HP-UX:

Example 8-1 Sample file for HP-UX version B.11.22

=====================================================================
#
# PAM configuration
#
# Authentication management
# Note: For PA applications, /usr/lib/security/libpam_unix.so.1 is a
# symbolic link that points to the corresponding PA PAM module.
#
#
login auth sufficient /usr/lib/security/$ISA/libpam_ntlm.so.1
login auth required /usr/lib/security/$ISA/libpam_unix.so.1 try_first_pass
su auth required /usr/lib/security/$ISA/libpam_unix.so.1
dtlogin auth required /usr/lib/security/$ISA/libpam_unix.so.1
dtaction auth required /usr/lib/security/$ISA/libpam_unix.so.1
ftp auth required /usr/lib/security/$ISA/libpam_unix.so.1
OTHER auth required /usr/lib/security/$ISA/libpam_unix.so.1
#
# Account management
#
login account required /usr/lib/security/$ISA/libpam_ntlm.so.1
login account required /usr/lib/security/$ISA/libpam_unix.so.1
su account required /usr/lib/security/$ISA/libpam_unix.so.1
dtlogin account required /usr/lib/security/$ISA/libpam_unix.so.1
dtaction account required /usr/lib/security/$ISA/libpam_unix.so.1
ftp account required /usr/lib/security/$ISA/libpam_unix.so.1
#
OTHER account required /usr/lib/security/$ISA/libpam_unix.so.1
#
# Session management
#
login session required /usr/lib/security/$ISA/libpam_unix.so.1
dtlogin session required /usr/lib/security/$ISA/libpam_unix.so.1
dtaction session required /usr/lib/security/$ISA/libpam_unix.so.1
OTHER session required /usr/lib/security/$ISA/libpam_unix.so.1
#
# Password management
#
login password sufficient /usr/lib/security/$ISA/libpam_ntlm.so.1
login password required /usr/lib/security/$ISA/libpam_unix.so.1
passwd password required /usr/lib/security/$ISA/libpam_unix.so.1
dtlogin password required /usr/lib/security/$ISA/libpam_unix.so.1
dtaction password required /usr/lib/security/$ISA/libpam_unix.so.1
OTHER password required /usr/lib/security/$ISA/libpam_unix.so.1
=====================================================================

The following sample pam.conf file is for versions B.11.00 and B.11.11 of HP-UX:

Example 8-2 Sample file for HP-UX versions B.11.00 and B.11.11

#
# PAM configuration
#
# Authentication management
#
login      auth     sufficient /usr/lib/security/libpam_ntlm.1
login      auth     required   /usr/lib/security/libpam_unix.1 try_first_pass
su         auth     required   /usr/lib/security/libpam_unix.1
dtlogin    auth     required   /usr/lib/security/libpam_unix.1
dtaction   auth     required   /usr/lib/security/libpam_unix.1
ftp        auth     required   /usr/lib/security/libpam_unix.1
OTHER      auth     required   /usr/lib/security/libpam_unix.1
#
# Account management
#
login      account  required   /usr/lib/security/libpam_ntlm.1
login      account  required   /usr/lib/security/libpam_unix.1
su         account  required   /usr/lib/security/libpam_unix.1
dtlogin    account  required   /usr/lib/security/libpam_unix.1
dtaction   account  required   /usr/lib/security/libpam_unix.1
ftp        account  required   /usr/lib/security/libpam_unix.1
OTHER      account  required   /usr/lib/security/libpam_unix.1
#
# Session management
#
login      session  required   /usr/lib/security/libpam_unix.1
dtlogin    session  required   /usr/lib/security/libpam_unix.1
dtaction   session  required   /usr/lib/security/libpam_unix.1
OTHER      session  required   /usr/lib/security/libpam_unix.1
#
# Password management
#
login      password sufficient /usr/lib/security/libpam_ntlm.1
login      password required   /usr/lib/security/libpam_unix.1
passwd     password required   /usr/lib/security/libpam_ntlm.1
dtlogin    password required   /usr/lib/security/libpam_unix.1
dtaction   password required   /usr/lib/security/libpam_unix.1
OTHER      password required   /usr/lib/security/libpam_unix.1
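As an added pre-flight check (not an HP tool, and not part of this guide), the script below parses a pam.conf and reports the mistakes this section warns about before you log out: module paths that do not match the installed HP-UX release, a libpam_ntlm entry with no libpam_unix entry in the same service/type stack, and a PAM UNIX auth entry that lacks try_first_pass. The release string is whatever uname -r prints; the sample pam.conf lines at the end are constructed.

```python
import re

# Module path layouts taken from Example 8-1 (B.11.22) and Example 8-2 (B.11.00/B.11.11).
PATH_LAYOUT = {
    "isa": re.compile(r"^/usr/lib/security/\$ISA/libpam_\w+\.so\.1$"),
    "flat": re.compile(r"^/usr/lib/security/libpam_\w+\.1$"),
}

def layout_for(release):
    """Map a `uname -r` string such as 'B.11.11' to the expected path layout."""
    _, major, minor = release.split(".")
    return "isa" if (int(major), int(minor)) >= (11, 22) else "flat"

def parse_pam_conf(text):
    """Parse pam.conf into (service, type, control, module, options) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments
        parts = line.split()
        if len(parts) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        entries.append((parts[0], parts[1], parts[2], parts[3], parts[4:]))
    return entries

def lint_pam_conf(text, release):
    """Return a list of findings; an empty list means the checks passed."""
    findings, pattern, stacks = [], PATH_LAYOUT[layout_for(release)], {}
    for svc, typ, ctl, mod, opts in parse_pam_conf(text):
        if not pattern.match(mod):
            findings.append("%s %s: %s is not a %s module path" % (svc, typ, mod, release))
        stacks.setdefault((svc, typ), []).append((ctl, mod, opts))
    for (svc, typ), stack in stacks.items():
        ntlm = [e for e in stack if "libpam_ntlm" in e[1]]
        unix = [e for e in stack if "libpam_unix" in e[1]]
        if ntlm and not unix:  # NTLM used in place of, not in addition to, PAM UNIX
            findings.append("%s %s: libpam_ntlm with no libpam_unix entry" % (svc, typ))
        if typ == "auth" and ntlm and any("try_first_pass" not in e[2] for e in unix):
            findings.append("%s auth: libpam_unix entry lacks try_first_pass" % svc)
    return findings

# Constructed sample: an 11.11-style NTLM line pasted onto a B.11.22 host (the
# mistake the WARNING describes) and a PAM UNIX auth line without try_first_pass.
SAMPLE = """\
login auth sufficient /usr/lib/security/libpam_ntlm.1
login auth required   /usr/lib/security/$ISA/libpam_unix.so.1
su    auth required   /usr/lib/security/$ISA/libpam_unix.so.1
"""
```

Run lint_pam_conf(open("/etc/pam.conf").read(), "B.11.22") on the target host and resolve every finding before closing your existing session.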

Configuring a User Map File

To configure PAM NTLM to use the user map file, add the following line to the [global] section of the /etc/opt/cifsclient/pam/smb.conf file:

Domain user map = /etc/opt/cifsclient/pam/domain_user.map

The name and location of the user map file are configurable; HP recommends the path shown above.

The format of a domain user file entry is:

UNIXusername = [\\DOMAIN_NAME\\] DomainUserName

UNIXusername is an existing account on the HP-UX system; DomainUserName is the name of the user that is mapped in the NT domain. DOMAIN_NAME is optional.

The user map file is parsed line by line. If a line begins with a # or a ; it is ignored. Each line should contain a single UNIX user name on the left and a single NT domain user name on the right, separated by a tab or '='. If either name contains spaces, you must enclose it in quotes.

Using NIS Distribution of the User Map File

The user map file can be distributed via NIS in a similar manner to the distribution of /etc/passwd to NIS clients.

To use this feature:

  1. Convert the master user map file into an NIS map file named domainusermap.byname on the NIS master server.

    NOTE: The NIS map file name domainusermap.byname is the default name that PAM NTLM uses for the NIS map file. You can configure a different NIS user map name in the PAM NTLM configuration file (/etc/opt/cifsclient/pam/smb.conf) of each NIS client. The configuration option is:

    nis ntuser mapname = <new user map filename>

  2. In the user map file of each NIS client that will receive the distributed map file, add an entry with the plus sign (+) in the first column of the line. The plus sign is used to indicate that parsing the file should stop at that point and the remaining search of the user map file should use NIS calls to the NIS server.
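The following is an added illustration of the user map format described above and of the + line that hands the remaining lookups to NIS; it is not HP's parser. It takes the page's [\\DOMAIN_NAME\\] notation literally (two backslashes before and after the domain name) and accepts quotes either around the whole right-hand side or around the user name alone; the sample file is constructed.

```python
def unquote(s):
    """Strip surrounding double or single quotes from a name that contains spaces."""
    s = s.strip()
    if len(s) >= 2 and s[0] == s[-1] and s[0] in "\"'":
        return s[1:-1]
    return s

def split_domain(name):
    """Split the optional \\\\DOMAIN_NAME\\\\ prefix off a domain user name."""
    if name.startswith("\\\\"):
        domain, _, user = name[2:].partition("\\\\")
        return domain, unquote(user)
    return None, name

def parse_user_map(text):
    """Parse a domain user map into ({unix_name: (domain, domain_user)}, nis).

    `nis` is True when a line starting with '+' was reached: parsing stops
    there and the remaining lookups are expected to come from the NIS map.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or comment line
        if line.startswith("+"):
            return mapping, True
        if "=" in line:  # '=' or a tab separates the UNIX name from the domain name
            left, right = line.split("=", 1)
        elif "\t" in line:
            left, right = line.split("\t", 1)
        else:
            raise ValueError("no '=' or tab separator in user map line: %r" % raw)
        domain, domain_user = split_domain(unquote(right))
        mapping[unquote(left)] = (domain, domain_user)
    return mapping, False

# Constructed sample file, not from the HP documentation.
SAMPLE = "\n".join([
    "# UNIX account on the left, NT domain account on the right",
    "; a semicolon also starts a comment",
    "jsmith = \\\\CORP\\\\John.Smith",
    '"mary jones"\t"\\\\CORP\\\\Mary Jones"',
    "bob = bob",
    "+",
    "never = \\\\CORP\\\\not_parsed",
])
```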
