Solaris CIFS Administration Guide

Procedure: How to Configure the PAM Module to Store a CIFS Persistent Password

When installed, the pam_smbfs_login.so.1 module enables you to store a persistent password in the same way as if you had run the smbutil login command for PAM_USER in the user's or system's default domain.

This optional functionality is meant to be used only in environments that do not run Active Directory or Kerberos, but which synchronize passwords between Solaris clients and their CIFS/SMB servers.

For more information, see the pam_smbfs_login(5) man page.

  1. Use your login name and password to store a persistent password.

    Add the following line to the /etc/pam.conf file after the other login entries:


    login   auth optional           pam_smbfs_login.so.1

    This action adds a persistent password entry as if you had run the smbutil login command.


    Note – The PAM module implements a privilege to permit it to run as superuser to store your password.


  2. Verify that your persistent password is stored.


    $ smbutil login -c user
    

Example 4–1 Configuring the PAM Module to Store a Persistent Password

The following example shows how the domain is chosen. The system default is WORKGROUP. The WORKGROUP domain is overridden by any default from SMF, and finally by any default from the user's .nsmbrc file.

This example shows a default domain in SMF and for user terry:


# sharectl set -p section=default -p domain=AAA smbfs
# sharectl get smbfs
[default]
domain=AAA

A root login uses the domain from SMF:


# smbutil login -c terry
Keychain entry exists for AAA/terry.

A login as terry uses the domain from the ~terry/.nsmbrc file:


$ ls /.nsmbrc
/.nsmbrc: No such file or directory

$ cat ~/.nsmbrc
[default]
domain=MYDOMAIN
$ ls -l ~/.nsmbrc
-rw-r--r--   1 terry  staff         26 Feb 13 10:15 /home/terry/.nsmbrc
$ smbutil login -c terry
Keychain entry exists for MYDOMAIN/terry.

If Terry puts a password in ~terry/.nsmbrc, he must remove read permission for other users. Also, because Terry's home directory is on an NFS server, the PAM module running as root then cannot read Terry's file, so Terry would see the following message at login, and the SMF domain is used instead:


$ chmod 400 .nsmbrc
$ logout

solarsystem console login: terry
Password:
Can't open /home/terry/.nsmbrc: Permission denied
$ su
Password:
# smbutil login -c terry
Keychain entry exists for AAA/terry.
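
The domain precedence and the .nsmbrc permission requirement described in this example can be checked with a short script. This is an added example, not part of the guide: the function names and the sample file are constructed, only the [default] section is modeled, and the SMF domain is passed as an argument instead of being read with sharectl.

```shell
#!/bin/sh
# Added example, not from the guide. Function names and sample data are constructed.

# Print the value of KEY from the [default] section of FILE.
nsmbrc_default() {   # $1 = file, $2 = key
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { in_default = ($0 ~ /^[ \t]*\[default\]/); next }
        in_default && index($0, "=") {
            n = index($0, "=")
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Precedence from the guide: WORKGROUP, then SMF, then the user's .nsmbrc.
# A file the caller cannot read (root over NFS) leaves the SMF value in place.
effective_domain() {   # $1 = SMF domain ("" if unset), $2 = path to .nsmbrc
    domain=WORKGROUP
    if [ -n "$1" ]; then domain=$1; fi
    if [ -r "$2" ]; then
        user_domain=$(nsmbrc_default "$2" domain)
        if [ -n "$user_domain" ]; then domain=$user_domain; fi
    fi
    printf '%s\n' "$domain"
}

# Return 0 if FILE contains a password entry and group or other can read it.
nsmbrc_password_exposed() {   # $1 = file
    grep -q '^[[:space:]]*password[[:space:]]*=' "$1" 2>/dev/null || return 1
    case $(ls -ld "$1" | cut -c1-10) in
        ????r?????|???????r??) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample mirroring the guide's example for user terry.
demo=$(mktemp -d)
printf '[default]\ndomain=MYDOMAIN\npassword=example-only\n' > "$demo/nsmbrc"
chmod 644 "$demo/nsmbrc"
echo "terry's login:      $(effective_domain AAA "$demo/nsmbrc")"
echo "file not readable:  $(effective_domain AAA "$demo/absent")"
if nsmbrc_password_exposed "$demo/nsmbrc"; then
    echo "password entry is group/other readable; run chmod 400"
fi
rm -rf "$demo"
```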