This file describes how to get, install and configure pam_smb.

How do I get pam_smb?
=-------------------=

pam_smb is available from any Samba FTP mirror (http://samba.org/samba)
or from the anonymous CVS tree (http://cvs.samba.org/cvs.html).

PLEASE PLEASE use the FTP mirrors or CVS; it will be much faster for you, as the primary site below is really slow from outside Ireland.

It is also available from the author's primary site (in Ireland):
ftp://ftp.csn.ul.ie/pub/linux/pam/pam_smb/

The webpage for pam_smb and FAQ are at:

http://www.csn.ul.ie/~airlied/pam_smb/

How do I install pam_smb?
=-----------------------=

Unpack the distribution and cd to the top level directory.
pam_smb uses the GNU configure system, so run

./configure
make
make install

make install will install
pam_smb_auth.so in /lib/security
and
pamsmbd, usually in /usr/local/sbin/pamsmbd.

For the options to configure, run ./configure --help
Currently, module-only compilation, encrypted passwords, the install location and
an alternative database storage directory can be set with configure options.


How do I Configure it?
=--------------------=

The pam_smb module has four configuration steps:
	a) pam.conf and /etc/pam.d configuration + command line parameters.
	b) pam_smb.conf configuration file.
	c) pam_smb.usermap username mapping database
	d) starting pamsmbd at boot time.

a) pam.conf, /etc/pam.d and command line options
	First, the PAM module must be added to the PAM system configuration
files so that it is used for the services the administrator chooses.
The procedure is slightly different under Linux and Solaris.

For Linux: the PAM config files are stored in /etc/pam.d (one for each service).
My /etc/pam.d/login file is included here:

#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_smb_auth.so
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
session    required     /lib/security/pam_pwdb.so

Note that the pam_pwdb auth line is removed or commented out.

For Solaris:
        You need to change the "other" auth line in /etc/pam.conf to

other   auth required   /usr/lib/security/pam_smb_auth.so.1

Pam_smb has some command line parameters that can be passed within the PAM configuration files:
(Most installations can skip this step as the module will work grand without any command line arguments.)

	1. debug - This switches on syslog debugging of the module.
	2. use_first_pass - This is a standard PAM Module command line option.
	*********** N.B. Danger lurks here somewhere *****************
	3. nolocal - This allows authentication of a username/password
			pair that is not in the local password file.
		 Do not switch this on unless you know what you are at.
	**************************************************************

b) pam_smb.conf configuration file

The configuration file is stored in /etc/pam_smb.conf. It consists of one or more lines, each holding a domain and two servers, separated by commas.

NB: there are no spaces in this file.
E.g. my local copy is for two domains, STAFF and UNDERGRADUATE, and their servers:

UNDERGRADUATE,UGRADPDC,UGRADBDC
STAFF,STAFFPDC,STAFFBDC

c) Username mapping
To get username mapping support you need a file in /etc called
pam_smb.usermap which has lines of the style

unixuser=NTDOMAIN\ntuser

NTDOMAIN can be omitted, in which case the first domain in the pam_smb.conf file is used. This mapping is one-to-one and allows either the Unix or NT name to be used at login time.
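
The following is an added example, not part of pam_smb or of the original README: a small linter that checks pam_smb.conf and pam_smb.usermap text against the rules stated in b) and c) before the files are deployed. It assumes domain and NT user names compare case-insensitively; the function names and the sample users are made up for illustration.

```python
# Added example: lint pam_smb.conf / pam_smb.usermap text against this README's rules.
# Assumption: domain and NT user names are compared case-insensitively.

def parse_conf(text):
    """Return ([(domain, server1, server2), ...], [error, ...])."""
    entries, errors = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line:
            continue
        fields = line.split(",")
        if any(c.isspace() for c in line):
            errors.append(f"pam_smb.conf:{n}: whitespace is not allowed")
        elif len(fields) != 3 or not all(fields):
            errors.append(f"pam_smb.conf:{n}: expected DOMAIN,SERVER1,SERVER2")
        else:
            entries.append(tuple(fields))
    return entries, errors

def parse_usermap(text, domains):
    """Return ({unixuser: (DOMAIN, ntuser)}, [error, ...]); domains is in file order."""
    known = [d.upper() for d in domains]
    mapping, owner, errors = {}, {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        unix, eq, nt = line.partition("=")
        domain, slash, ntuser = nt.rpartition("\\")
        if not slash:  # NTDOMAIN omitted: first domain in pam_smb.conf is used
            domain = known[0] if known else ""
        key = (domain.upper(), ntuser.lower())
        where = f"pam_smb.usermap:{n}"
        if not (eq and unix and ntuser and domain):
            errors.append(f"{where}: expected unixuser=NTDOMAIN\\ntuser")
        elif key[0] not in known:
            errors.append(f"{where}: domain {domain} is not in pam_smb.conf")
        elif unix in mapping:
            errors.append(f"{where}: {unix} is already mapped (not one-to-one)")
        elif key in owner:
            errors.append(f"{where}: NT account already mapped to {owner[key]}")
        else:
            mapping[unix], owner[key] = key, unix
    return mapping, errors

# Constructed sample input; the first two conf lines are the README's own example.
CONF = "UNDERGRADUATE,UGRADPDC,UGRADBDC\nSTAFF,STAFFPDC,STAFFBDC\nLAB, LABPDC,LABBDC\nOLD,OLDPDC\n"
USERMAP = "alice=STAFF\\asmith\nbob=bjones\ncarol=STAFF\\ASmith\ndave=SALES\\dave\nalice=UNDERGRADUATE\\a2\n"

if __name__ == "__main__":
    entries, conf_errors = parse_conf(CONF)
    mapping, map_errors = parse_usermap(USERMAP, [e[0] for e in entries])
    print(mapping, *conf_errors, *map_errors, sep="\n")
```
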

d) Starting pamsmbd at boot time
pamsmbd needs to be started at boot time. How this is done depends on your distribution; there is a script in scripts/pamsmbd that can be copied to /etc/rc.d/init.d on Red Hat systems and linked into the RH rc.d tree.

