I maintain a FreeBSD 8.1 server that runs mpd-5.5 and Samba 3.3.13 behind a firewall (also a FreeBSD box).

The Windows (XP, Vista, 7) users need to be able to change their passwords regularly, with VPN passwords updated too. Samba is the Windows domain controller, and the Windows clients all are domain members, so the Samba password database gets updated when a user changes his/her password.

This script causes mpd5 to authenticate users using the NTLM hash in the Samba password database:

 --------------------------------------------------------------------
  #!/bin/sh
  # @(#)mpd_auth.sh 2012-Feb-20 KLD
  # extauth-script for mpd5

  # Header for the log
  echo >> /var/log/mpd_auth.log
  date >> /var/log/mpd_auth.log
  # Should have one arg: the user ID
  if [ $# -ne 1 ]; then
    # Wrong number of args
    echo RESULT:FAIL
  else
    # Look up user's password hash in Samba password database
    # (field 4 of the colon-separated line printed by pdbedit -w)
    user_id="$1"
    nt_hash=`/usr/local/bin/pdbedit -wu "${user_id}" 2>/dev/null | \
      /usr/bin/awk -F: '{ print $4 }'`
    if [ "x${nt_hash}" = "x" ]; then
      # User ID not in Samba password database
      echo RESULT:FAIL
    else
      # Tell mpd5 the NT hash of the password
      echo "USER_NT_HASH:${nt_hash}"
      # Tell mpd5 to use the hash to verify the user
      echo RESULT:UNDEF
    fi
  fi
  # Give mpd5 a blank line (may not be necessary)
  echo
  # Show mpd5 output to this script in the log
  cat - >> /var/log/mpd_auth.log
  exit 0
 --------------------------------------------------------------------

The pertinent lines in /usr/local/etc/mpd5/mpd.conf:

 --------------------------------------------------------------------
        set auth extauth-script /usr/local/etc/mpd5/mpd_auth.sh
        set auth enable ext-auth
        set auth disable internal
 --------------------------------------------------------------------

Karl Dunn
kd...@acm.org
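
The script in the post takes field 4 of the pdbedit line and does not look at the account flags in field 5. The following is an added example, not part of the original post: a function that returns the NT hash only for an enabled, normal user account with a well-formed hash. It assumes the smbpasswd line format shown in the comment; the function name and the sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes the smbpasswd line format
#   name:uid:LM_HASH:NT_HASH:[FLAGS]:LCT-xxxxxxxx:
# as printed by "pdbedit -w -u USER".

# Print the NT hash and return 0 only if the line describes an enabled normal
# user account with a well-formed hash; otherwise print nothing and return 1.
nt_hash_if_usable() {
  IFS=: read -r _name _uid _lm nt_hash flags _rest <<EOF
$1
EOF
  # NT hash must be exactly 32 hex digits; this also rejects the
  # "XXXX..." and "NO PASSWORD..." placeholders.
  [ "${#nt_hash}" -eq 32 ] || return 1
  case "$nt_hash" in
    *[!0-9A-Fa-f]*) return 1 ;;
  esac
  # Flags must mark a normal user account (U) ...
  case "$flags" in
    "["*U*"]") ;;
    *) return 1 ;;
  esac
  # ... that is not disabled (D), passwordless (N) or auto-locked (L).
  case "$flags" in
    *[DNL]*) return 1 ;;
  esac
  printf '%s\n' "$nt_hash"
}

# Constructed sample lines (hashes are made-up values, not real accounts).
SAMPLE_OK='alice:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0123456789ABCDEF0123456789ABCDEF:[U          ]:LCT-4F420000:'
SAMPLE_DISABLED='bob:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0123456789ABCDEF0123456789ABCDEF:[DU         ]:LCT-4F420000:'
SAMPLE_NOHASH='carol:1003:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-4F420000:'
SAMPLE_MACHINE='pc01$:1004:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0123456789ABCDEF0123456789ABCDEF:[W          ]:LCT-4F420000:'

# Emit the same reply lines the extauth script sends to mpd5.
for line in "$SAMPLE_OK" "$SAMPLE_DISABLED" "$SAMPLE_NOHASH" "$SAMPLE_MACHINE"; do
  if nt=$(nt_hash_if_usable "$line"); then
    echo "USER_NT_HASH:${nt}"
    echo "RESULT:UNDEF"
  else
    echo "RESULT:FAIL"
  fi
done
```

In mpd_auth.sh the function would be given the whole line from `pdbedit -wu "${user_id}"` in place of the awk stage.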