A number of UNIX systems (e.g., Sun Solaris), as well as the xxxxBSD family and Linux,
now utilize the Pluggable Authentication Modules (PAM) facility to provide all authentication,
authorization, and resource control services. Prior to the introduction of PAM, a decision
to use an alternative to the system password database (
would require the provision of alternatives for all programs that provide security services.
Such a choice would involve provision of alternatives to programs such as
, and so on.
PAM provides a mechanism that disconnects these security programs from the underlying
authentication/authorization infrastructure. PAM is configured by making appropriate modifications to one file,
/etc/pam.conf (Solaris), or by editing individual control files that are
On PAM-enabled UNIX/Linux systems, it is an easy matter to configure the system to use any
authentication backend so long as the appropriate dynamically loadable library modules
are available for it. The backend may be local to the system or may be centralized on a
PAM support modules are available for:
There are several PAM modules that interact with this standard UNIX user database. The most common are called
pam_krb5.so module allows the use of any Kerberos-compliant server.
This tool is used to access MIT Kerberos, Heimdal Kerberos, and potentially
Microsoft Active Directory (if enabled).
pam_ldap.so module allows the use of any LDAP v2- or v3-compatible backend
server. Commonly used LDAP backend servers include OpenLDAP v2.0 and v2.1,
Sun ONE iDentity server, Novell eDirectory server, and Microsoft Active Directory.
pam_ncp_auth.so module allows authentication off any bindery-enabled
NetWare Core Protocol-based server.
This module, called
pam_smbpass.so, allows user authentication of
the passdb backend that is configured in the Samba
pam_smb_auth.so module is the original MS Windows networking authentication
tool. This module has been somewhat outdated by the Winbind module.
pam_winbind.so module allows Samba to obtain authentication from any
MS Windows domain controller. It can just as easily be used to authenticate
users for access to any PAM-enabled application.
There is a PAM RADIUS (Remote Access Dial-In User Service) authentication
module. In most cases, administrators need to locate the source code
for this tool and compile and install it themselves. RADIUS protocols are
used by many routers and terminal servers.
Of the modules listed, Samba provides the
pam_smbpasswd.so and the
pam_winbind.so modules alone.
Once configured, these permit a remarkable level of flexibility in the location and use
of distributed Samba domain controllers that can provide wide-area network bandwidth,
efficient authentication services for PAM-capable systems. In effect, this allows the
deployment of centrally managed and maintained distributed authentication from a
single-user account database.