HP CIFS Client A.02.02.03 Administrator's Guide

Configuring the system to use the PAM NTLM Module
This task consists of editing the global HP-UX PAM configuration file /etc/pam.conf.
IMPORTANT: You may not be able to log in to the system if PAM is not correctly configured.
Make sure that you understand the PAM framework before you modify pam.conf. For information
on PAM, see these sections of HP-UX manpages: pam.conf(4), pam_unix(5).
For security reasons, HP strongly recommends you set up your system such that, for both
authentication and password change, the host system (PAM UNIX), not the password server
configured by PAM NTLM, authenticates root and other privileged users. Access on a per-user
basis can be controlled through the use of libpam_updbe in pam.conf, and the ignore option
to libpam_ntlm in pam_user.conf. See pam.conf(4), pam_user.conf(4), and
pam_updbe(5) for explanations and examples of usage.
HP also recommends using PAM NTLM services in addition to, not in place of, PAM-UNIX. This
configuration is depicted in the sample pam.conf file below.
PAM NTLM provides the following services:
Password Authentication
Password Change
Password Change Upon Notice of Expiration
Each service corresponds to a specific section of pam.conf. Add entries for the services you wish
to use:
For Password Authentication, modify the Authentication management section of pam.conf.
For Password Change, modify Password management.
For Password Change Upon Notice of Expiration, modify Authentication management,
Password management, and Account management. To use Password Change Upon
Notice of Expiration, you must also enable both Password Authentication and Password
Change.
The following are sample pam.conf files with all three PAM NTLM services configured. Each PAM
NTLM entry consists of a line that refers to the shared library libpam_ntlm.1. In the authentication
management section, when PAM NTLM is used in conjunction with PAM UNIX, it is recommended
that the option try_first_pass be specified with the PAM-UNIX entry, as shown.
WARNING! If incorrect paths are used in pam.conf, it can become impossible to log in to the
system. Ensure that you refer to the pam.conf file that matches the version of HP-UX installed on
your system (use uname -r to check the version). In particular, you should add lines to pam.conf
exactly as shown without modifying paths. Starting with version B.11.22 of HP-UX, paths to the
PAM libraries are different than in earlier versions.
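The rules in this section can be checked mechanically before an edited pam.conf is put in place. The following linter is an added example, not part of the HP guide or of HP CIFS Client. It assumes the PAM UNIX library file name begins with libpam_unix, and its sample input is constructed with /PLACEHOLDER in place of real library directories.

```python
from collections import defaultdict

# Constructed sample, not the guide's pam.conf. /PLACEHOLDER stands in for the
# library directory; copy real paths from the sample for your HP-UX release.
SAMPLE = """\
login   auth     sufficient /PLACEHOLDER/libpam_ntlm.1
login   auth     required   /PLACEHOLDER/libpam_unix.1
login   account  required   /PLACEHOLDER/libpam_unix.1
login   account  required   /PLACEHOLDER/libpam_ntlm.1
passwd  password required   /PLACEHOLDER/libpam_unix.1
"""

def parse(text):
    """Map (service, module_type) -> [(library basename, options), ...]."""
    stacks = defaultdict(list)
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4:  # service, type, control flag, path, [options]
            lib = fields[3].rsplit("/", 1)[-1]
            stacks[(fields[0], fields[1])].append((lib, fields[4:]))
    return stacks

def lint(text):
    """Return findings for the PAM NTLM rules stated in the section above."""
    stacks, findings = parse(text), []

    def uses(mtype, lib):
        return any(m.startswith(lib) for (_, t), mods in stacks.items()
                   if t == mtype for m, _ in mods)

    # Expiration handling (account) also requires auth and password entries.
    if uses("account", "libpam_ntlm"):
        for mtype in ("auth", "password"):
            if not uses(mtype, "libpam_ntlm"):
                findings.append(f"account uses libpam_ntlm, no {mtype} entry does")
    for (service, mtype), mods in sorted(stacks.items()):
        if mtype not in ("auth", "password"):
            continue
        if not any(m.startswith("libpam_ntlm") for m, _ in mods):
            continue
        unix = [opts for m, opts in mods if m.startswith("libpam_unix")]
        if not unix:  # NTLM should be added to PAM UNIX, not replace it
            findings.append(f"{service} {mtype}: libpam_ntlm without PAM UNIX")
        elif mtype == "auth" and not any("try_first_pass" in o for o in unix):
            findings.append(f"{service} auth: PAM UNIX lacks try_first_pass")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)) or "no findings")
```

Run it against a copy of the edited file while a root session stays open, so a rejected edit can be reverted without logging in again.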