This software requires cooperation between a number of
applications, all of which have to be correctly configured.

The first step is to compile smbpwman, pam_smbpw and smbautomount.

smbpwman is a daemon which keeps a record of the passwords.  It is
started automatically if it is not running when the first request is
made.

pam_smbpw is a PAM module which steals the password and registers
it with the daemon.  You will need to modify your PAM configuration
to use this module.  See the section below on PAM.

smbautomount is used by the automounter to find out if a particular
directory can be mounted.  This requires the program map type which is
part of the RedHat 7.2 package but may not be standard.

PAM
===
You need to add the following PAM module:

auth       required	/lib/security/pam_smbpw.so

It does not have to be required but if you have an optional before
it then it will never get called (at least with a valid password).

It does not do any auth checking so make sure you don't remove your
pam_unix or whatever you use.
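
The script below is an added example, not part of this package.  It checks
one PAM service file for the two points above: that pam_smbpw is in the auth
stack and that another required or requisite auth module is still present.
It also flags a "sufficient" module placed before pam_smbpw, which in
Linux-PAM ends the stack on success.  The function name, verdict strings and
sample stack are constructed for illustration.

```shell
#!/bin/sh
# Audit the auth stack of one PAM service file for safe pam_smbpw placement.
# Handles the simple control keywords only (required, requisite, sufficient,
# optional), not the bracketed [value=action] syntax.
# Heuristic: any other required/requisite auth module counts as a real check.
# Prints one verdict: OK, MISSING, NO_AUTH or SKIPPED.  Returns 0 only for OK.
check_pam_stack() {
    verdict=$(awk '
        /^[ \t]*#/ || NF < 3 || $1 != "auth" { next }
        $3 ~ /pam_smbpw\.so$/ { seen = 1; next }
        $2 == "required" || $2 == "requisite" { real++ }
        $2 == "sufficient" && !seen { early++ }
        END {
            if (!seen)      print "MISSING"   # password is never registered
            else if (!real) print "NO_AUTH"   # nothing verifies the password
            else if (early) print "SKIPPED"   # stack can end before pam_smbpw
            else            print "OK"
        }' "$1")
    echo "$verdict"
    [ "$verdict" = "OK" ]
}

# Constructed sample: a login stack that keeps pam_unix ahead of pam_smbpw.
sample=$(mktemp)
cat > "$sample" <<'EOF'
auth       required	/lib/security/pam_securetty.so
auth       required	/lib/security/pam_unix.so
auth       required	/lib/security/pam_smbpw.so
account    required	/lib/security/pam_unix.so
EOF
check_pam_stack "$sample" || echo "fix the auth stack before deploying"
rm -f "$sample"
```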

Setting up under RH72 requires changing ??? in a heavy way....

Automount
=========

Add the following entry to /etc/auto.master:
/smbhome	/usr/sbin/smbautomount	--timeout 60

And restart.  simple :)

smbautomount
============
At the moment this is not configurable.  You have to compile it correctly
for your environment.  This will change one day and you will have to add
an entry to /etc/smbauto.conf or something.

Users
=====
Users should be created with home directories set to /smbhome/username.
This directory should not exist.  Instead they should have a directory
on another machine which is accessible via smb.

How it works
============

I will use a terminal login for this example but it is mostly the same
for all password protected services (ftp, telnet etc).

1.  User sees "login:" prompt
2.  User types in user name
3.  User sees "password:" prompt
4.  User types in password
5.  The login program asks PAM to do the authentication (auth).
6.  PAM checks your password with your first auth module.  Assume success
7.  PAM checks your password with your next auth modules.  Again assume success
8.  PAM checks your password with pam_smbpw...
9.  pam_smbpw connects via a unix socket to the smbpwman daemon.  Assume it is running.
10. pam_smbpw sends the username and the password to the smbpwman daemon.
11. pam_smbpw disconnects and returns success to PAM.
12. PAM account and sessions modules are executed.
13. At some stage, some process will attempt to access the user's home directory...
14. Automount is activated to mount the directory.  (assume it is not already mounted)
15. automount executes smbautomount to get the command to use for the mount. (assume success)
16. automount executes a mount command
17. mount invokes mount.smbfs
18. mount.smbfs connects via a unix socket to the smbpwman daemon.
19. mount.smbfs asks the daemon for the password
20. mount.smbfs uses the password to establish an SMB session with the server
21. smbfs is started which makes the smb files accessible via the filesystem
22. the original filesystem request succeeds.
23. The rest of the login procedure is the same as normal and the user gets their home dir.

Some of the steps above are not 100% true, but they give a fairly detailed
idea of what is going on.

Failure is also handled rather gracefully.
In step 6, if the password is incorrect then pam_smbpw (if activated) will not be
able to retrieve it and it will have nothing to send the daemon and will just ignore it.

In step 9, if the daemon is not running it will start it.  If it still can't connect
then it will give up and the password will not be registered.

In step 13, it is likely that a PAM module will stat or cd to the homedir.  This will
activate the automount.  If nothing does use the home directory then it does not matter.

In step 19, if there is no password for the user then the smb connection will fail.
This should not matter because if a user has logged in then the password will be
available.

