PAM and NT'ed Linux ..

Andrew Morgan morgan at transmeta.com
Thu Apr 30 18:23:32 GMT 1998


Luke Kenneth Casson Leighton writes:
> based on pam_unix, it would be identical to the login / logout system, but
> would potentially _change_ the username that the user actually logged in
> as.
> 
> e.g. from \\DOMAIN\lkcl to lkcl_dom (or just to guest or nobody)
> e.g. from Administrator to root
> 
> such that you do
> 
> Linux 2.0.30
> 
> regent login: Administrator
> Password: .....
> 
> Last Login: some_time_ago
> bash% whoami
> root
> bash%

This is not hard.  In fact, I think it is one of the things pam is
designed to make easy.

The pam notion of who is being authenticated is contained in the
PAM_USER item.  How this item is filled is something a module has a
lot of control over.  The default is for the application to supply
this value when you call pam_start, or for a module to make use of the
PAM_PROMPT item and call pam_get_user().  Alternatively, if your
module wants to explicitly prompt for:

	login: me
	domain [default=here]: there
	password: XXXX

and then translate the me/there combination into a local (UNIX)
username with the appropriate credentials, it can.  All it does is
pam_set_item(..PAM_USER...) with the appropriate UNIX username.  It
can then verify that XXXX is the right password for the user and return
success or failure as appropriate.

With "correctly" PAMified applications, this will likely "just work".
You may have problems with things like ftpd and popd whose protocols
are so restrictive that they don't support arbitrary user prompting...
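The name-translation step Andrew describes (turn a DOMAIN\user pair into the local UNIX account that the module then hands to pam_set_item(..PAM_USER...)) is the part worth getting right, since a sloppy mapping is exactly what would let an unknown NT name land on root. The following is an added example written for this archive page, not code from Andrew, Luke, or the pam_unix module; the map table, the default domain "DOMAIN", the fallback account "nobody" and the function names are all constructed assumptions. The libpam glue (a pam_sm_authenticate that calls pam_get_user, then this mapper, then pam_set_item) is left out so the file compiles without the PAM headers; the mapping itself is what the example demonstrates.

```c
/* Added example: translate an NT-style login ("\\DOMAIN\user", "DOMAIN\user"
 * or bare "user") into a local UNIX username, the way a PAM module would
 * before calling pam_set_item(pamh, PAM_USER, unix_name).
 * Anything that is not explicitly listed falls back to a low-privilege
 * account, so an unmapped or malformed NT name can never become root. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One row of the (constructed, hypothetical) NT-to-UNIX account map. */
struct account_map {
    const char *domain;    /* NT domain the entry applies to */
    const char *nt_user;   /* account name as typed at the NT-style prompt */
    const char *unix_user; /* local UNIX account to hand to PAM_USER */
};

static const struct account_map account_table[] = {
    { "DOMAIN", "Administrator", "root"     },
    { "DOMAIN", "lkcl",          "lkcl_dom" },
};

/* Assumed fallback: an unprivileged local account for everything unmapped. */
#define FALLBACK_USER "nobody"

/* Case-insensitive equality, because NT account and domain names are
 * case-insensitive while UNIX names are not. */
static int ci_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Split the login into domain and user. A bare user name gets default_domain.
 * Returns 0 for malformed input: empty parts, oversized parts, or a user part
 * that still contains a separator (e.g. "DOMAIN\a\b"). */
static int split_nt_name(const char *login, const char *default_domain,
                         char *domain, size_t dlen, char *user, size_t ulen)
{
    while (*login == '\\')          /* tolerate the leading "\\" of \\DOMAIN\user */
        login++;

    const char *sep = strchr(login, '\\');
    const char *dom = default_domain;
    size_t domlen = strlen(default_domain);
    const char *usr = login;

    if (sep) {
        dom = login;
        domlen = (size_t)(sep - login);
        usr = sep + 1;
    }
    size_t usrlen = strlen(usr);

    if (domlen == 0 || usrlen == 0 || domlen >= dlen || usrlen >= ulen)
        return 0;
    if (strchr(usr, '\\') || strchr(usr, '/'))
        return 0;

    memcpy(domain, dom, domlen); domain[domlen] = '\0';
    memcpy(user, usr, usrlen);   user[usrlen] = '\0';
    return 1;
}

/* Return the local UNIX username for an NT-style login. Only an exact
 * (domain, user) hit in the table yields a mapped account; a different
 * domain, an unknown user, or garbage all yield FALLBACK_USER. */
const char *map_nt_to_unix(const char *login, const char *default_domain)
{
    char domain[64], user[64];

    if (!split_nt_name(login, default_domain, domain, sizeof domain,
                       user, sizeof user))
        return FALLBACK_USER;

    for (size_t i = 0; i < sizeof account_table / sizeof account_table[0]; i++)
        if (ci_equal(domain, account_table[i].domain) &&
            ci_equal(user, account_table[i].nt_user))
            return account_table[i].unix_user;

    return FALLBACK_USER;
}

int main(void)
{
    /* Constructed sample logins, including the two from Luke's message. */
    const char *samples[] = {
        "Administrator", "\\\\DOMAIN\\lkcl", "OTHER\\Administrator",
        "DOMAIN\\a\\b", "\\\\",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s -> %s\n", samples[i], map_nt_to_unix(samples[i], "DOMAIN"));
    return 0;
}
```

The point of the table-plus-fallback shape is that the privileged mapping (Administrator to root) is only reachable through one explicit row tied to one domain; Administrator from any other domain, or a name the prompt handler could not parse cleanly, ends up as nobody rather than as a best-effort guess. In a real module the caller would still verify the password for the mapped UNIX user before returning PAM_SUCCESS, as Andrew says.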

Cheers

Andrew
