Samba PDC as a password server

Luke Kenneth Casson Leighton lkcl at regent.push.net
Tue May 5 09:58:16 GMT 1998


On Sat, 2 May 1998, Stephen Langasek wrote:

> On Fri, 1 May 1998, Luke Kenneth Casson Leighton wrote:
> 
> > On Thu, 30 Apr 1998, Dana Canfield wrote:
> > 
> > > scheme. The only "tidy" solution I can think of that might keep
> > > overhead low is to create some kind of "pam_smbdb".  This would work
> > > just like pam_pwdb, but would work with NT-style encryption, meaning
> > > you could yank out /etc/passwd and replace it with the contents of
> > > smbpasswd.
> 
> > oo.  that would do it.
> 
> This sounds a bit like a module I've been (sporadically) working on,
> called pam_smbpass.  This module is intended to be usable for both
> password changes and authentication against an /etc/smbpasswd-type
> local database file.  The password updates work fine, and I've been using
> it for a while now to keep passwords synched between the unix & smb
> databases, although I ran into a problem when I looked into stripping out
> all other authentication code from samba in favor of a pure PAM interface:
> since not even the version of the password as stored in the smbpasswd file
> is available to the server in a network transaction, the module has to be
> able to take the doubly-encrypted password and the original salt,
> re-encrypt the password from the database, and spit back a yes or no at
> the application.  It's straightforward to fix, I just haven't gotten
> around to doing it yet...
> 
> The current version is available at ftp://ftp.netexpress.net/pub/pam, for
> those who are interested.  Hopefully it'll save someone out there some
> duplication of effort. :)

yes it surely will.

stephen,  got a couple of things to say:

1) we've added some extra fields to the end of the smbpasswd file entries: 
it might be worthwhile grabbing the latest samba smbpass.c code to make
sure that it reads in according to the latest format

2) we intend to put a read-only dbm cache into smbpasswd, where updates
from mod_smbpwd_entry re-generate the dbm files from the
(just modified) private/smbpasswd file.  this will drastically improve
performance for large numbers of users.  i hope.

3) we intend to add compile-time options to read different back-end
databases (e.g. ldap, bruce's home-grown database system :-).  therefore it
would be sensible for us all to use the same API.

4) can i check in the latest copy of your code into samba's cvs
repository?  would you like to maintain it from there if i get permission
for you to do so?

luke (samba team)
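
Point 1 above, as an added example that is not part of the original message and is not Samba's smbpass.c: a line reader that keeps working when fields are appended to an entry. It assumes the first four colon-separated fields are name, uid, LM hash and NT hash, marks a hash unusable unless it is exactly 32 hex digits, and counts trailing fields without interpreting them. The struct, function names and sample lines are constructed for illustration.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#define HASH_HEX 32                 /* 16-byte hash written as hex digits */
struct smb_entry {
    char name[64];
    long uid;
    char lm[HASH_HEX + 1], nt[HASH_HEX + 1];
    int  lm_set, nt_set;            /* 0: field is not a usable hash */
    int  n_extra;                   /* trailing fields, counted not interpreted */
};
/* Constructed sample lines: made-up accounts, hashes and extra fields. */
static const char OLD_LINE[] = "alice:1001:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:\n";
static const char NEW_LINE[] = "bob:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0123456789abcdef0123456789abcdef:extra1:extra2:\n";

static int copy_hash(char *dst, const char *s, size_t len)
{
    if (len != HASH_HEX) return 0;
    for (size_t i = 0; i < len; i++)
        if (!isxdigit((unsigned char)s[i])) return 0;
    memcpy(dst, s, len);            /* dst is pre-zeroed, so it stays terminated */
    return 1;
}

/* Returns 0 = parsed, 1 = comment or blank line, -1 = malformed. */
int parse_smbpasswd_line(const char *line, struct smb_entry *e)
{
    const char *f[4], *p = line;
    size_t flen[4];
    memset(e, 0, sizeof *e);
    if (*p == '#' || *p == '\0' || *p == '\r' || *p == '\n') return 1;
    for (int i = 0; i < 4; i++) {   /* name, uid, LM hash, NT hash */
        f[i] = p;
        flen[i] = strcspn(p, ":\r\n");
        p += flen[i];
        if (*p == ':') p++;
        else if (i < 3) return -1;  /* line ended before the NT hash field */
    }
    if (flen[0] == 0 || flen[0] >= sizeof e->name) return -1;
    memcpy(e->name, f[0], flen[0]);
    if (flen[1] == 0 || strspn(f[1], "0123456789") != flen[1]) return -1;
    e->uid = strtol(f[1], NULL, 10);
    e->lm_set = copy_hash(e->lm, f[2], flen[2]);
    e->nt_set = copy_hash(e->nt, f[3], flen[3]);
    while (*p && *p != '\r' && *p != '\n') {   /* fields added by later formats */
        size_t n = strcspn(p, ":\r\n");
        e->n_extra += (n > 0);
        p += n + (p[n] == ':');
    }
    return 0;
}
```

A caller doing authentication should refuse the login when the hash it needs has its `*_set` flag at 0, so a placeholder or truncated field never compares as a valid password.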



