PAM-NTDOM: Compile Errors

Paul J Collins pjdc at eircom.net
Sat Jul 8 23:39:52 GMT 2000


>>>>> "Gerald" == Gerald Carter <gcarter at valinux.com> writes:

    Gerald> Paul J Collins wrote:
    >> 
    >> You're not turning your machine into a server.  
    >> All NT boxes (Workstations and Servers) run NETLOGON.EXE 
    >> as a service that WINLOGON.EXE (in conjunction 
    >> with MSGINA.DLL) communicates with when you log on to 
    >> a domain.

    Gerald> MSGINA is for graphical logons and has no relevance 
    Gerald> here.  And as for comparing to the NetLogon service

In this scenario, login is similar to WINLOGON.EXE, the PAM modules
are similar to MSGINA.DLL and the two TNG daemons lsarpcd and
netlogond are similar to LSASS.EXE and NETLOGON.EXE.

WINLOGON.EXE is the part that manages starting the user session;
Yes, MSGINA.DLL handles the dialog, but it does the talking to the
security sub-system also.  Saying that MSGINA.DLL applies only to
graphical logins is incorrect.

    Gerald> on an NT box, my UNIX box was not an NT box and I 
    Gerald> don't want it to be.  

Fine, but the architecture of NT's security systems is not
automatically bad and invalid, just because it happens to belong to
NT.

    Gerald> Luke and I have gone wrong the discussion before.
    Gerald> UNIX is not NT period.

NT and Unix have many features in common; too many to list here.  They
also have plenty of differences.  Not everything in Unix is good, and
not everything in NT is bad.  Very general, I know, but so was your
statement.

    >> Complaining about having to run netlogond to log on to 
    >> an NT domain is like complaining about having to run 
    >> ypbind to log on to an NIS domain.

    Gerald> I'm sorry Paul.  I understand your argument, but 
    Gerald> I disagree, and I seriously doubt you will change 
    Gerald> my mind.  No offense mind you.

I am not attempting to do so; the only person who can change your mind
is you.  All that other people can do is provide information.

    Gerald> If you didn't need netlogond and lsarpcd before, 
    Gerald> someone give me a **technical** reason why you 
    Gerald> need them now.

I'm sure Luke could do that; I know very little about pam_ntdom.

    >> In addition, netlogond is around 119K in size on my 
    >> box.  Do you really want a pam module of that size 
    >> being loaded for every login?

    Gerald> The fact is that you have not changed the way 
    Gerald> administrators are used to dealing with pam modules.

Looks like administrators will have to learn something new, something
they do every day of their lives.

    Gerald> If pam_ntdom was an isolated piece of software in a 
    Gerald> vacuum with no history of how it should be configured, 

When you say "isolated piece of software in a vacuum", do you mean
with respect to previous versions of pam_ntdom, or PAM modules in
general?

PAM is a tool; in this case it's being used to hook up a stub that
talks to a couple of daemons implementing NT-style domain security.
People do new things with old tools all the time.

    Gerald> then I could care less what dependencies you throw 
    Gerald> on it.  If you can name one other widely used PAM 
    Gerald> module that requires this type of setup, I will 
    Gerald> change my mind.

Indirectly, via whichever pam module checks the password; if you use
nis via nss, then ypbind has to be running for the NIS domain to be
contacted.  I don't believe that an administrator used to running NIS
would be overly concerned that connecting to an NT domain requires a
daemon or two.

    Gerald> And speaking of the size, this argument should be 
    Gerald> irrelevant considering modern VMM systems.

My point regarding size was that I was under the impression that
things such as PAM modules should be kept as small as possible in
order to facilitate security auditing.  I know that the 119K chunk of
code is still involved, but at least now it is in a separate process
and connected to PAM only by an RPC pipe that uses reasonably
well-defined message formats.

Paul.

-- 
Paul Collins <pjdc at eircom.net> - - - - - - - [ A&P,a&f ]
 GPG: 0A49 49A9 2932 0EE5 89B2  9EE0 3B65 7154 8131 1BCD
 PGP: 88BA 2393 8E3C CECF E43A  44B4 0766 DD71 04E5 962C
"Where?  Where is the town?  Now it's nothing but flowers!"
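The design point Paul makes at the end (keep the part loaded into the login process small, put the bulk of the logic in a separate daemon, and connect the two only through a pipe with a well-defined message format) is illustrated below. This is an added example, not code from pam_ntdom, Samba TNG or any poster; the framing (a `NTDM` magic marker, a version field, a length prefix, three length-prefixed fields and a 256-byte field bound) is assumed purely for illustration and is not the real pam_ntdom wire format.

```python
"""Stub/daemon split: the stub only marshals a request; the daemon owns
strict parsing of the message format.  Constructed example, not pam_ntdom."""
import struct

MAGIC = b"NTDM"                    # assumed marker, not a real pam_ntdom value
VERSION = 1                        # assumed protocol version
MAX_FIELD = 256                    # assumed upper bound on any single field
HEADER = struct.Struct("!4sHI")    # magic, version, payload length


class ProtocolError(Exception):
    """Raised by the daemon side for any message that does not match the format."""


def encode_field(value: bytes) -> bytes:
    # Length-prefixed field; the stub refuses to build oversized messages.
    if len(value) > MAX_FIELD:
        raise ValueError("field too long")
    return struct.pack("!H", len(value)) + value


def build_request(domain: bytes, user: bytes, password: bytes) -> bytes:
    """Client stub (the part that would live in the PAM module): marshal only."""
    payload = b"".join(encode_field(f) for f in (domain, user, password))
    return HEADER.pack(MAGIC, VERSION, len(payload)) + payload


def parse_request(data: bytes) -> dict:
    """Daemon side: every bound is checked before any byte is trusted."""
    if len(data) < HEADER.size:
        raise ProtocolError("short header")
    magic, version, length = HEADER.unpack_from(data, 0)
    if magic != MAGIC:
        raise ProtocolError("bad magic")
    if version != VERSION:
        raise ProtocolError(f"unsupported version {version}")
    payload = data[HEADER.size:]
    if len(payload) != length:
        raise ProtocolError("length mismatch")

    fields = []
    off = 0
    for _ in range(3):                       # exactly three fields expected
        if off + 2 > len(payload):
            raise ProtocolError("truncated field length")
        (flen,) = struct.unpack_from("!H", payload, off)
        off += 2
        if flen > MAX_FIELD or off + flen > len(payload):
            raise ProtocolError("bad field length")
        fields.append(payload[off:off + flen])
        off += flen
    if off != len(payload):
        raise ProtocolError("trailing bytes")

    domain, user, password = fields
    return {"domain": domain, "user": user, "password": password}


if __name__ == "__main__":
    # Constructed sample exchange: stub builds, daemon parses.
    msg = build_request(b"EXAMPLE", b"alice", b"hunter2")
    print(parse_request(msg))
    try:
        parse_request(msg[:-1])              # truncated on the wire
    except ProtocolError as e:
        print("rejected:", e)
```

The point of the split is that `build_request` is the only code that would run inside every login process, while all of the parsing and validation sits in `parse_request` on the daemon side, where it can be audited and replaced independently of PAM.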