Samba and PAM [ Re: VFS Implementation and user authenticatio n ]

Mayers, Philip J p.mayers at
Thu Sep 21 18:11:39 GMT 2000

You're talking about pluggable non-password (token) authentication modules.
Cyrus SASL is one, PAM with binary prompts (see Nico's recent posts on such,
on the -technical mailing list).

There *is* a good reason to go for this: NTLM authentication is available to
any application using the SSPI on Win32. There are other examples -
Exchange's IMAP support has an "AUTH=NTLM" option, and IIS and IE5 can do
NTLM HTTP authentication. All of these are useful to have in some way.

Taking SASL as my hypothetical example - you maintain a secret's database
(which the application itself can manage, and soon application such as LDAP
servers will be able to "publish" secret to other SASL apps on the
system...). The SASL library implements a token-exchange mechanism by
calling application callbacks. The backend plugins take care of all of the

For example, let's say Apache was patched to support SASL (providing PLAIN
and DIGEST-MD5 auth). Someone writes an NTLM authentication plugin, and this
is installed on the client and server. All of a sudden, NTLM auth magically
becomes available to any client and/or server on the system.

If you're implementing a shared secret backend, the (hypothetical) IMAP/SMTP
and TELNET servers on the machine also suddenly gain NTLM auth as well. This
is obviously very good indeed.

SASL lacks the policy support that PAM has, while PAM lacks everything other
than plaintext checking (at present). Nico want's to add a client-side
portion to the PAM library, and add binary prompt callbacks. The same end
could (I suspect) be achieved by either adding policy modules to Cyrus SASL
or re-using the PAM ones, calling PAM in the appropriate places with the
appropriate values.


| Phil Mayers, Network Support     |
| Centre for Computing Services    |
| Imperial College                 |

-----Original Message-----
From: Steve Langasek [mailto:vorlon at]
Sent: 21 September 2000 16:22
To: David Lee
Cc: samba-technical at
Subject: Re: Samba and PAM [ Re: VFS Implementation and user
authentication ]

> It still seems to me that it would be useful for Samba to be able to use 
> PAM to authenticate NT clients.

How do you foresee this being useful?  There are two main benefits of
PAMifying an application, as I understand it:  the first is to be able to
reuse the authentication code across applications without modification; the
second is to be able to administratively reconfigure an application's
authentication mechanism without recompiling.  But the first is not relevant
because a PAM module designed to do NTLM challenge-response would not be
useful for any other existing Unix apps, because no other apps use Samba's
specialized protocol, and the second is not relevant because NTLM
challenge-response is the only real auth option we have in Samba.  Of
course, there may be other advantages that I'm not seeing, and if so I'd be
happy to be enlightened.

More information about the samba-ntdom mailing list