Samba as PDC with PAM?

Scott Copus Scott.Copus at wku.edu
Fri Oct 26 09:29:02 GMT 2001


Using Samba 2.2.2 on a RedHat 7.1 system.

I have read through the Samba 2.2 PDC FAQ and HOWTO,
but I'm still trying to find out if it's *possible* to use Samba
as a PDC along with PAM... while using encrypted passwords
too (being a requirement for a PDC)..........       ????

What I want to do is have several hundred Windows 98 (and
newer Windows too) be able to authenticate against a Samba
PDC.  But the Samba server must authenticate with a user
database that is on a remote Oracle SQL server.  I would like
to use PAM for this to create my own pam module to talk to
the remote SQL database.  I know of the PAM restrictions
concerning the "LANMAN" password challenge/response scheme.
HOWEVER, I am able to retrieve the password from the
remote SQL database as _plain text_.

If I have the above scenario, shouldn't I really be able to use
PAM on a Samba PDC if there were some way to check
the encrypted password that is passed to the pam module,
and the pam module retrieve the plain-text password from
the remote SQL database and run the same encryption
scheme on the plain-text password and then finally compare
the two encrypted passwords?    If not, got any ideas?

Also, a colleague and I have tried compiling Samba 2.2.2
with both "-with-pam" and "-with-pam_smbpass" and setting
up a single Win98 client to connect to our test domain.  If you
configure Samba with PAM, does Samba have nothing to
do with the /etc/pam.d/samba file?   Because if I change
the file to "pam_deny" for everything, I can still login.  I can't
find any helpful documentation on what _exactly_ happens
when those options are compiled in.  Can someone explain?

Also, when I compile Samba 2.2.2 with "pam_smbpass", make
will create the "pam_smbpass.so" file.  However, if I delete all
instances of that file from my system, I would think that Samba
would not allow any login access, since that file no longer exists.
But that's not the case.  Does Samba fall back to using the internal
"smbpasswd" file for some reason?  Any way to turn that off?

thanx!
Scott
