Samba PDC as a password server
Luke Kenneth Casson Leighton
lkcl at regent.push.net
Tue May 5 09:58:16 GMT 1998
On Sat, 2 May 1998, Stephen Langasek wrote:
> On Fri, 1 May 1998, Luke Kenneth Casson Leighton wrote:
> > On Thu, 30 Apr 1998, Dana Canfield wrote:
> > > scheme. The only "tidy" solution I can think of that might keep
> > > overhead low is to create some kind of "pam_smbdb". This would work
> > > just like pam_pwdb, but would work with NT-style encryption, meaning
> > > you could yank out /etc/passwd and replace it with the contents of
> > > smbpasswd.
> > oo. that would do it.
> This sounds a bit like a module I've been (sporadically) working on,
> called pam_smbpass. This module is intended to be usable for both
> password changes and authentication against an /etc/smbpasswd-type
> local database file. The password updates work fine, and I've been using
> it for a while now to keep passwords synched between the unix & smb
> databases, although I ran into a problem when I looked into stripping out
> all other authentication code from samba in favor of a pure PAM interface:
> since not even the version of the password as stored in the smbpasswd file
> is available to the server in a network transaction, the module has to be
> able to take the doubly-encrypted password and the original salt,
> re-encrypt the password from the database, and spit back a yes or no at
> the application. It's straightforward to fix, I just haven't gotten
> around to doing it yet...
> The current version is available at ftp://ftp.netexpress.net/pub/pam, for
> those who are interested. Hopefully it'll save someone out there some
> duplication of effort. :)
yes it surely will.
stephen, got a couple of things to say:
1) we've added some extra fields to the end of the smbpasswd file entries:
it might be worthwhile grabbing the latest samba smbpass.c code to make
sure that it reads in according to the latest format
2) we intend to put a read-only dbm cache into smbpasswd, where updates
from mod_smbpwd_entry re-generate the dbm files from the
(just modified) private/smbpasswd file. this will drastically improve
performance for large numbers of users. i hope.
3) we intend to add compile-time options to read different back-end
databases (e.g. ldap, bruce's home-grown database system :-). therefore it
would be sensible for us all to use the same API.
4) can i check in the latest copy of your code into samba's cvs
repository? would you like to maintain it from there if i get permission
for you to do so?
luke (samba team)
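
[Added example, not part of the original message and not code from pam_smbpass or Samba.] A sketch of the check Stephen describes: the verifier never sees the stored hash on the wire, so it recomputes the response from its own database entry plus the challenge and answers yes or no. Assumptions: the field layout (name:uid:LM hash:NT hash, then optional trailing fields), all function names, and HMAC-SHA256 standing in for the DES-based SMB response function.

```python
import hashlib
import hmac

# Constructed sample database. The field layout is an assumption:
# name:uid:LM hash:NT hash, followed by optional trailing fields.
SAMPLE_DB = """\
alice:1001:00112233445566778899AABBCCDDEEFF:0F1E2D3C4B5A69788796A5B4C3D2E1F0:[U          ]:LCT-354EB4A8:
bob:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:
"""

def parse_db(text):
    """Return {username: 16-byte NT hash or None}; extra trailing fields are ignored."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue  # malformed entry: skip rather than guess
        name, nt_hex = fields[0], fields[3]
        try:
            nt = bytes.fromhex(nt_hex)
        except ValueError:
            nt = None  # non-hex placeholder: no usable password
        users[name] = nt if nt and len(nt) == 16 else None
    return users

def response(stored_hash, challenge):
    """Stand-in response function (assumption): HMAC-SHA256 keyed with the
    stored hash. The real SMB function is DES-based."""
    return hmac.new(stored_hash, challenge, hashlib.sha256).digest()

def verify(users, name, challenge, client_response):
    """Recompute the response from the database entry and answer yes or no."""
    stored = users.get(name)
    # Always do the computation, with a dummy key for unknown or
    # passwordless accounts, so the two paths do similar work.
    expected = response(stored or b"\x00" * 16, challenge)
    ok = hmac.compare_digest(expected, client_response)
    return ok and stored is not None

if __name__ == "__main__":
    db = parse_db(SAMPLE_DB)
    challenge = bytes(range(8))  # constructed 8-byte challenge
    print(verify(db, "alice", challenge, response(db["alice"], challenge)))
```
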