Alternate authenticator

David Champion dgc at uchicago.edu
Mon Apr 10 00:05:06 GMT 2000


We have a local need to authenticate samba clients against an external
database.  Our application's goal is to use the passwords already in
this database to authenticate SMB connections, so that we don't create
a new password, and we don't have to dump and hash periodically.

Looking at the code, it seems that the only option samba currently
gives is to store relevant fields (including a hash) into some
directory -- NIS+, LDAP, etc., or some similar structure.  I'd prefer
not to do this, because it would mean either creating a second password
(seeded with the first), or having to create some other tool to
(periodically or on the fly) convert changed passwords in the external
database into NT/LM hashes in the external database.

I would rather put code for realtime, external authentication into
samba, and add hashing code to the database to authenticate from an
incoming hash.

Here's the question: I can't tell what the best place is in the samba
code to insert calls to the external authenticator.  If the external
authentication succeeds, it should cause a bypass of the usual
directory-oriented hash lookups in passdb/*.c.  I essentially want to
pass the incoming password data, or a hash of it, to the external
database and have it return a result.

Any pointers?  Thanks.

I'm working from 2.0.6 code, but I can upgrade if that's helpful.

--
-D. dgc at uchicago.edu    "The beaver's powerful jaws are capable of felling
    ENSA FORCE/		 blue spruce in less than ten minutes and proved,
      TEAM NETSEC	 needless to say, more than a match for the tender
    U of Ill, Hyde Park	 limbs of America's favorite homemaker."

