Win2k & Samba compatibility?

Wed Feb 9 15:15:28 GMT 2000

On Mon, 7 Feb 2000 jeremy at valinux.com wrote:
> 
> Well, I intend to add kerb5 support as soon as we get significant
> user demand for it. I'm trying not to get onto the Microsoft
> treadmill of adding new stuff to keep up with Windows - that
> way lies an endless sprint to keep up :-).
> 
> I expect to get demand for kerb5 as it's such an improved
> authentication method - but not for a few months yet. 
> This should give us time to add *our* improved stuff - like 
> NT printer driver downloads, Tim's VFS, Luke's advanced domain
> stuff -  into the "stable" source \branch.
> 
> Cheers,
> 
> 	Jeremy.
> 

Adding support for kerb5 on platforms that support PAM should actually
be just a few lines as long as the machine's PAM configuration is
working.

We are using Samba (on Solaris 2.6) as an gateway to our AFS file
space.  By using PAM we are able to compile Samba without having to 
link in the AFS libraries from Transarc that would be required to
do authenticate with AFS's KDC.  Instead we just link with --with-pam
option.

Here are the following modifications to support Kerberos authentication.

  Modify the function pam_auth in passdb/pass_check.c  Add these two lines

      pam_error = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
      PAM_BAIL;

  just before the function call pam_end at the end of the pam_auth function

  Since we are working with AFS we should also discard the AFS token when
  the smbd closes the connection with the client.  Hence the other
  modification is to the server_exit function add these lines just below
  the ifdef for WITH_DFS.

      #ifdef WITH_PAM
               DEBUG(1, ("calling Transarc unlog...\n"));
               system("/usr/afsws/bin/unlog");
      #endif

--
Terry McCoy                             email:  terry at nd.edu
Sr Systems Engineer                     phone:  (219) 631-4274
Enterprise Systems Software
Office of Information Technologies
University of Notre Dame