Win2k & Samba compatibility?
Terry McCoy
terry at nd.edu
Wed Feb 9 15:15:28 GMT 2000
On Mon, 7 Feb 2000 jeremy at valinux.com wrote:
>
> Well, I intend to add kerb5 support as soon as we get significant
> user demand for it. I'm trying not to get onto the Microsoft
> treadmill of adding new stuff to keep up with Windows - that
> way lies an endless sprint to keep up :-).
>
> I expect to get demand for kerb5 as it's such an improved
> authentication method - but not for a few months yet.
> This should give us time to add *our* improved stuff - like
> NT printer driver downloads, Tim's VFS, Luke's advanced domain
> stuff - into the "stable" source \branch.
>
> Cheers,
>
> Jeremy.
>
Adding support for kerb5 on platforms that support PAM should actually
be just a few lines as long as the machine's PAM configuration is
working.
We are using Samba (on Solaris 2.6) as an gateway to our AFS file
space. By using PAM we are able to compile Samba without having to
link in the AFS libraries from Transarc that would be required to
do authenticate with AFS's KDC. Instead we just link with --with-pam
option.
Here are the following modifications to support Kerberos authentication.
Modify the function pam_auth in passdb/pass_check.c Add these two lines
pam_error = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
PAM_BAIL;
just before the function call pam_end at the end of the pam_auth function
Since we are working with AFS we should also discard the AFS token when
the smbd closes the connection with the client. Hence the other
modification is to the server_exit function add these lines just below
the ifdef for WITH_DFS.
#ifdef WITH_PAM
DEBUG(1, ("calling Transarc unlog...\n"));
system("/usr/afsws/bin/unlog");
#endif
--
Terry McCoy email: terry at nd.edu
Sr Systems Engineer phone: (219) 631-4274
Enterprise Systems Software
Office of Information Technologies
University of Notre Dame
More information about the samba-technical
mailing list