Win2k & Samba compatibility?

Steve Langasek vorlon at netexpress.net
Wed Feb 9 16:53:30 GMT 2000 

On Thu, 10 Feb 2000, Terry McCoy wrote:

> Adding support for kerb5 on platforms that support PAM should actually
> be just a few lines as long as the machine's PAM configuration is
> working.

Proper kerberization of a network application involves more than simply
passing a cleartext password back to a PAM module for verification against a
KDC.  Doing as you describe would allow Samba to authenticate a Kerberos
domain controller, but it would not allow Kerberos authentication between the
client and server, which is what is required for Win2K compatibility.

However, your modifications are certainly interesting:

> We are using Samba (on Solaris 2.6) as an gateway to our AFS file
> space.  By using PAM we are able to compile Samba without having to 
> link in the AFS libraries from Transarc that would be required to
> do authenticate with AFS's KDC.  Instead we just link with --with-pam
> option.

I know some of the people who were working on a similar project at Iowa State.
However, I was never privy to the details, as the comp center has Policies
regarding source code. :)

> Here are the following modifications to support Kerberos authentication.

>   Modify the function pam_auth in passdb/pass_check.c  Add these two lines

>       pam_error = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
>       PAM_BAIL;

This would, of course, not work if you were using encrypted passwords on your
network; but then, unless you're using plaintext passwords, the server has no
hope of retrieving an AFS token anyway...

>   just before the function call pam_end at the end of the pam_auth function

>   Since we are working with AFS we should also discard the AFS token when
>   the smbd closes the connection with the client.  Hence the other
>   modification is to the server_exit function add these lines just below
>   the ifdef for WITH_DFS.

>       #ifdef WITH_PAM
>                DEBUG(1, ("calling Transarc unlog...\n"));
>                system("/usr/afsws/bin/unlog");
>       #endif

A cleaner, more generic way to do this is by calling

	pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT);

at this point in the code.  Alternatively, if using pam_afstok (I assume
that's the module you're using?) in session mode, the calls would become
pam_open_session and pam_close_session.. of course, this behavior is
deprecated, but it may be useful to have both calls present?

Steve Langasek
postmodern programmer

More information about the samba-technical mailing list