Win2k & Samba compatibility?
Steve Langasek
vorlon at netexpress.net
Wed Feb 9 16:53:30 GMT 2000
On Thu, 10 Feb 2000, Terry McCoy wrote:
> Adding support for kerb5 on platforms that support PAM should actually
> be just a few lines as long as the machine's PAM configuration is
> working.
Proper kerberization of a network application involves more than simply
passing a cleartext password back to a PAM module for verification against a
KDC. Doing as you describe would allow Samba to authenticate a Kerberos
domain controller, but it would not allow Kerberos authentication between the
client and server, which is what is required for Win2K compatibility.
However, your modifications are certainly interesting:
> We are using Samba (on Solaris 2.6) as an gateway to our AFS file
> space. By using PAM we are able to compile Samba without having to
> link in the AFS libraries from Transarc that would be required to
> do authenticate with AFS's KDC. Instead we just link with --with-pam
> option.
I know some of the people who were working on a similar project at Iowa State.
However, I was never privy to the details, as the comp center has Policies
regarding source code. :)
> Here are the following modifications to support Kerberos authentication.
> Modify the function pam_auth in passdb/pass_check.c Add these two lines
> pam_error = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
> PAM_BAIL;
This would, of course, not work if you were using encrypted passwords on your
network; but then, unless you're using plaintext passwords, the server has no
hope of retrieving an AFS token anyway...
> just before the function call pam_end at the end of the pam_auth function
> Since we are working with AFS we should also discard the AFS token when
> the smbd closes the connection with the client. Hence the other
> modification is to the server_exit function add these lines just below
> the ifdef for WITH_DFS.
> #ifdef WITH_PAM
> DEBUG(1, ("calling Transarc unlog...\n"));
> system("/usr/afsws/bin/unlog");
> #endif
A cleaner, more generic way to do this is by calling
pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT);
at this point in the code. Alternatively, if using pam_afstok (I assume
that's the module you're using?) in session mode, the calls would become
pam_open_session and pam_close_session.. of course, this behavior is
deprecated, but it may be useful to have both calls present?
Steve Langasek
postmodern programmer
More information about the samba-technical
mailing list