Samba & Unix users sync

Steve Langasek vorlon at
Wed Jul 19 22:54:46 GMT 2000

On Wed, 19 Jul 2000, Christopher R. Hertel wrote:

> > Ummmm.... PAM is an open standard defined by an rfc? A pam module should
> > be able to be compiled and installed on any PAM based system?

> I think (but I'm not sure) that the available PAM libraries are BSD
> licensed.  Samba (and, therefore, code derived from Samba) is GPL
> licensed.  

This would be rather ironic, as Linux-PAM currently depends heavily on GNU
make and gcc.

No, Linux-PAM is available under either the GPL or the BSD-style license.  If
Solaris makes the source to their PAM implementation available, I'm not aware
of it.

> Writing a PAM module under the GPL and running it from a BSD
> licenced PAM system means that the user is breaking the terms of the GPL. 

Not at all.  The BSD license allows you to do anything you want to with the
code (including re-releasing it under the GPL), and the GPL only comes into
play when you intend to redistribute -- it places no limitations on what you
can do with the software on your own machine.  A /user/ can never violate the
GPL, because the GPL is not a license for use of the product.

Incidentally, to pick up a comment from the beginning of this thread:

> I believe that the problem is in the password hashes.  The smbpasswd file
> contains the Microsoft hash of the password, as opposed to the Unix
> hash.  Since it should be impossible to generate the original password
> from the hash, both sets of data are required if you still have Windows
> servers on your network.

> There are some things in the works that will allow you to use the Windows
> password for Unix login, if your Unix systems support nsswitch.

nsswitch is never sufficient for this.  nsswitch allows you to specify the
source for various system config files, including your password file, but the
data returned by getpwnam() is still expected to be valid Unix data -- which
means that a password field retrieved from an NT server via winbind will still
be treated as a crypt()ed password.  For support of different *authentication*
methods (as opposed to crypt(passwd, salt)), you'll still need PAM.

Steve Langasek
postmodern programmer
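
Added example, not part of the original post and not Samba or Linux-PAM code: the getpwnam()/crypt() point above, as a C check that classifies a pw_passwd field and reports whether a crypt(passwd, salt) comparison against it can ever succeed. All function and enum names are hypothetical, the sample fields are constructed, and the 32-hex-character form stands in for an NT hash delivered through a non-Unix nsswitch source.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; this is an audit sketch, not Samba or PAM code. */
enum field_kind { F_EMPTY, F_PLACEHOLDER, F_DES_CRYPT, F_MODULAR_CRYPT,
                  F_NT_HASH_LIKE, F_UNKNOWN };

static const char CRYPT64[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* True when every character of s is drawn from set. */
static int all_in(const char *s, const char *set)
{
    return s[strspn(s, set)] == '\0';
}

/* Classify the pw_passwd string a getpwnam() caller would receive. */
enum field_kind classify_pw_field(const char *f)
{
    size_t n = strlen(f);
    if (n == 0) return F_EMPTY;                       /* no password set */
    if (!strcmp(f, "x") || f[0] == '*' || f[0] == '!')
        return F_PLACEHOLDER;                         /* shadowed or locked */
    if (f[0] == '$' && strchr(f + 1, '$'))
        return F_MODULAR_CRYPT;                       /* $id$salt$hash */
    if (n == 13 && all_in(f, CRYPT64))
        return F_DES_CRYPT;                           /* 2-char salt + 11-char hash */
    if (n == 32 && all_in(f, "0123456789abcdefABCDEF"))
        return F_NT_HASH_LIKE;                        /* 16 bytes written as hex */
    return F_UNKNOWN;
}

/* Can strcmp(crypt(typed, f), f) == 0 hold for some typed password?
 * Only if f is itself crypt() output. A 32-hex-character field is not:
 * traditional crypt() returns 13 characters, so the compare always fails. */
int crypt_compare_can_match(const char *f)
{
    enum field_kind k = classify_pw_field(f);
    return k == F_DES_CRYPT || k == F_MODULAR_CRYPT;
}

int main(void)
{
    /* Constructed sample fields, not real hashes. */
    const char *samples[] = { "abJnggxhB/yWI", "$1$saltsalt$abcdefghijklmnopqrstuv",
                              "0123456789ABCDEF0123456789ABCDEF", "x" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-34s kind=%d crypt-usable=%d\n", samples[i],
               classify_pw_field(samples[i]), crypt_compare_can_match(samples[i]));
    return 0;
}
```

Entries that come back as F_NT_HASH_LIKE or F_UNKNOWN are the accounts for which a crypt()-based login cannot work, which is where a PAM module has to do the authentication instead.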
