A patch to configure to include --with-pam on Linux systems

Andrew Tridgell tridge at linuxcare.com
Sun Nov 12 12:21:21 GMT 2000


> Here is a patch to configure to include PAM on linux systems

There are plenty of Linux systems out there that don't use PAM. 

There was a time when Samba detected whether the pam libs were
available and automatically used them. We removed that behaviour as it
burned too many people. Instead we went for a system where the
distribution makers add --with-pam into their spec files. That leaves
us with the current situation where someone compiling from source has
to remember to use --with-pam on most systems or SWAT won't work.

Instead of your patch that just forcibly enables PAM on Linux I think
we should instead write a runtime test to see whether the system has
PAM enabled for the "samba" service. If we can do PAM calls that can
tell the difference between a authentication failure and a
non-confgured PAM system then we could go back to linking in the PAM
libraries if they are detected by configure. Then if at runtime we
detect that the "samba" module in PAM is not configured we could fall
back to crypt().

Does anyone know if you can do a runtime test like this? If PAM just
falls through to /etc/pam.d/other and that module is set to just do
pam_deny (as it is on RH systems) then I think it will be tricky to do
such a runtime test.

Alternatively we can add some slightly smarter logging - looking for
the magic MD5 prefix in MD5 based crypted passwords and if the auth
fails then log a message like "perhaps you need to compile with
--with-pam". That would have been enough to get you out of this
problem I expect.

Anyway, I certainly don't want to just unconditionally use only PAM on
some specific platform. That will just break Samba for a different
group of users.

Cheers, Tridge

More information about the samba-technical mailing list