A patch to configure to include --with-pam on Linux systems

Anders C. Thorsen anders at aae.wisc.edu
Sun Nov 12 06:21:55 GMT 2000


Maybe a better solution is to check whether pam is present even
when not using --enable-pam and give a message like this at the
end of configure:
"NOTE: You configured samba to not use PAM on a PAM enabled system"
"      To enable PAM, use --enable-pam when running configure"
     
And maybe a pointer or two to some pam information
     
--Anders

On Sun, Nov 12, 2000 at 11:21:21PM +1100, Andrew Tridgell wrote:
> Richard,
> 
> > Here is a patch to configure to include PAM on linux systems
> 
> There are plenty of Linux systems out there that don't use PAM. 
> 
> There was a time when Samba detected whether the pam libs were
> available and automatically used them. We removed that behaviour as it
> burned too many people. Instead we went for a system where the
> distribution makers add --with-pam into their spec files. That leaves
> us with the current situation where someone compiling from source has
> to remember to use --with-pam on most systems or SWAT won't work.
> 
> Instead of your patch that just forcibly enables PAM on Linux I think
> we should instead write a runtime test to see whether the system has
> PAM enabled for the "samba" service. If we can do PAM calls that can
> tell the difference between an authentication failure and a
> non-configured PAM system then we could go back to linking in the PAM
> libraries if they are detected by configure. Then if at runtime we
> detect that the "samba" module in PAM is not configured we could fall
> back to crypt().
> 
> Does anyone know if you can do a runtime test like this? If PAM just
> falls through to /etc/pam.d/other and that module is set to just do
> pam_deny (as it is on RH systems) then I think it will be tricky to do
> such a runtime test.
> 
> Alternatively we can add some slightly smarter logging - looking for
> the magic MD5 prefix in MD5 based crypted passwords and if the auth
> fails then log a message like "perhaps you need to compile with
> --with-pam". That would have been enough to get you out of this
> problem I expect.
> 
> Anyway, I certainly don't want to just unconditionally use only PAM on
> some specific platform. That will just break Samba for a different
> group of users.
> 
> Cheers, Tridge
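
The "smarter logging" idea from the quoted message, sketched as an added example; it is not code from this thread or from Samba. The function names, the built_with_pam flag and the sample hash strings are assumptions made up for illustration; "$1$" is the MD5-crypt prefix.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; none of this is Samba code. */
enum hash_kind { HASH_EMPTY, HASH_SHADOWED, HASH_LOCKED, HASH_DES, HASH_MD5, HASH_UNKNOWN };

static const char CRYPT_ALPHABET[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* True if the first n bytes of s all belong to the crypt(3) alphabet. */
static int all_crypt_chars(const char *s, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (s[i] == '\0' || strchr(CRYPT_ALPHABET, s[i]) == NULL)
            return 0;
    return 1;
}

/* Classify the password field of a passwd/shadow entry by its shape only. */
enum hash_kind classify_hash(const char *field)
{
    if (field == NULL || field[0] == '\0') return HASH_EMPTY;
    if (strcmp(field, "x") == 0) return HASH_SHADOWED; /* hash lives in shadow */
    if (field[0] == '*' || field[0] == '!') return HASH_LOCKED;
    if (strncmp(field, "$1$", 3) == 0) {
        const char *sep = strchr(field + 3, '$');
        /* MD5-crypt layout: "$1$", up to 8 salt chars, '$', 22 digest chars */
        if (sep && sep - (field + 3) <= 8 && strlen(sep + 1) == 22 &&
            all_crypt_chars(sep + 1, 22))
            return HASH_MD5;
        return HASH_UNKNOWN;
    }
    if (strlen(field) == 13 && all_crypt_chars(field, 13)) return HASH_DES;
    return HASH_UNKNOWN;
}

/* Hint to log after a failed crypt() check, or NULL. Never logs the hash. */
const char *auth_failure_hint(const char *field, int built_with_pam)
{
    if (!built_with_pam && classify_hash(field) == HASH_MD5)
        return "stored password is MD5 based; perhaps you need to compile with --with-pam";
    return NULL;
}

int main(void)
{
    /* Constructed sample fields, not real password hashes. */
    const char *samples[] = { "$1$saltsalt$ABCDEFGHIJKLMNOPQRSTUV", "abJnggxhB/yWI", "x" };
    for (size_t i = 0; i < 3; i++) {
        const char *hint = auth_failure_hint(samples[i], 0);
        printf("sample %zu: kind=%d hint=%s\n", i, classify_hash(samples[i]), hint ? hint : "(none)");
    }
    return 0;
}
```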



