TODO list proposal for volunteers

Seth Vidal skvidal at phy.duke.edu
Mon Oct 2 11:36:07 GMT 2000


> Seth.  We cannot simply pamify Samba (aside from the 
> support which already exists). How do you propose 
> supporting an LDAP backend (which will act as a stepping 
> stone in plugging Samba into a Win2K/AD domain)?

pam_ldap with a laced-in Samba schema.
PAM talks to an LDAP server and checks certain information.
It would require modifying or rewriting the pam_ldap module, but it's quite
doable.

> Someone please correct me, but unless you are using a...
> now what does pam call it....something like use_mapped_pass....
> anyways, my understanding is that PAM requires plain text 
> unless you are specifying that the plain text password be 
> used to generate an encryption key for storing authentication
> tokens on disk.  The last time I checked, the Linux-PAM
> modules did not support this anyways.
> 
> Did I miss something here?

Maybe I'm lost, but I was fairly sure that it made little difference what
you passed PAM. While giving it a plaintext password is ideal, it is not an
option (because of Windows's LM hash passwords) - and if memory serves, LM hashes
are plaintext equivalents (in that they are replayable), so the LM hash
can be treated identically to a plaintext (excluding the fact that it is
not the ACTUAL password).


> All we are talking about is to provide an abstraction layer
> which would essentially specify a set of callbacks that 
> could be very simple wrapper functions or more complex routines
> requiring lots of stuff.  It gives us the flexibility to 
> replace the backend with either a local TDB, a remote 
> LDAP directory, etc...

I am not against this - I was just noting that I thought a lot of it could
be done via pam - and I think it can - the stacking of modules would allow
for some very clever authentication modules for supporting A LOT of
diverse users storing passwords in a variety of places.

example - if you're running with plaintext passwords enabled in windows:

auth sufficient pam_krb5.so
auth sufficient pam_ldap.so  use_first_pass
auth sufficient pam_unix.so  nis use_first_pass

(please excuse if my syntax is off - it's early in the morning for me)

I'm not sure how one would go about doing the same in the system you're
proposing, but it seems like if you're wanting krb5 auth'ing it would be
handy.

Maybe I'm missing something - please tell me if I didn't get part of this
thread.

-sv
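The stacking behaviour the message relies on (three "sufficient" modules, each later one reusing the password the first one asked for) is easy to get subtly wrong. The following simulator is an added illustration written for this page, not Linux-PAM's or Samba's code: it parses the auth lines of a pam.d-style stack, walks them with the control-flag semantics Linux-PAM documents (required, requisite, sufficient, optional) and models use_first_pass as "reuse the token an earlier module captured, fail if there is none". The backends (pam_krb5.so, pam_ldap.so, pam_unix.so mapped to constructed user/password pairs), the sample stacks and the user names are all constructed for the demonstration.

```python
# Added simulator of how Linux-PAM walks an "auth" stack. Not Linux-PAM's
# code; backends, users and sample stacks below are constructed examples.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

SUCCESS = "PAM_SUCCESS"      # names mirror Linux-PAM's return codes
AUTH_ERR = "PAM_AUTH_ERR"

Checker = Callable[[str, str], bool]   # (user, password) -> accepted?


@dataclass
class StackEntry:
    control: str             # required | requisite | sufficient | optional
    module: str              # e.g. pam_ldap.so
    args: Tuple[str, ...]    # module arguments such as use_first_pass


def parse_stack(text: str) -> List[StackEntry]:
    """Parse the 'auth' lines of a pam.d-style configuration; other types are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] != "auth" or len(fields) < 3:
            continue
        control, module, *args = fields[1:]
        entries.append(StackEntry(control, module, tuple(args)))
    return entries


def run_auth_stack(stack: List[StackEntry], backends: Dict[str, Checker],
                   user: str, password: str):
    """Return (result, trace) for one authentication attempt.

    required:   a failure is remembered, but the remaining modules still run;
    requisite:  a failure ends the stack immediately;
    sufficient: a success ends the stack unless a required module already
                failed; a failure is simply ignored;
    optional:   only decides the outcome when nothing else has;
    use_first_pass: reuse the password a previous module prompted for; with
                no earlier prompt the module has nothing to check and fails.
    """
    trace: List[Tuple[str, str, str]] = []
    required_failed = False
    optional_ok = False
    token = None                              # password captured by an earlier module

    def check(module: str, pw: str) -> str:
        checker = backends.get(module)        # unknown module counts as failure
        return SUCCESS if checker is not None and checker(user, pw) else AUTH_ERR

    for entry in stack:
        if "use_first_pass" in entry.args:
            result = AUTH_ERR if token is None else check(entry.module, token)
        else:
            token = password                  # this module "prompts" the user
            result = check(entry.module, token)
        trace.append((entry.module, entry.control, result))

        if entry.control == "requisite" and result != SUCCESS:
            return AUTH_ERR, trace
        if entry.control == "required" and result != SUCCESS:
            required_failed = True
        if entry.control == "sufficient" and result == SUCCESS and not required_failed:
            return SUCCESS, trace
        if entry.control == "optional" and result == SUCCESS:
            optional_ok = True

    if required_failed:
        return AUTH_ERR, trace
    if any(e.control == "required" for e in stack):
        return SUCCESS, trace                 # every required module passed
    return (SUCCESS if optional_ok else AUTH_ERR), trace


# Constructed stand-ins for the three modules' password stores.
BACKENDS: Dict[str, Checker] = {
    "pam_krb5.so": lambda u, p: (u, p) == ("alice", "krb-secret"),
    "pam_ldap.so": lambda u, p: (u, p) == ("bob", "ldap-secret"),
    "pam_unix.so": lambda u, p: (u, p) == ("carol", "unix-secret"),
}

# The stack proposed in the message, in Linux-PAM syntax.
SAMBA_STACK = """
auth sufficient pam_krb5.so
auth sufficient pam_ldap.so  use_first_pass
auth sufficient pam_unix.so  nis use_first_pass
"""


def authenticate(user: str, password: str, stack_text: str = SAMBA_STACK,
                 backends: Dict[str, Checker] = BACKENDS):
    return run_auth_stack(parse_stack(stack_text), backends, user, password)


if __name__ == "__main__":
    for who, pw in (("bob", "ldap-secret"), ("carol", "unix-secret"), ("bob", "wrong")):
        result, trace = authenticate(who, pw)
        print(who, result, trace)
```

Two cases worth running: putting a use_first_pass module first (`auth sufficient pam_ldap.so use_first_pass` as the opening line) makes that module fail for everyone because nothing has prompted yet, and changing the first line to `required` means a user known only to LDAP is rejected even though pam_ldap succeeds, since a remembered required failure overrides a later sufficient success.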

More information about the samba-technical mailing list