TODO list proposal for volunteers

Steve Langasek vorlon at
Mon Oct 2 14:52:59 GMT 2000

On Sun, 1 Oct 2000, Gerald Carter wrote:

> > I would disagree - I'm not sure you're getting the
> > point of it. Maybe you are and have other problems
> > with it. But I've not heard them here so.

> > But what it sounds like to me is you are suggesting
> > rewriting what pam does in samba - which sounds like
> > duplicated and wasted effort.

> Seth.  We cannot simply pamify Samba (aside from the
> support which already exists). How do you propose
> supporting an LDAP backend (which will act as a stepping
> stone in plugging Samba into a Win20/AD domain)?

Is there any reason why Samba could not fully support PAM authorization and
session management functions (which typically don't handle passwords at all)?
Currently, the PAM support in Samba does call pam_acct_mgmt() to verify
authorization; does it do this only when PAM is used for authentication as
well?  Would pam_open_session() and pam_close_session() fit in Samba, given
that many authenticated Samba "sessions" last only seconds (or less)?  If
implemented, perhaps this should follow the lead of the experimental utmp

> Someone please correct me, but unless you are using a...
> now what does pam call it....something like use_mapped_pass....
> anyways, my understanding is that PAM requires plain text
> unless you are specifying that the plain text password be
> used to generate an encryption key for storing authentication
> tokens on disk.  The last time I checked, the Linux-PAM
> modules did not support this anyways.

> Did I miss something here?

> All we are talking about is to provide an abstraction layer
> which would essentially specify a set of callbacks that 
> could be very simple wrapper functions or more complex routines
> requiring lots of stuff.  It gives us the flexibility to 
> replace the backend with either a local TDB, a remote 
> LDAP directory, etc...

PAM's authentication API as it stands now is not a good fit for what Samba
does.  Many people seem interested in enhancing PAM to allow it to work with
Samba's encrypted password mode, but it would be premature to try
incorporating this into Samba.

Steve Langasek
postmodern programmer
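
The callback-table idea discussed in this message, sketched as an added example (not part of the original post and not Samba's code). All type, function and backend names are hypothetical, and the two tables are constructed stand-ins for a local TDB and a remote LDAP directory; the account check is a separate callback that never handles a password, which is where a wrapper around pam_acct_mgmt() could sit.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical types and names for illustration; not Samba's passdb API. */
struct account { const char *user; int disabled; long expires; /* 0 = never */ };

struct backend_ops {
    const char *name;
    /* Fetch the account record; 0 on success, -1 if the user is unknown. */
    int (*lookup)(const char *user, struct account *out);
    /* Authorization only, no password involved; 0 means access allowed.
     * A PAM-backed wrapper would call pam_acct_mgmt() here. */
    int (*acct_ok)(const struct account *a, long now);
};

/* Constructed sample data standing in for a local TDB and an LDAP directory. */
static const struct account tdb_rows[]  = { {"alice", 0, 0}, {"bob", 1, 0} };
static const struct account ldap_rows[] = { {"carol", 0, 2000}, {"dave", 0, 500} };

static int scan(const struct account *rows, size_t n, const char *user,
                struct account *out) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(rows[i].user, user) == 0) { *out = rows[i]; return 0; }
    return -1;
}
static int tdb_lookup(const char *u, struct account *o)  { return scan(tdb_rows, 2, u, o); }
static int ldap_lookup(const char *u, struct account *o) { return scan(ldap_rows, 2, u, o); }

/* Simple wrapper: the local backend only knows a disabled flag. */
static int tdb_acct_ok(const struct account *a, long now) {
    (void)now;
    return a->disabled ? -1 : 0;
}
/* More complex routine: the directory backend also enforces expiry. */
static int ldap_acct_ok(const struct account *a, long now) {
    if (a->disabled) return -1;
    return (a->expires != 0 && now >= a->expires) ? -1 : 0;
}

const struct backend_ops tdb_backend  = { "tdb",  tdb_lookup,  tdb_acct_ok };
const struct backend_ops ldap_backend = { "ldap", ldap_lookup, ldap_acct_ok };

/* Backend-agnostic caller that fails closed: a missing callback, an unknown
 * user, or a failed account check all deny access. Returns 1 to allow. */
int login_allowed(const struct backend_ops *b, const char *user, long now) {
    struct account a;
    if (!b || !b->lookup || !b->acct_ok || !user) return 0;
    if (b->lookup(user, &a) != 0) return 0;
    return b->acct_ok(&a, now) == 0;
}
```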
