PAM & Samba [was Re: TODO list....]
David Collier-Brown
David.Collier-Brown at canada.sun.com
Mon Oct 2 14:59:01 GMT 2000
Gerald Carter wrote:
> o by settling on PAM we have automatically kicked
> ourselves out of non-PAM platforms. I think
> the compile time option is a good thing.
Since we have had trouble with glibc2 setegid(),
I'll suggest we be paranoid (;-))

1) require a --with option in the next release,
   and back that out in a subsequent release
2) check at configure time that pam is present
   on the machine where it's being compiled. If
   not, turn off the #define
3) During initialization, call pam_start (redundantly)
   to get a pam handle for a known valid user,
   and release it with pam_end if it succeeds.
   If it does not return PAM_SUCCESS, be very
   cautious about using it...

   If it returns
   PAM_SUCCESS -- try running pam, but be prepared to
                  deal with failures.
   PAM_OPEN_ERR -- the machine running Samba lacks the
                   pam library, so use the normal code instead.
   PAM_SYMBOL_ERR
   PAM_SERVICE_ERR
   PAM_BUF_ERR
   PAM_CONV_ERR
   PAM_PERM_DENIED
   -- some error occurred in the setup, implying
      a programmer error in the call to pam: this
      **probably** means an unsuccessful port to
      the platform where samba's running. Report
      voluminously for the developers and use the
      normal code instead.
> o I need to see the exact structure and function
> declarations that would allow us to get this authorization
> data back for session management. My current view of PAM
> is that it is linked very close to the standard /etc/passwd
> fields.
It's biased (;-)) However, the API tends to hide
much of this, making the operations, not the data,
visible. [I'm reading the Solaris man pages as I say
this: other vendors **should** have implemented them
unchanged]
> The problem with moving from one authentication
> scheme to another (for example, Kerberos and NIS...
> now there's a combination for you :) ) is the incompatible
> encryption algorithms. The only common point they have
> is plain text. However, the need to support ntlm
> is so overwhelming, that unless someone can show me
> an actual way to support all of the authentication
> and authorization information I need, PAM will have to remain
> either a compile time option or a pluggable backend.
I think you're right: the next point at which we
get full interoperability is Kerberos. However,
a mixed implementation **may** be possible...
--dave
--
David Collier-Brown, | Always do right. This will gratify some people
185 Ellerslie Ave., | and astonish the rest. -- Mark Twain
Willowdale, Ontario | //www.oreilly.com/catalog/samba/author.html
Work: (905) 415-2849 Home: (416) 223-8968 Email: davecb at canada.sun.com
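The startup probe described in point 3 above, as an added example that is neither Samba's code nor the author's: it loads libpam with dlopen() so it builds without PAM headers, uses Linux-PAM's return-code values (an assumption; other vendors' PAM may number them differently), and the service name "samba-probe" and user "root" are placeholders.

```c
#define _POSIX_C_SOURCE 200809L
#include <dlfcn.h>
#include <stdio.h>
#include <stddef.h>

/* Linux-PAM return codes named in the post (assumed values, from Linux-PAM). */
enum { PAM_SUCCESS = 0, PAM_OPEN_ERR = 1, PAM_SYMBOL_ERR = 2, PAM_SERVICE_ERR = 3,
       PAM_SYSTEM_ERR = 4, PAM_BUF_ERR = 5, PAM_PERM_DENIED = 6, PAM_CONV_ERR = 19 };

/* What the caller should do once the probe has run. */
enum pam_policy { USE_PAM, FALLBACK_QUIET, FALLBACK_REPORT };

/* ABI-compatible stand-in for struct pam_conv (no PAM headers included). */
struct pam_conv { int (*conv)(int, const void **, void **, void *); void *appdata; };

/* pam_start() never invokes the conversation, but a callback must be supplied. */
static int no_conv(int n, const void **msg, void **resp, void *data) {
    (void)n; (void)msg; (void)resp; (void)data;
    return PAM_CONV_ERR;
}

/* Map a pam_start() result to the three outcomes the post describes. */
enum pam_policy classify_pam_rc(int rc) {
    switch (rc) {
    case PAM_SUCCESS:  return USE_PAM;         /* run PAM, but expect failures */
    case PAM_OPEN_ERR: return FALLBACK_QUIET;  /* this host has no PAM library */
    default:           return FALLBACK_REPORT; /* setup/port error: log loudly */
    }
}

/* Redundant pam_start()/pam_end() for a known-valid user at initialisation.
 * *rc_out receives the raw code; a missing libpam is reported as PAM_OPEN_ERR. */
enum pam_policy probe_pam(const char *service, const char *user, int *rc_out) {
    int (*start)(const char *, const char *, const struct pam_conv *, void **) = NULL;
    int (*end)(void *, int) = NULL;
    struct pam_conv conv = { no_conv, NULL };
    void *pamh = NULL, *lib = dlopen("libpam.so.0", RTLD_NOW);
    int rc = PAM_OPEN_ERR;

    if (lib != NULL) {
        *(void **)&start = dlsym(lib, "pam_start");
        *(void **)&end   = dlsym(lib, "pam_end");
        if (start == NULL || end == NULL) rc = PAM_SYMBOL_ERR;
        else {
            rc = start(service, user, &conv, &pamh);
            if (rc == PAM_SUCCESS) end(pamh, rc);  /* release the handle */
        }
        dlclose(lib);
    }
    if (rc_out) *rc_out = rc;
    if (classify_pam_rc(rc) == FALLBACK_REPORT)
        fprintf(stderr, "PAM probe failed (rc=%d): likely a bad port, using builtin auth\n", rc);
    return classify_pam_rc(rc);
}
```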