PAM & Samba [was Re: TODO list....]

David Collier-Brown David.Collier-Brown at canada.sun.com
Mon Oct 2 14:59:01 GMT 2000


Gerald Carter wrote:
>   o by settling on PAM we have automatically kicked
>     our selves out of non-PAM platforms.  I think
>     the compile time option is a good thing. 

	Since we have had trouble with glibc2 setegid(),
	I'll suggest we be paranoid (;-))

	1) require a --with option in the next release,
	   and back that out in a subsequent release
	2) check at configure time that pam is present
	   on the machine where it's being compiled. If
	   nit, turn off the #define
	3) During initialization, call pam_start (redundantly)
	   to get a pam handle for a known valid user,
	   and release it with pam_end if it succeeds.
	   If it does not return PAM_SUCCESS, be very 
	   cautious about using it...

	If it returns 
	PAM_SUCCESS -- try running pam, but be prepared to
		deal with failures.
	PAM_OPEN_ERR -- the machine running Samba lacks the 
		pam library, so use the normal code instead.
	PAM_SYMBOL_ERR 
	PAM_SERVICE_ERR
	PAM_BUF_ERR
	PAM_CONV_ERR
	PAM_PERM_DENIED
		-- some error occurred in the setup, implying
		a programmer error in the call to pam: this
		**probably** means an unsuccessful port to
		the platform where samba's running. Report
		voluminously for the developers and use the 
		normal code instead.

>   o I need to see the exact structure and function
>     declarations that would allow us to get this authorization
>     data back for session management.  My current view of PAM
>     is that it is linked very close to the standard /etc/passwd
>     fields.

	It's biased (;-))   However, the API tends to hide
	much of this, making the operations, not the data,
	visible. [I'm reading the Solaris man pages as I say 
	this: other vendors **should** have implemented them 
	unchanged]

> The problem with moving from one authentication
> scheme to another (for example, Kerberos and NIS...
> now there's a combination for you :) ) is the incompatible
> encryption algorithms.  The only common point they have
> is plain text.  However, the need to support ntlm
> is so overwhelming, that unless someone can show me
> an actual way to support all of the authentication
> and authorization information I need, PAM will have to remain
> either a compile time option or a plugable backend.

	I think you're right: the next point at which we
	get full interoperability is Kerberos.  However,
	a mixed implementation **may** be possible...
 
--dave
-- 
David Collier-Brown,  | Always do right. This will gratify some people
185 Ellerslie Ave.,   | and astonish the rest.        -- Mark Twain
Willowdale, Ontario   | //www.oreilly.com/catalog/samba/author.html
Work: (905) 415-2849 Home: (416) 223-8968 Email: davecb at canada.sun.com
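Step 3 of David's checklist, worked through as an added C example (not code from this thread or from Samba): it loads libpam at run time, calls pam_start() for a known user, releases the handle with pam_end() if that succeeded, and maps the result onto the three branches the message lists (use PAM, library absent, setup error). The return-code values follow Linux-PAM's numbering and the service name "samba" is an assumption; the local struct and typedefs stand in for the PAM header so the probe builds even where it is not installed.

```c
#include <dlfcn.h>
#include <stddef.h>

/* PAM return codes, assumed to follow Linux-PAM's numbering; other
 * implementations may number some of them differently. */
enum { PAM_SUCCESS = 0, PAM_OPEN_ERR = 1, PAM_SYMBOL_ERR = 2, PAM_SERVICE_ERR = 3,
       PAM_SYSTEM_ERR = 4, PAM_BUF_ERR = 5, PAM_PERM_DENIED = 6, PAM_CONV_ERR = 19 };

/* The three branches of the message: use PAM, fall back because the library
 * is absent, or fall back (and report) because the port looks broken. */
typedef enum { USE_PAM, FALLBACK_NO_LIBRARY, FALLBACK_BAD_PORT } pam_decision;

/* Local, ABI-compatible declarations so no PAM header is needed at build time. */
struct pam_conv { int (*conv)(int, const void **, void **, void *); void *appdata_ptr; };
typedef int (*pam_start_fn)(const char *, const char *, const struct pam_conv *, void **);
typedef int (*pam_end_fn)(void *, int);

/* pam_start() does not prompt, so the probe's conversation function refuses. */
static int null_conv(int n, const void **msg, void **resp, void *data) {
    (void)n; (void)msg; (void)data; *resp = NULL;
    return PAM_CONV_ERR;
}
/* Map a pam_start() result onto a decision: SYMBOL, SERVICE, BUF, CONV,
 * PERM_DENIED and anything else unexpected count as a setup error. */
pam_decision classify_pam_rc(int rc) {
    switch (rc) {
    case PAM_SUCCESS:  return USE_PAM;
    case PAM_OPEN_ERR: return FALLBACK_NO_LIBRARY;
    default:           return FALLBACK_BAD_PORT;
    }
}

/* Load libpam at run time, pam_start() for a known valid user, and release the
 * handle with pam_end() if that worked. A failed dlopen() plays PAM_OPEN_ERR. */
pam_decision probe_pam(const char *service, const char *user) {
    void *lib = dlopen("libpam.so.0", RTLD_NOW);
    if (lib == NULL) return classify_pam_rc(PAM_OPEN_ERR);
    pam_start_fn start = (pam_start_fn)dlsym(lib, "pam_start");
    pam_end_fn end = (pam_end_fn)dlsym(lib, "pam_end");
    int rc = PAM_SYMBOL_ERR;              /* library present but symbols missing */
    if (start != NULL && end != NULL) {
        struct pam_conv conv = { null_conv, NULL };
        void *pamh = NULL;
        rc = start(service, user, &conv, &pamh);
        if (rc == PAM_SUCCESS) end(pamh, PAM_SUCCESS);  /* else: caller logs rc */
    }
    dlclose(lib);
    return classify_pam_rc(rc);
}
```

A daemon would call probe_pam("samba", "root") once at start-up and take the normal password path whenever the result is not USE_PAM, logging the raw return code in the setup-error case.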