PAM & Samba [was Re: TODO list....]

David Collier-Brown David.Collier-Brown at canada.sun.com
Mon Oct 2 17:05:35 GMT 2000


Michael Tokarev wrote:
> Why not check if the kernel is present this way also?!
> Standard c library?  

	We don't have a history of missing kernels, but
	there is a history of broken glibc2's.

> Seriously, this is just a waste of effort.  If one told
> samba that he wants it to use pam, it should use it.

	Sorry, but that's exactly what we do with
	Linux glibc's, and we now have a new FAQ
	entry a-borning, "if you can't change your
	gid in Samba, update your Linux kernel to match
	your libraries".

	I'm proposing we test early, diagnose failure and
	use the default mechanisms instead: I assume that
	everyone checks the return code of open-like functions
	such as pam_start and deals with all the "normal" failures.
	Just as one checks the return code from open.

	If you don't, your application will work badly (;-))
	In fact, it won't work at all: it'll probably
	core-dump, which is Not A Good Thing, and will be
	regarded quite properly as a Samba problem.

> Pam failures will be admin failures, not samba ones. 

	Which is why I suggested we log it, for the
	administrator to fix.  It's an unkind act
	to just silently fail, if we know there are
	common failure modes (like "file not found" 
	for open) which require human intervention
	to correct.

	To clarify: what I recommend is that we make a redundant
	test and diagnose a predictable common fault. I'm
	of the opinion that we should then continue, but the
	team may already have a de-facto policy on that.

	In any case, pass_check.c should check for failures
	at pam_start time (and it does, using PAM_BAIL),
	log the problem (it doesn't) and return a failure.

	I'll suggest code in the next message.
	
--dave
-- 
David Collier-Brown,  | Always do right. This will gratify some people
185 Ellerslie Ave.,   | and astonish the rest.        -- Mark Twain
Willowdale, Ontario   | //www.oreilly.com/catalog/samba/author.html
Work: (905) 415-2849 Home: (416) 223-8968 Email: davecb at canada.sun.com
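
An added example, not part of the original message and not Samba's code: a startup probe in the spirit of the "test early, diagnose failure and use the default mechanisms" proposal above, checking pam_start's return code and recording why it failed. The names pick_auth_backend, auth_backend and no_conv, the "samba" service name, the Linux-PAM soname libpam.so.0 and the locally declared PAM types are assumptions, chosen so the code builds without PAM headers by loading the library with dlopen.

```c
#include <dlfcn.h>
#include <stdio.h>

/* Assumption: minimal PAM ABI declared locally so this builds without PAM headers. */
struct pam_conv { int (*conv)(int, const void **, void **, void *); void *appdata_ptr; };
typedef int (*pam_start_fn)(const char *, const char *, const struct pam_conv *, void **);
typedef int (*pam_end_fn)(void *, int);
typedef const char *(*pam_strerror_fn)(void *, int);
enum auth_backend { AUTH_DEFAULT, AUTH_PAM };   /* hypothetical names */

/* pam_start only stores the conversation callback; it is never invoked here. */
static int no_conv(int n, const void **msg, void **resp, void *data)
{ (void)n; (void)msg; (void)resp; (void)data; return 1; }

/* Probe PAM once at startup. On any failure, explain it in diag and fall back. */
enum auth_backend pick_auth_backend(const char *lib, const char *service,
                                    char *diag, size_t len)
{
    pam_start_fn start; pam_end_fn end; pam_strerror_fn strerr;
    struct pam_conv conv = { no_conv, NULL };
    void *pamh = NULL, *h = dlopen(lib, RTLD_NOW | RTLD_LOCAL);
    int rc;
    if (h == NULL) {
        snprintf(diag, len, "PAM unavailable (%s); using default checks", dlerror());
        return AUTH_DEFAULT;
    }
    *(void **)&start = dlsym(h, "pam_start");
    *(void **)&end = dlsym(h, "pam_end");
    *(void **)&strerr = dlsym(h, "pam_strerror");
    if (!start || !end || !strerr)
        snprintf(diag, len, "%s is missing PAM entry points; using default checks", lib);
    else if ((rc = start(service, NULL, &conv, &pamh)) != 0)   /* PAM_SUCCESS is 0 */
        snprintf(diag, len, "pam_start(%s) failed: %s; using default checks",
                 service, strerr(pamh, rc));
    else {
        end(pamh, rc);
        snprintf(diag, len, "PAM usable for service %s", service);
        return AUTH_PAM;   /* library stays loaded for later authentication */
    }
    dlclose(h);
    return AUTH_DEFAULT;
}

int main(void)
{
    char diag[256];
    enum auth_backend b = pick_auth_backend("libpam.so.0", "samba", diag, sizeof diag);
    fprintf(stderr, "auth backend: %s (%s)\n", b == AUTH_PAM ? "pam" : "default", diag);
    return 0;
}
```

In a daemon the diagnostic would be written to its own log at startup rather than to stderr, so the administrator sees why the fallback happened.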



