PAM & Samba [was Re: TODO list....]

Anders Thorsen anders at cwd.no
Tue Oct 3 04:07:30 GMT 2000


Typically most programs fail silently with pam,
which happened when I upgraded a Debian installation. Result: Could not 
log in. No error messages could be found,
and I had no clue where the problem was.

 (For the record: the solution was to manually deinstall pam files, and 
edit the dpkg database then reinstall pam)

So if samba gave an error message, it would be a lot easier to pinpoint the 
problem to pam.

BTW: Checking for a motherboard and CPU is the kernel's job :)

--Anders





David Collier-Brown <David.Collier-Brown at canada.sun.com>
Sent by: samba-technical-admin at us4.samba.org
10/02/2000 11:05 AM

 
        To:     Michael Tokarev <mjt at tls.msk.ru>
        cc:     samba-technical at samba.org
        Subject:        Re: PAM & Samba [was Re: TODO list....]

Michael Tokarev wrote:
> Why not to check if kernel is present this way also ?!
> Standard c library? 

                 We don't have a history of missing kernels, but
                 there is a history of broken glibc2's.

> Seriously, this is just a waste of efforts.  If one told
> samba that he wants it to use pam, it should use it.

                 Sorry, but that's exactly what we do with
                 Linux glibc's, and we now have a new FAQ
                 entry a-borning, "if you can't change your
                 gid in Samba, update your Linux kernel to match
                 your libraries".

                 I'm proposing we test early, diagnose failure and
                 use the default mechanisms instead: I assume that
                 everyone checks the return code of open-like functions
                 such as pam_start and deals with all the "normal" failures.
                 Just as one checks the return code from open.

                 If you don't, your application will work badly (;-))
                 In fact, it won't work at all: it'll probably
                 core-dump, which is Not A Good Thing, and will be
                 regarded quite properly as a Samba problem.

> Pam failures will be admin failures, not samba ones. 

                 Which is why I suggested we log it, for the
                 administrator to fix.  It's an unkind act
                 to just silently fail, if we know there are
                 common failure modes (like "file not found" 
                 for open) which require human intervention
                 to correct.

                 To clarify: what I recommend is that we make a redundant
                 test and diagnose a predictable common fault. I'm
                 of the opinion that we should then continue, but the
                 team may already have a de-facto policy on that.

                 In any case, pass_check.c should check for failures
                 at pam_start time (and it does, using PAM_BAIL),
                 log the problem (it doesn't) and return a failure.

                 I'll suggest code in the next message.
 
--dave
-- 
David Collier-Brown,  | Always do right. This will gratify some people
185 Ellerslie Ave.,   | and astonish the rest.        -- Mark Twain
Willowdale, Ontario   | //www.oreilly.com/catalog/samba/author.html
Work: (905) 415-2849 Home: (416) 223-8968 Email: davecb at canada.sun.com
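
One way to implement the early test described above, as an added example (it is not Samba's code and not the code promised for the next message). The helper name pam_probe, the service name "samba" and the Linux-PAM soname libpam.so.0 are assumptions; the library is loaded with dlopen so that a missing or broken libpam becomes a reason that can be logged instead of a silent failure.

```c
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>
#define PAM_SUCCESS  0    /* Linux-PAM value */
#define PAM_CONV_ERR 19   /* Linux-PAM value */
struct pam_message; struct pam_response;   /* opaque: the probe never converses */
struct pam_conv {
    int (*conv)(int, const struct pam_message **, struct pam_response **, void *);
    void *appdata_ptr;
};
typedef int (*start_fn)(const char *, const char *, const struct pam_conv *, void **);
typedef int (*end_fn)(void *, int);
typedef const char *(*strerror_fn)(void *, int);

static int refuse_conv(int n, const struct pam_message **m,
                       struct pam_response **r, void *d)
{ (void)n; (void)m; (void)r; (void)d; return PAM_CONV_ERR; }

/* Hypothetical helper: 0 = PAM usable, -1 = fall back; `why` is the log text. */
int pam_probe(const char *lib, const char *service, char *why, size_t len)
{
    struct pam_conv conv = { refuse_conv, NULL };
    void *pamh = NULL, *h = dlopen(lib, RTLD_NOW | RTLD_LOCAL);
    if (h == NULL) {
        snprintf(why, len, "cannot load %s: %s", lib, dlerror());
        return -1;
    }
    start_fn start = (start_fn)dlsym(h, "pam_start");
    end_fn end = (end_fn)dlsym(h, "pam_end");
    strerror_fn err = (strerror_fn)dlsym(h, "pam_strerror");
    int rc = -1;
    if (!start || !end || !err) {
        snprintf(why, len, "%s lacks pam_start/pam_end/pam_strerror", lib);
    } else if ((rc = start(service, NULL, &conv, &pamh)) != PAM_SUCCESS) {
        snprintf(why, len, "pam_start(%s) failed: %s", service, err(pamh, rc));
    } else {
        snprintf(why, len, "PAM usable for service %s", service);
        end(pamh, PAM_SUCCESS);
    }
    dlclose(h);
    return rc == PAM_SUCCESS ? 0 : -1;
}

int main(void)
{
    char why[256];   /* "samba" is an assumed PAM service name */
    int rc = pam_probe("libpam.so.0", "samba", why, sizeof why);
    fprintf(stderr, "%s; using %s\n", why, rc ? "default password check" : "PAM");
    return 0;
}
```

On glibc older than 2.34, link with -ldl.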

