PAM & Samba [was Re: TODO list....]
Anders Thorsen
anders at cwd.no
Tue Oct 3 04:07:30 GMT 2000
Typically most programs fail silently with pam,
which happened when I upgraded a Debian installation. Result: Could not
log in. No error messages could be found,
and I had no clue where the problem was.
(For the record: the solution was to manually deinstall pam files, and
edit the dpkg database then reinstall pam)
So if samba gave an error message, it would be a lot easier to pinpoint the
problem to pam.
BTW: Checking for a motherboard and CPU is the kernel's job :)
--Anders
David Collier-Brown <David.Collier-Brown at canada.sun.com>
Sent by: samba-technical-admin at us4.samba.org
10/02/2000 11:05 AM
To: Michael Tokarev <mjt at tls.msk.ru>
cc: samba-technical at samba.org
Subject: Re: PAM & Samba [was Re: TODO list....]
Michael Tokarev wrote:
> Why not to check if kernel is present this way also ?!
> Standard c library?
We don't have a history of missing kernels, but
there is a history of broken glibc2's.
> Seriously, this is just a waste of efforts. If one told
> samba that he wants it to use pam, it should use it.
Sorry, but that's exactly what we do with
Linux glibc's, and we now have a new FAQ
entry a-borning, "if you can't change your
gid in Samba, update your Linux kernel to match
your libraries".
I'm proposing we test early, diagnose failure and
use the default mechanisms instead: I assume that
everyone checks the return code of open-like functions
such as pam_start and deals with all the "normal"
failures.
Just as one checks the return code from open.
If you don't, your application will work badly (;-))
In fact, it won't work at all: it'll probably
core-dump, which is Not A Good Thing, and will be
regarded quite properly as a Samba problem.
> Pam failures will be admin failures, not samba ones.
Which is why I suggested we log it, for the
administrator to fix. It's an unkind act
to just silently fail, if we know there are
common failure modes (like "file not found"
for open) which require human intervention
to correct.
To clarify: what I recommend is that we make a redundant
test and diagnose a predictable common fault. I'm
of the opinion that we should then continue, but the
team may already have a de-facto policy on that.
In any case, pass_check.c should check for failures
at pam_start time (and it does, using PAM_BAIL),
log the problem (it doesn't) and return a failure.
I'll suggest code in the next message.
--dave
--
David Collier-Brown, | Always do right. This will gratify some people
185 Ellerslie Ave., | and astonish the rest. -- Mark Twain
Willowdale, Ontario | //www.oreilly.com/catalog/samba/author.html
Work: (905) 415-2849 Home: (416) 223-8968 Email: davecb at canada.sun.com
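
A sketch of the check proposed in the quoted message, added here as an example; it is not code from the thread or from Samba's pass_check.c. All names are hypothetical, and the start call is passed in as a function pointer standing in for pam_start so that the failure path runs without a PAM library installed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; none of this is Samba's pass_check.c. */
enum auth_path { AUTH_PAM, AUTH_DEFAULT, AUTH_FAIL };

/* Same result convention as pam_start(): 0 (PAM_SUCCESS) means usable. */
typedef int (*start_fn)(const char *service, const char *user, void **handle);

static char last_log[256];          /* stands in for the daemon's log file */

static void log_admin(const char *service, const char *user, int rc)
{
    snprintf(last_log, sizeof last_log,
             "PAM start failed for service '%s' (user '%s'), code %d: "
             "check the PAM installation and /etc/pam.d/%s",
             service, user, rc, service);
    fprintf(stderr, "%s\n", last_log);
}

/* Probe early. On failure: log for the administrator, leave *handle NULL,
 * then continue with the default mechanism or refuse, as policy dictates. */
enum auth_path choose_auth_path(start_fn start, const char *service,
                                const char *user, int continue_on_failure,
                                void **handle)
{
    int rc;
    *handle = NULL;
    rc = start(service, user, handle);
    if (rc == 0 && *handle != NULL)
        return AUTH_PAM;
    log_admin(service, user, rc);
    *handle = NULL;                 /* never hand back a half-made handle */
    return continue_on_failure ? AUTH_DEFAULT : AUTH_FAIL;
}

/* Constructed stubs standing in for a broken and a working PAM library. */
static int broken_start(const char *s, const char *u, void **h)
{ (void)s; (void)u; (void)h; return 4; /* constructed non-zero code */ }

static int working_start(const char *s, const char *u, void **h)
{ static int token; (void)s; (void)u; *h = &token; return 0; }

int main(void)
{
    void *h;
    printf("broken:  %d\n", choose_auth_path(broken_start, "samba", "alice", 1, &h));
    printf("working: %d\n", choose_auth_path(working_start, "samba", "alice", 1, &h));
    return 0;
}
```

The `continue_on_failure` flag covers both outcomes discussed in the message: continuing with the default mechanism, or returning a failure.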