VFS Implementation and user authentication

Steve Langasek vorlon at netexpress.net
Fri Sep 8 18:45:54 GMT 2000


On Fri, 8 Sep 2000, Jeremy Allison wrote:

> > Just a quick reminder for anyone who might be contemplating this.

> > So far as is reasonably possible, remember to try to keep such work
> > compatible with, and able to use, PAM (Pluggable Authentication Modules)
> > for those systems that have it (e.g. Linux, Solaris, ...).

> > (And I have a sneaky, gut feeling that the PAM/Samba interface is an area
> > that we may wish to use at our own site in a few months' time...  it would
> > be nice if someone (else!) had already made it fully functional by then.)

> The only problem with the pam interfaces is that they
> need plaintext (as far as I know). Whereas Samba usually
> uses the lanman challenge/response binary blobs, which
> don't fit too well into PAM.

> And when we move to a direct kerb5 implementation I'm
> not sure how we'll integrate.

I remember looking a while back at the possibility of moving NTLM
authentication into a PAM module for Samba, and I concluded that it wasn't
really worth trying to do just for the sake of pamification.  The problem,
IIRC, wasn't so much a need for PAM to be given the plaintext password as it
was the fact that there's simply nothing "pluggable" about this arrangement,
at least with the existing PAM API.  A PAM module could be written that uses
lanman challenge/response for authentication... but the module would be
specific to Samba, and no other modules could be stacked with it meaningfully
because they would have no opportunity to interact with the user.

There has been talk recently on the PAM list about getting PAM to cooperate
with GSSAPI/SPNEGO/SSPI.  It would be great if that happened, but I have my
doubts about how well it could be made to work.  In any case, until it /is/
done, PAM is not the right API to use when negotiating client-server
authentication for protocols such as SMB.

OTOH, PAM is not solely an authentication API; there is also an authorization
component, invoked with the pam_acct_mgmt() function call, and I believe this
could be integrated nicely into Samba.

Steve Langasek
postmodern programmer
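To make the structural point of the message concrete, here is a toy model of the PAM control flow as an added example; it is not Samba code and not libpam, and everything in it is constructed: the module names, the user database, and an HMAC-based stand-in for the LANMAN/NTLM challenge/response. It shows why a password-style auth module can only reach the user through the conversation function (so an SMB server holding only binary blobs has nothing to hand it), and how the authorisation step the message points at, pam_acct_mgmt(), can still be applied after the protocol has done its own authentication.

```python
"""Toy model of the PAM flow discussed above (added example, not Samba code).

Everything here is constructed for illustration: the module names, the user
database and the HMAC challenge/response used in place of LANMAN/NTLM.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Return codes, modelled on the libpam constants of the same names.
PAM_SUCCESS, PAM_PERM_DENIED, PAM_AUTH_ERR, PAM_ACCT_EXPIRED, PAM_CONV_ERR = 0, 6, 7, 13, 19
PAM_PROMPT_ECHO_OFF = 1


@dataclass
class Account:
    pw_hash: bytes          # what a password module compares the plaintext against
    secret: bytes           # what the SMB server's challenge/response check uses
    expired: bool = False
    disabled: bool = False


def _h(s):
    return hashlib.sha256(s.encode()).digest()


# Constructed user database.
USERS = {
    "alice": Account(_h("correct horse"), _h("correct horse")),
    "bob": Account(_h("hunter2"), _h("hunter2"), expired=True),
}


class PamHandle:
    """pam_start(): binds a user to the application's conversation function."""

    def __init__(self, user, conv):
        self.user, self.conv = user, conv


# --- auth module: it can only talk to the user through the conversation function ---
def pam_unix_auth(pamh):
    reply = pamh.conv(PAM_PROMPT_ECHO_OFF, "Password: ")
    if reply is None:
        return PAM_CONV_ERR          # application could not supply a plaintext
    acct = USERS.get(pamh.user)
    ok = acct is not None and hmac.compare_digest(_h(reply), acct.pw_hash)
    return PAM_SUCCESS if ok else PAM_AUTH_ERR


# --- account module: authorisation only, no user interaction needed ---
def pam_unix_acct(pamh):
    acct = USERS.get(pamh.user)
    if acct is None or acct.disabled:
        return PAM_PERM_DENIED
    if acct.expired:
        return PAM_ACCT_EXPIRED
    return PAM_SUCCESS


def run_stack(pamh, modules):
    """'required' control semantics: every module must succeed, first failure wins."""
    for module in modules:
        rc = module(pamh)
        if rc != PAM_SUCCESS:
            return rc
    return PAM_SUCCESS


def pam_authenticate(pamh):
    return run_stack(pamh, [pam_unix_auth])


def pam_acct_mgmt(pamh):
    return run_stack(pamh, [pam_unix_acct])


# --- Samba side (toy): challenge/response verified without ever seeing a plaintext ---
def make_response(secret, challenge):
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def smb_check_response(user, challenge, response):
    acct = USERS.get(user)
    expected = make_response(acct.secret, challenge) if acct else b""
    return acct is not None and hmac.compare_digest(expected, response)


def smb_no_plaintext_conv(style, prompt):
    # The server holds only the binary challenge/response blobs, so it cannot answer.
    return None


def smb_session_setup(user, challenge, response):
    """Authenticate with the protocol's own mechanism, then use PAM for authorisation only."""
    if not smb_check_response(user, challenge, response):
        return PAM_AUTH_ERR
    return pam_acct_mgmt(PamHandle(user, smb_no_plaintext_conv))


def login_with_password(user, password):
    """A login-style application that does hold the plaintext can run the full stack."""
    pamh = PamHandle(user, lambda style, prompt: password)
    rc = pam_authenticate(pamh)
    return rc if rc != PAM_SUCCESS else pam_acct_mgmt(pamh)
```

Running `pam_authenticate` with the SMB server's conversation function returns PAM_CONV_ERR, which is the "nothing pluggable" problem in miniature: the only channel a stacked module has to the user is a text prompt, and the blobs never fit through it. `smb_session_setup` sidesteps that by doing the challenge/response check itself and calling only `pam_acct_mgmt`, so expired or disabled accounts are still refused by the same account modules a console login would consult.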