W2K Domain Login Problem with 2.2.0

Jeremy Allison jeremy at valinux.com
Sun Apr 22 09:14:51 GMT 2001


On Sun, Apr 22, 2001 at 06:59:44PM +1000, Andrew Bartlett wrote:

> I thought winbind provided pam support?  It makes things go in a bit of
> a loop, but it shouldn't be fatal.  Can I log into a winbind'ed machine
> with OpenSSH?  Do I use that mangled DOMAIN\username?  If so it should
> work.

Yes it does. However, I'm not sure how tested it has been,
especially with the new pam changes.

> OK, I need to read up on NT Domains...

That would be "a good thing" :-).

> I can only see a case for not checking with the local PAM setup where
> there is no association between the samba authentication data and what
> getpwnam() returns.  (This is what Samba-TNG is doing, if I recall).  So
> long as there is that link, and particularly when there are local
> accounts the local sysadmin might disable an account, we MUST check with
> PAM.

That seems reasonable.

BTW: I've been looking at the code in passdb/pampass.c

I'm going to make some changes so that we are explicit
about which calls are internal to our code, and which
are real libpam.so calls. Currently you use function
calls such as pam_auth() and pam_account(), which look
on the surface to be real libpam calls. I'm going to
change these and others to add prefixes to them to make it clear
they're not provided by the pam library. It will also
help ensure the pam namespace isn't polluted by
us in case other vendors providing pam start to get
creative with "supplementary" function names. 

Expect changes tomorrow (I'm *too* tired right now.. :-).

Jeremy.

-- 
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------
