W2K Domain Login Problem with 2.2.0
Andrew Bartlett
abartlet at pcug.org.au
Sun Apr 22 09:19:43 GMT 2001
Jeremy Allison wrote:
>
> On Sun, Apr 22, 2001 at 06:59:44PM +1000, Andrew Bartlett wrote:
>
> > I thought winbind provided pam support? It makes things go in a bit of
> > a loop, but it shouldn't be fatal. Can I log into a winbind'ed machine
> > with OpenSSH? Do I use that mangled DOMAIN\username? If so it should
> > work.
>
> Yes it does. However, I'm not sure how tested it has been,
> especially with the new pam changes.
>
> > OK, I need to read up on NT Domains...
>
> That would be "a good thing" :-).
>
> > I can only see a case for not checking with the local PAM setup where
> > there is no association between the samba authentication data and what
> > getpwnam() returns. (This is what Samba-TNG is doing, if I recall). So
> > long as there is that link, and particularly when there are local
> > accounts the local sysadmin might disable an account, we MUST check with
> > PAM.
>
> That seems reasonable.
>
> BTW: I've been looking at the code in passdb/pampass.c
>
> I'm going to make some changes so that we are explicit
> about which calls are internal to our code, and which
> are real libpam.so calls. Currently you use function
> calls such as pam_auth() and pam_account(), which look
> on the surface to be real libpam calls. I'm going to
> change these and others to add prefixes to them to make it clear
> they're not provided by the pam library. It also will
> help ensure the pam namespace isn't polluted by
> us in case other vendors providing pam start to get
> creative with "supplementary" function names.
>
> Expect changes tomorrow (I'm *too* tired right now.. :-).
>
> Jeremy.
>
Already done, I noticed the same problem. Expect a patch tomorrow -
I've got a few hours left in me :-)
--
Andrew Bartlett
abartlet at pcug.org.au