W2K Domain Login Problem with 2.2.0

Andrew Bartlett abartlet at pcug.org.au
Sun Apr 22 09:19:43 GMT 2001

Jeremy Allison wrote:
> On Sun, Apr 22, 2001 at 06:59:44PM +1000, Andrew Bartlett wrote:
> > I thought winbind provided pam support?  It makes things go in a bit of
> > a loop, but it shouldn't be fatal.  Can I log into a winbind'ed machine
> > with OpenSSH?  Do I use that mangled DOMAIN\username?  If so it should
> > work.
> Yes it does. However, I'm not sure how tested it has been,
> especially with the new pam changes.
> > OK, I need to read up on NT Domains...
> That would be "a good thing" :-).
> > I can only see a case for not checking with the local PAM setup where
> > there is no association between the samba authentication data and what
> > getpwnam() returns.  (This is what Samba-TNG is doing, if I recall).  So
> > long as there is that link, and particularly when there are local
> > accounts the local sysadmin might disable an account, we MUST check with
> > PAM.
> That seems reasonable.
> BTW: I've been looking at the code in passdb/pampass.c
> I'm going to make some changes so that we are explicit
> about which calls are internal to our code, and which
> are real libpam.so calls. Currently you use function
> calls such as pam_auth() and pam_account(), which look
> on the surface to be real libpam calls. I'm going to
> change these and others to add prefixes to them to make it clear
> they're not provided by the pam library. It also will
> help ensure the pam namespace isn't polluted by
> us in case other vendors providing pam start to get
> creative with "supplementary" function names.
> Expect changes tomorrow (I'm *too* tired right now.. :-).
> Jeremy.

Already done, I noticed the same problem.  Expect a patch tomorrow -
I've got a few hours left in me :-)

Andrew Bartlett
abartlet at pcug.org.au
