W2K Domain Login Problem with 2.2.0

Steve Langasek vorlon at netexpress.net
Mon Apr 23 00:26:33 GMT 2001


On Sun, 22 Apr 2001, Jeremy Allison wrote:

> On Sun, Apr 22, 2001 at 10:58:05AM +1000, Andrew Bartlett wrote:

> > Samba now checks with pam's account management facility as to the
> > validity of usernames, even if it is using encrypted passwords.  This
> > was added just before release.

> Yeah - I'm looking at this now. I'm not sure this is the
> correct thing to do. What if the system is using winbindd ?
> What will be the interaction with pam and winbindd usernames
> (which are of the form DOMAIN\user) ?

> I'm inclined to remove this unless I can prove it won't
> break winbindd systems.

Ah... It will always be possible to configure PAM in such a way that something
will break.  If you have a system that's authenticating non-local users, and
you're using 'account required pam_unix.so' in the PAM config, the fix is
simple -- don't use pam_unix.so.  Use pam_permit.so instead.

If there are account management checks that it's reasonable for pam_winbind to
provide (such as returning any 'account expired' codes from the server), the
module should be fixed to do so.  If not, the pam_acct_mgmt call in
pam_winbind should be reduced to a no-op for compatibility.

Do the usernames from winbindd map to local usernames on the unix system?  If
so, something should provide this mapping function for PAM.  If not, Samba's
PAM config shouldn't be invoking PAM modules that aren't meaningful for
non-local users.

Steve Langasek
postmodern programmer
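
Added example, not part of the original message and not Samba or Linux-PAM code: a small check that parses a pam.d service file and flags the configuration the message describes, an account stack that makes pam_unix.so mandatory. The file name /etc/pam.d/samba, both sample configs and the function names are assumptions constructed for illustration.

```python
import re

# Constructed sample: a Samba PAM service file as the message describes it,
# authenticating through winbind but keeping pam_unix in the account stack.
SAMPLE_BROKEN = """\
# /etc/pam.d/samba (constructed sample, path is an assumption)
auth     required  pam_winbind.so
account  required  pam_unix.so
session  required  pam_permit.so
"""

# Constructed sample: the same file with the change the message suggests.
SAMPLE_FIXED = SAMPLE_BROKEN.replace("account  required  pam_unix.so",
                                     "account  required  pam_permit.so")

# type, control (keyword or [value=action ...]), module path, optional arguments
LINE_RE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return (type, control, module, args) tuples from a pam.d service file."""
    text = text.replace("\\\n", " ")           # join backslash-continued lines
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        m = LINE_RE.match(line)
        if m:                                  # @include lines do not match
            kind, control, module, args = m.groups()
            # keep only the module file name so full paths compare equal
            rules.append((kind.lstrip("-"), control,
                          module.rsplit("/", 1)[-1], args))
    return rules

def account_findings(text):
    """List account rules where pam_unix.so is mandatory for every user."""
    findings = []
    for kind, control, module, _ in parse_pam(text):
        if (kind == "account" and module == "pam_unix.so"
                and control in ("required", "requisite")):
            findings.append(f"account {control} {module}")
    return findings

if __name__ == "__main__":
    for name, cfg in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(name, account_findings(cfg) or "no mandatory pam_unix account rule")
```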
