W2K Domain Login Problem with 2.2.0

Andrew Bartlett abartlet at pcug.org.au
Mon Apr 23 14:29:25 GMT 2001

Gerald Carter wrote:
> Jeremy Allison wrote:
> >
> > Ok - I've been playing with this a bit and I'm coming
> > to the conclusion we should compile Linux Samba with
> > pam turned *OFF* by default, and let those admins
> > who want it recompile with the --with-pam option for
> > a PDC.
> Yeah!

NOTE:  This is exactly how we ship already.  

> > Now either we *always* control the pam.d/samba file that is
> > used on install, or we skip this whole ugly mess and ship
> > with PAM *off* by default, and let those admins who want
> > it turn it on....

We do, it's called RPM, and it ships with a valid, known good
configuration, or even better a reference (pam_stack) to the
configuration that the rest of the system uses.

> >
> > What concerns me is shipping an rpm on Linux that *works*, out
> > of the box for approx. 100% of our users. If adding pam by
> > default takes that figure down to 99% then it's *NOT* worth
> > the support hassles.

None of the bug reports so far have been from RPM users.  Furthermore,
when the distributions start shipping Samba 2.2, they will have proven
good configs already.  In fact the configs that they ship already should

> >
> > It has to be *bulletproof*. I'm not sure it is right now
> > due to the disparity in PAM modules/implementations on Linux
> > and Solaris boxes.
> >
> > Thoughts anyone ?
> I 100% agree.  Also, we provided no documentation
> on the change in semantics, so admins did not know
> to expect different behavior.  I like PAM in some things,
> I'm just a little reserved about it in Samba.  (I know
> I'll get flamed for that later).

I 100% disagree.  It is fundamentally broken to allow a user to access a
server's resources if the admin has specifically banned them from doing
just that.  Every other authentication service on the server obeys this
directive, just not Samba.  Added to that, Samba claims to have PAM
support, and admins expect that to be implemented properly.  (Hence much
of my hard work over the last little while, and I have more PAM patches
waiting for submission).

What we need is documentation. (I wrote a change for one of the
manpages, but I think it got left/stuck on tridge's computer).  

We have only had 3 cases so far (that I have seen), and it only affected
domain logons - they were marked as experimental anyway, and only from
Win2k.  I think there might be some small weird interaction in the
presentation of the username to PAM in that case, but I haven't got to
the bottom of it.

Andrew Bartlett
abartlet at pcug.org.au
