W2K Domain Login Problem with 2.2.0

Steve Langasek vorlon at netexpress.net
Mon Apr 23 14:31:25 GMT 2001


On Mon, 23 Apr 2001, Gerald Carter wrote:

> > Now either we *always* control the pam.d/samba file that is
> > used on install, or we skip this whole ugly mess and ship
> > with PAM *off* by default, and let those admins who want
> > it turn it on....

> > What concerns me is shipping an rpm on Linux that *works*, out
> > of the box for approx. 100% of our users. If adding pam by
> > default takes that figure down to 99% then it's *NOT* worth
> > the support hassles.

> > It has to be *bulletproof*. I'm not sure it is right now
> > due to the disparity in PAM modules/implementations on Linux
> > and Solaris boxes.

> > Thoughts, anyone?

> I 100% agree.  Also, we provided no documentation
> on the change in semantics, so admins did not know
> to expect different behavior.  I like PAM in some things,
> I'm just a little reserved about it in Samba.  (I know
> I'll get flamed for that later).

I'm enthusiastic about PAM in Samba, but I think these changes went in a
little too close to release time without the level of testing they should've
received.  I did identify one bug in the handling of pam_setcred(), but it
appears there may be other serious bugs that need to be caught before
recommending the use of PAM here.

Jeremy, I'm curious to know if the problems you found when using pam_unix on
RedHat 6.2 affect CVS as well as the 2.2.0 release.  I'm not able to reproduce
the error on my Linux PDC, using Linux-PAM 0.72 and a Samba CVS build from the
day after release.  I don't recall what version of Linux-PAM RedHat 6.2
shipped with, but I thought it was 0.72; that suggests this PAM bug may
already be fixed in CVS.

Steve Langasek
postmodern programmer




