W2K Domain Login Problem with 2.2.0
gcarter at valinux.com
Mon Apr 23 14:38:37 GMT 2001
Andrew Bartlett wrote:
> That's it as it stands anyway, but admins LIKE pam,
> because all applications use the same criteria deciding
> on a user's validity - without PAM, my uni's IT department
> couldn't allow logins into its SSH server - because
> ssh.com doesn't support PAM. OpenSSH however supported
> pam and allows users to authenticate against LDAP.
> PAM is worth the effort - it really is.
Some admins like PAM. Some just like it some of the time.
> OK, so we have found our problem. It's misconfigured
> systems - users who are not using our supplied PAM config.
I'm no RPM expert, but isn't this our fault?
%attr(-,root,root) %config(noreplace) /etc/pam.d/samba
> We already ship without pam enabled, and 'those admins'
> are turning it on.
Andrew, this sounds like a subjective statement. My
experience has been the opposite actually. Do we
have numbers one way or the other? Just curious.
> We have not had any reports from users of the Linux
Not true. The Win2k domain logons were broken in
> Turning PAM OFF is an admin nightmare, as that will
> also turn off plain-text passwords on those systems
Guys, we are talking about Linux here. Not all the servers
in the world. Maybe Solaris, but we have all sorts of
other servers out there as well.
> Do note, there is another thread going on at the moment -
> and somebody mentioned that Samba's lack of proper PAM
> support as a reason people aren't using Samba.
That is this same thread IMO (just another name) (hey John :) )
> Yes, we need to do it properly, but not supporting PAM
> is NOT an option.
We have conflicting design goals at the moment. The PAM
support was thrown in at the last minute and caused
some things to break. It was not properly documented
and has come back to bite us.
There, I said it. It was a bad call on our part to do this
as a last minute change. Period.
Now that I have that off my chest, I will say that
surprisingly enough, I agree with Andrew. Samba should
be able to integrate with PAM. However, and this is a big
thing, we need to pay attention to all the corner cases as
Jeremy is right. We have too many people depending
on us to not get this right. It has to be 100%.
Here are some possible scenarios...
o Standalone samba server - PAM works fine
o Samba as a member server - domain security. We need
to work this one out. Remote users, local users, etc...
o Samba as a PDC - All local users
How does a full blown SAM-like account storage system
fit in here? A simple thing like disabling an account
in User Manager for Domains...which should take precedence?
Samba's passdb or PAM? Can we assume we know which one the
UNIX admin wants? What if it is an NT shop with a Samba
btw....passwd chat cannot go away completely because
not all systems can use PAM. Although on those that do,
PAM should be used I agree completely.
There are many more questions than one would initially
assume for this problem to be addressed in one weekend.
Perhaps we should just set up a conf call and hash it out.
Then post an RFC on samba-technical.
None of us are working in isolation and yet the PAM
support was kind of thrown in there without really
talking it out with everyone (at least I was out of
So I'll probably get flamed for some of this, but hey :)
It's Monday morning here and I have plenty of coffee
(not that coffee really relates to this story, but it
is always "a good thing" TM) :-)
/\ Gerald (Jerry) Carter Professional Services
\/ http://www.valinux.com/ VA Linux Systems gcarter at valinux.com
http://www.samba.org/ SAMBA Team jerry at samba.org
http://www.plainjoe.org/ jerry at plainjoe.org
"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )