W2K Domain Login Problem with 2.2.0

Andrew Bartlett abartlet at pcug.org.au
Mon Apr 23 15:07:16 GMT 2001


Gerald Carter wrote:
> 
> Andrew Bartlett wrote:
> >
> > That's it as it stands anyway, but admins LIKE pam,
> > because all applications use the same criteria deciding
> > on a users validity - without PAM, my uni's IT department
> > couldn't allow logins into its SSH server - because
> > ssh.com doesn't support PAM.  OpenSSH however supported
> > pam and allows users to authenticate against LDAP.
> > PAM is worth the effort - it really is.
> 
> Some admins like PAM.  Some just like it some of the time.
> :-)
> 
> >
> > OK, so we have found our problem.  It's misconfigured
> > systems - users who are not using our supplied PAM config.
> 
> I'm no RPM expert, but isn't this our fault?
> 
> %attr(-,root,root) %config(noreplace) /etc/pam.d/samba

Nope, because the install script stomped all over /etc/pam.d/samba
anyway.  That makes the spec file broken, but not broken in this
respect.

> 
> > We already ship without pam enabled, and 'those admins'
> > are turning it on.
> 
> Andrew, this sounds like a subjective statement.  My
> experience has been the opposite actually.  Do we
> have numbers one way or the other?  Just curious.

Most admins are proxied by most Linux distributions - who will probably
enable PAM whatever happens.  (Look at what RedHat did with --with--ssl)

> 
> > We have not had any reports from users of the Linux
> > RPMS.
> 
> Not true.  The Win2k domain logons were broken in
> our RPMs.
> 
> > Turning PAM OFF is an admin nightmare, as that will
> > also turn off plain-text passwords on those systems
> 
> Guys, we are talking about Linux here.  Not all the servers
> in the world.  Maybe Solaris, but we have all sorts of
> other servers out there as well.
> 

--snip--

> > Yes, we need to do it properly, but not supporting PAM
> > is NOT an option.
> 
> We have conflicting design goals at the moment.  The PAM
> support was thrown in at the last minute and caused
> some things to break.  It was not properly documented
> and has come back to bite us.
> 
> There, I said it.  It was a bad call on our part to do this
> as a last minute change.  Period.
> 
> Now that I have that off my chest, I will say that
> surprisingly enough, I agree with Andrew.  Samba should
> be able to integrate with PAM.  However, and this is a big
> thing, we need to pay attention to all the corner cases as
> well.
> 
> Jeremy is right.  We have too many people depending
> on us to not get this right.  It has to be 100%.
> 
> Here some possible scenarios...
> 
>  o Standalone samba server - PAM works fine
> 
>  o Samba as a member server - domain security.  We need
>    to work this one out.  Remote users, local users, etc...

Winbind is the pam module in this case, and winbind is currently the
same as pam_permit :-)

> 
>  o Samba as a PDC - All local users
> 
> How does a full blown SAM-like account storage system
> fit in here?  A simple thing like disabling an account
> in User Manager for Domains...which should take precedence?
> Samba's passdb or PAM?  Can we assume we know which one the
> UNIX admin wants?  What if it is an NT shop with a Samba
> appliance?

We should AND the requirements, i.e. check with both.  If it's an NT shop
we just make PAM pam_permit and let it go.

> 
> btw....passwd chat cannot go away completely because
> not all systems can use PAM.   Although on those that do,
> PAM should be used I agree completely.

Good, a patch will be delivered shortly.  (There is one on samba-patches
already, actually - but I'll upload a later version).

> 
> There are many more questions than one would initially
> assume for this problem to be addressed in one weekend.
> Perhaps we should just setup a conf call and hash it out.
> Then post an RFC on samba-technical.
> 
> None of us are working in isolation and yet the PAM
> support was kind of thrown in there without really
> talking it out with everyone (at least I was out of
> the loop).
> 
> So i'll probably get flamed for some of this, but hey :)
> It's Monday morning here and I have plenty of coffee
> (not that coffee really relates to this story, but it
> is always "a good thing" TM) :-)
> 

-- 
Andrew Bartlett
abartlet at pcug.org.au
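The "AND the requirements" point above (Samba's passdb and PAM both have to say yes, with pam_permit making the PAM half a no-op for an NT shop) can be made concrete with the three /etc/pam.d/samba variants below. This is an added illustration, not a file from the thread or from the Samba 2.2 distribution; the module names are the standard Linux-PAM ones (pam_permit, pam_unix) plus Samba's own pam_winbind, and the stacking is an assumption about how an admin would write it, not something Samba generates.

```text
# /etc/pam.d/samba -- Linux-PAM syntax (added example, not shipped by Samba)
#
# Variant (a): "NT shop", Samba appliance.  Account state lives only in
# Samba's passdb (e.g. an account disabled in User Manager for Domains).
# pam_permit.so always succeeds, so "passdb AND PAM" reduces to "passdb".
auth     required   pam_permit.so
account  required   pam_permit.so
session  required   pam_permit.so
password required   pam_permit.so

# Variant (b): Samba as a PDC with all-local UNIX users.  Both checks now
# bite: a user disabled in passdb is refused by Samba, and a user whose
# /etc/shadow entry is expired or locked is refused by pam_unix's account
# stack, even if smbpasswd still thinks the account is fine.
# auth     required   pam_unix.so
# account  required   pam_unix.so
# session  required   pam_unix.so
# password required   pam_unix.so

# Variant (c): Samba as a domain member server.  pam_winbind.so defers to
# the domain controller for the user's validity; local users can be kept
# by stacking pam_unix.so first with "sufficient".
# auth     sufficient pam_unix.so
# auth     required   pam_winbind.so
# account  sufficient pam_unix.so
# account  required   pam_winbind.so
```

Only one variant should be live at a time; the commented-out blocks are shown side by side so the difference is visible. The caveat a practitioner wants: with variant (a) PAM contributes no policy at all, so every lockout, expiry and disable decision has to be enforced in passdb, and an RPM whose %config(noreplace) line is undone by its install script (as described earlier in the thread) will silently swap whichever variant the admin chose for whatever the package ships.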