W2K Domain Login Problem with 2.2.0

MCCALL,DON (HP-USA,ex1) don_mccall at hp.com
Mon Apr 23 18:52:14 GMT 2001


Jeremy,
I absolutely agree; compile with-pam, but ship with smb.conf pam option
to no.
We have seen a number of requests from HP customers to have pam
capability shipped with samba, but we have not done so because there was
no smb.conf option to control this feature.  I'm very excited to see
this in the works!
Thanks,
don

-----Original Message-----
From: Jeremy Allison [mailto:jeremy at valinux.com]
Sent: Monday, April 23, 2001 11:28 AM
To: Andrew Bartlett
Cc: Simo Sorce; samba-technical at samba.org
Subject: Re: W2K Domain Login Problem with 2.2.0


On Mon, Apr 23, 2001 at 06:10:48PM +1000, Andrew Bartlett wrote:
>
> It's called pam_permit, and it's already a config option.  Simply set the
> lines in your /etc/pam.d/samba or /etc/pam.conf to use pam_permit.so as
> the module, and pam is instantly disabled.  (Don't do this for
> authentications though - as this will open your server wide open).
> 
> It should be safe for the rest, as that's basically what we do when we don't
> compile with pam, account and session checks just disappear.

No, this is not acceptable, as it is not an option under
Samba control.

The problem is people don't even know they're using pam
or why it's broken in samba, as is evidenced by some of
the bug reports we're getting.

The safest default is ship with pam *OFF*, then allow
admins who want it to turn it on. Simo is right, a smb.conf
option is the best solution here.

Jeremy.

-- 
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------
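
Added example, not part of the original thread and not Samba code: a small audit of the PAM configuration discussed above, reporting where pam_permit.so makes up a whole stack (`open-auth` for auth, `checks-disabled` for account, session or password) and where it is mixed with other modules (`review`). The function names, verdict labels and sample configuration are constructed for illustration.

```python
import re
from collections import defaultdict

# type, control (plain word or [bracketed] form), module path
RULE = re.compile(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")
TYPES = {"auth", "account", "session", "password"}

def parse_rules(text, service=None):
    """Yield (service, type, module) per rule. Pass service= for a
    /etc/pam.d/<service> file; leave it None for /etc/pam.conf, whose
    lines carry the service name in an extra first column."""
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        line = line.split("#", 1)[0].strip()             # drop comments
        svc = service
        if service is None:
            head = line.split(None, 1)
            if len(head) < 2:
                continue
            svc, line = head
        m = RULE.match(line)
        if not m:
            continue                                     # blank, @include, ...
        ptype = m.group(1).lstrip("-").lower()
        if ptype in TYPES:
            yield svc.lower(), ptype, m.group(3).rsplit("/", 1)[-1]

def audit_permit(text, service=None):
    """Map (service, type) -> verdict for every stack using pam_permit.so."""
    stacks = defaultdict(list)
    for svc, ptype, module in parse_rules(text, service):
        stacks[(svc, ptype)].append(module)
    verdicts = {}
    for (svc, ptype), modules in stacks.items():
        if "pam_permit.so" not in modules:
            continue
        if any(m != "pam_permit.so" for m in modules):
            verdicts[(svc, ptype)] = "review"            # mixed stack: inspect by hand
        elif ptype == "auth":
            verdicts[(svc, ptype)] = "open-auth"         # nothing verifies credentials
        else:
            verdicts[(svc, ptype)] = "checks-disabled"
    return verdicts

# Constructed sample in /etc/pam.d/samba style (no service column).
SAMPLE = """\
auth     required  pam_permit.so
account  required  /lib/security/pam_permit.so
session  required  pam_unix.so
-session optional  pam_permit.so
password [success=1 default=ignore] pam_unix.so
"""

if __name__ == "__main__":
    for key, verdict in sorted(audit_permit(SAMPLE, service="samba").items()):
        print(key, verdict)
```

The `review` verdict is deliberate: a pam_permit.so line at the end of a stack that also contains a real module is not by itself a bypass, so only all-permit stacks are reported as open.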



