AuthRewrite Possbilities (was Re: Alternative Auth Methods.)

The DJ hartman at
Fri Nov 2 01:32:15 GMT 2001

> There seems to be a constant babble as people want to do interesting
> things with Authentication.  I've been working in this area for quite
> months now, and can now hold out some promise...
> The task is not nearly as difficult as it used to be.  I have done a
> large amount of work towards allowing this kind of thing (committed only
> 24 hours ago), so with a little more code it is quite possible.  (In
> HEAD, where I am working).
> There are a number of approaches, and a number of issues to be worked
> out.
> The best approach is the 'passdb' approach, where you write a custom
> passdb module, and that module queries the SQL database to get the
> user's SAM_ACCOUNT, containing the various password hashes.  This is
> then compared in the same way that a smbpasswd file is compared.
> AuthRewrite Backend:
> The other way is to write an authentication backend, (look at the code
> in smbd/auth*.c) and to have it query the database/remote
> server/whatever you like and return a SAM_ACCOUNT (and a few other
> things) as fully filled out as possible.
> For example, I think that it would be *very* neat to be able to send the
> NTLM challange/response packet to a modified kerberos server, where they
> could be checked.  This would give a single authentication database that
> is much easier to keep tabs on.
> There are *lots* of possibilities here - I've tried to create a flexible
> (but sane) interface and I hope others can make good use of it.  In
> particular it can change to meet the needs of developers.
> The main issue with both these approaches is 'what local system user
> should I become'?  If you intend to have local system users of the same
> names, then it is trivial, other options include mapping all users to a
> common guest account.
> A number of operating systems have 'account lockout/disabled' mechanisms
> that samba currently doesn't honor.  I've been working with Edmund Lam
> <epl at> on Tru64 TCB (see patch 494 on
>, but I know there must be others.  It is now
> possible to add a simple amount of code to disable/restrict these users
> in the same way /bin/login might.  We now have a single choke point -
> check_password() - no login will be accepted except via this point.
> Kerberos:
> Currently kerberos support (which Samba HEAD now supports) is tacked on
> the side.  This will be moved inside the authentication subsystem as
> soon as I get a chance.
> I know that a number of people are interested in this, so if you have
> ideas or questions about how the code works, or proposed patches, give
> me a yell.
> Note that is work is only in the HEAD development branch and due to the
> scale of the work *will not* be merged into the 2.2 series, it will
> appear as Samba 3.0 whenever that appears.
> Andrew Bartlett

Interesting, this might be used to support NetInfo someday. (Mac OS X)
Now if for once, apple assisted this little project, then we might be able
to provide ldap like netinfo support. That would be great.


> Sean Elble wrote:
>> Jason,
>> This question has come up rather frequently lately, and probably should be
>> added to a FAQ. Anyway, no functionallity exists in Samba to authenticate to
>> a SQL database, and such an option would probably be a rather difficult
>> piece of code to create. If this is truly what you want, you might want to
>> look for a PAM module that allows you to authenticate to a SQL database, and
>> then build Samba with PAM support, and use PAM through Samba to authenticate
>> your Windows users. This isn't a perfect solution, as it requires you to use
>> clear-text passwords, but it would indeed work. Hope that helps.
>> -----------------------------------------------
>> Sean P. Elble
>> Editor, Writer, Co-Webmaster
>> (Formerly
>> elbles at
>> -----------------------------------------------
>> ----- Original Message -----
>> From: "Jason C. Leach" <jleach at>
>> To: <samba at>
>> Sent: Wednesday, October 31, 2001 11:37 PM
>> Subject: Alternative Auth Methods.
>>> hi,
>>> Are there any alternative authentication methods for Samba? Other
>>> thank the smbpasswd file?  I'd like to do PostgreSQL or mySQL. Why?
>>> Because I can do Exim/IMAP/POP3 Apache/Zope with SQL, if I could do
>>> Samba it would wrap it up into one nice DB for authentication.
>>> It does not have to be much, just the ability to get the data from
>>> a SQL query rather than a flat file query.
>>> Anyone interested in working on this if it does not exist?

Universiteit Twente
Derk-Jan 'The DJ' Hartman
ICQnr: 10111559
Mail:  mailto:hartman at

More information about the samba-technical mailing list