Removal of plaintext krb5 support.

Andrew Bartlett abartlet at pcug.org.au
Thu Nov 15 17:13:05 GMT 2001


Mike Gerdts wrote:
> 
> On Thu, 2001-11-15 at 14:42, Green, Paul wrote:
> > I maintain the port of Samba for the Stratus VOS system, which is a
> > POSIX-but-not-Unix operating system. I can port and run a whole lot of open
> > source / free software that is POSIX-1996 compliant and that follows the GNU
> > autoconf/configure model (I even run the native configure script these
> > days).  But we currently have nothing like PAM support and no plans to add
> > it.  We don't have dynamic link libraries or dynamically loadable code,
> > either.  (None of these things are in POSIX-1996).  Having Samba require PAM
> > support would create a real headache for me.  Please don't assume that we
> > are all running Unix systems.
> >
> > I do agree with your point about autoconf. I think it is truly marvelous.
> 
> FWIW, the build environment for Linux-PAM provides a mechanism for
> building PAM statically.  I have never built it that way, so I cannot
> vouch for how well it works.  I do, however, now have a better
> understanding of why one would want to do this.
> 
> If Samba had and maintained something like --with-pam-static and
> --with-pam-static-modules=krb5,krb4,mylocalcustomhack then Samba could
> take advantage of PAM without the need for dynamically loaded modules.
> So long as you are happy with plaintext passwords, it also gives you an
> easy way to add custom authentication mechanisms without having to learn
> the (what I assume to be) twisted maze of Samba authentication.  PAM
> modules are quite easy to write.

The twisted maze of Samba authentication has just had a 4 lane highway
driven straight through it.  If you have a look at the current HEAD code,
you will see a (reasonably) sane interface to these things (start at
check_password()), despite the challenge-response nature of the
protocol.  We are about to add loadable modules to this, and if anybody
wants to write a plaintext-krb5 module I would welcome it.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net



