Removal of plaintext krb5 support.
Andrew Bartlett
abartlet at pcug.org.au
Thu Nov 15 17:13:05 GMT 2001
Mike Gerdts wrote:
>
> On Thu, 2001-11-15 at 14:42, Green, Paul wrote:
> > I maintain the port of Samba for the Stratus VOS system, which is a
> > POSIX-but-not-Unix operating system. I can port and run a whole lot of open
> > source / free software that is POSIX-1996 compliant and that follows the GNU
> > autoconf/configure model (I even run the native configure script these
> > days). But we currently have nothing like PAM support and no plans to add
> > it. We don't have dynamic link libraries or dynamically loadable code,
> > either. (None of these things are in POSIX-1996). Having Samba require PAM
> > support would create a real headache for me. Please don't assume that we
> > are all running Unix systems.
> >
> > I do agree with your point about autoconf. I think it is truly marvelous.
>
> FWIW, the build environment for Linux-PAM provides a mechanism for
> building PAM statically. I have never built it that way, so I cannot
> vouch for how well it works. I do, however, now have a better
> understanding of why one would want to do this.
>
> If Samba had and maintained something like --with-pam-static and
> --with-pam-static-modules=krb5,krb4,mylocalcustomhack then Samba could
> take advantage of PAM without the need for dynamically loaded modules.
> So long as you are happy with plaintext passwords, it also gives you an
> easy way to add custom authentication mechanisms without having to learn
> the (what I assume to be) twisted maze of Samba authentication. PAM
> modules are quite easy to write.
The twisted maze of Samba authentication has just had a 4 lane highway
driven straight through it. If you have a look at the current HEAD code,
you will see a (reasonably) sane interface to these things (start at
check_password()), despite the challenge-response nature of the
protocol. We are about to add loadable modules to this, and if anybody
wants to write a plaintext-krb5 module I would welcome it.
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net