Samba and PAM patches

Bikram Assal bikram_wku at yahoo.com
Sat Mar 15 07:15:48 GMT 2003



First of all, I would like to express my apologies.
I only intended to express some ideas or ask for any
suggestions by posting this patch on the Samba mailing
list.
Since this is my first time doing modification, I
might have overlooked some points.

--- Andrew Bartlett <abartlet at samba.org> wrote:

> Indeed, if you are working with plaintext passwords
> (Win9X domain logons
> will do that, if not much more...), I don't see why
> you needed to modify
> Samba at all...
> 

Actually, we were not working with plain-text
passwords.
We didn't want to use plain-text passwords.
As we read some time back, and that was 1 year ago,
if we were to use encrypted passwords, Samba would use
the smbpasswd file to match the passwords.

In our case, since we wanted to use encrypted
passwords and since all the accounts are maintained on
an Oracle database server, we didn't want to export all
the user details into the smbpasswd file on the local
Linux server, since doing that would not keep
synchronization as and when users change their
passwords, plus anytime any new student joins the
school we would then have to manually run the script
to export new usernames and passwords locally.
So, to work around that, we thought of bypassing the
smbpasswd file lookup by Samba and getting user account
information from the remote Oracle server.


> You open files in /tmp without regard for where they
> point, you have
> specifically disabled the tests that prevent the
> dangerous use of
> sprintf() and strcpy() and you haven't read the diff
> before posting
> (because you would have cleaned it up if you had).
> 

Opening a file in the /tmp location was intended only for
the purpose of debugging.
That was supposed to be temporary.
I agree that I could have done better work had I
read more on how to clean the patch.

 
> Any interface that allows the plaintext password out
> of the oracle
> server should be carefully considered - if you have
> the plaintext
> passwords so easily accessible, why not just write a
> perl script to
> export to smbpasswd?
> 

The same reason. By exporting to smbpasswd we would
have to make sure that accounts are synchronized
between the remote Oracle server and the local Linux
server that would run the Samba server. That was not
advisable.
Anytime a new account is created we would then have to
export it.

So, to achieve custom authentication, we modified the
PAM authentication routines to suit our needs.


And to bypass the smbpasswd file lookup by Samba
server and to get the challenge text used by Samba, we
modified the Samba Server source code.

Again, my whole intention was to share some views and
ideas with the Samba mailing list just to have your
suggestions and criticisms at the same time :) .

Being a rookie, I guess I made mistakes, I agree.

Anyways, thanks a lot for your mail, Andrew.


Bikram.
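
The two review points quoted above (files opened in /tmp "without regard for where they point", and unchecked sprintf()/strcpy()) can be handled as in the following sketch. It is an added example, not code from the posted patch or from Samba; the function names, the log format and the /tmp/dbgdemo path are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a debug log for appending; refuse symlinks, non-regular, foreign or hard-linked files. */
int open_debug_log(const char *path)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    struct stat st;
    if (fd < 0)
        return -1;                      /* a symlink at path fails here */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Bounded formatting: snprintf() plus a %.40s precision instead of sprintf()/strcpy(). */
int log_user(int fd, const char *user)
{
    char line[64];
    int n = snprintf(line, sizeof line, "auth attempt user=%.40s\n", user);
    return (n > 0 && write(fd, line, (size_t)n) == n) ? n : -1;
}

/* Constructed scenario: a symlink sits at the log path. Returns 1 when the
 * open is refused and the file the link points at is left empty. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/dbgdemo.XXXXXX", target[64], link_path[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link_path, sizeof link_path, "%s/debug.log", dir);
    int t = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (t < 0 || symlink(target, link_path) != 0) return -1;
    close(t);
    int fd = open_debug_log(link_path);
    struct stat st;
    int ok = fd < 0 && stat(target, &st) == 0 && st.st_size == 0;
    unlink(link_path); unlink(target); rmdir(dir);
    return ok;
}
```

A debug log of this kind should record the username only, never the password or the challenge/response material.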


