Samba and PAM patches

Andrew Bartlett abartlet at samba.org
Sat Mar 15 07:31:07 GMT 2003


On Sat, 2003-03-15 at 18:15, Bikram Assal wrote:
> 
> 
> First of all, I would express all my apologies.
> I only intended to express some ideas or ask for any
> suggestions by posting this patch on the Samba mailing
> list.
> Since this is my first time doing a modification, I
> might have overlooked some points.
> 
> --- Andrew Bartlett <abartlet at samba.org> wrote:
> 
> > Indeed, if you are working with plaintext passwords
> > (Win9X domain logons
> > will do that, if not much more...), I don't see why
> > you needed to modify
> > Samba at all...
> > 
> 
> Actually we were not working with plain-text
> passwords.
> We didn't want to use plain-text passwords.
> As we read some time back and that was 1 year ago that
> if we were to use encrypted passwords, Samba would use
> smbpasswd file to match the passwords.
> 
> In our case, since we wanted to use encrypted
> passwords and since all the accounts are maintained on
> Oracle database server, we didn't want to export all
> the user details into smbpasswd file on the local
> Linux Server since doing that would not keep
> synchronization as and when users change their
> passwords plus anytime any new student joins the
> school we would have to then manually run the script
> to export new usernames and passwords locally.
> So, to work around that we thought of bypassing the
> smbpasswd file lookup by Samba and get user account
> information from remote Oracle Server.

Good answer.  And more importantly the correct answer - the problem is
you picked the wrong layer.  

See the code in source/passdb, particularly in HEAD.  If you have ready
access to the DB server, then this is the ideal place to implement your
module.  Look on the net for jelmer's pdb_sql module, as it will
probably do most of what you want already.

> > You open files in /tmp without regard for where they
> > point, you have
> > specifically disabled the tests that prevent the
> > dangerous use of
> > sprintf() and strcpy() and you haven't read the diff
> > before posting
> > (because you would have cleaned it up if you had).
> > 
> 
> Opening a file in /tmp location was intended only for
> the purpose of debugging.
> That was supposed to be temporary.
> I agree that I could have done a better work had I
> read more on how to clean the patch.
> 
>  
> > Any interface that allows the plaintext password out
> > of the oracle
> > server should be carefully considered - if you have
> > the plaintext
> > passwords so easily accessible, why not just write a
> > perl script to
> > export to smbpasswd?
> > 
> 
> The same reason. By exporting to smbpasswd we would
> have to make sure that accounts are synchronized
> between remote Oracle server and the local Linux
> Server that would run Samba Server. That was not
> advisable.
> Anytime a new account is created we would have to then
> export it..

Cronjobs work well, but you have to take care of nsswitch anyway, so you
should try and integrate your solution.  Indeed, live lookups have many
properties that make them highly advisable.

> So, to achieve custom authentication, we modified the
> PAM authentication routines to suit our needs.

Why force this into PAM?  PAM may be good for some things, but this is
one thing it's not good at...

Anyway, look into creating a passdb module for 2.2 or 3.0 (3.0
recommended).

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
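Two of the review points raised in this thread (a debug file opened in /tmp "without regard for where it points", and the build checks that flag sprintf() and strcpy()) are easiest to see in code. The block below is an added example written for this archive page; it is not part of the patch under discussion, nor Samba's own helpers. All function names are hypothetical, and the /tmp directory template and sample user names are constructed for the demonstration. It contrasts the bounded string helpers with their unbounded counterparts, and opens a debug file so that a name planted in a shared directory ahead of time (a dangling symlink here) is refused instead of followed.

```c
#define _DEFAULT_SOURCE
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Bounded stand-in for strcpy(): copies src only if it fits, terminator
 * included. Returns 0 on success, -1 with an empty dst if src is too long,
 * so the caller sees the refusal instead of a silent overflow. */
int bounded_copy(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (dstlen == 0) return -1;
    if (n >= dstlen) { dst[0] = '\0'; return -1; }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Bounded stand-in for sprintf(): formats "user=<name> uid=<uid>" into dst.
 * snprintf() reports the length it wanted, so an oversized result is
 * detected rather than written past the buffer. Returns 0 or -1. */
int format_log_line(char *dst, size_t dstlen, const char *user, long uid)
{
    int n = snprintf(dst, dstlen, "user=%s uid=%ld", user, uid);
    if (n < 0 || (size_t)n >= dstlen) {
        if (dstlen) dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Open a debug file in a shared directory without trusting the name:
 * O_EXCL refuses any pre-existing entry (a planted symlink included),
 * O_NOFOLLOW refuses symlinks where the platform has it, and fstat()
 * confirms we own a regular file before anything is written.
 * Returns an open descriptor, or -1 if any condition fails. */
int open_private_debug_file(const char *path)
{
    struct stat st;
    int flags = O_WRONLY | O_CREAT | O_EXCL;
#ifdef O_NOFOLLOW
    flags |= O_NOFOLLOW;
#endif
    int fd = open(path, flags, S_IRUSR | S_IWUSR);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Exercises the bounded helpers on constructed inputs; 1 if all hold. */
int check_bounded_strings(void)
{
    char small[8], line[32];
    int ok = 1;
    ok &= bounded_copy(small, sizeof small, "alice") == 0 && strcmp(small, "alice") == 0;
    ok &= bounded_copy(small, sizeof small, "alexander") == -1 && small[0] == '\0';
    ok &= format_log_line(line, sizeof line, "alice", 1000) == 0
          && strcmp(line, "user=alice uid=1000") == 0;
    ok &= format_log_line(line, 10, "alice", 1000) == -1;   /* 19 chars into 10 */
    return ok;
}

/* Exercises open_private_debug_file() in a fresh directory under /tmp
 * (constructed template). A dangling symlink is planted first, as another
 * user of /tmp could do; it must be refused while a fresh name is accepted
 * exactly once. Returns 1 if all expectations hold, 0 otherwise. */
int check_private_file(void)
{
    char dir[] = "/tmp/pamdbg.XXXXXX";
    char path[512], planted[512], target[512];
    int ok = 1, fd;

    if (mkdtemp(dir) == NULL) return 0;
    ok &= snprintf(path, sizeof path, "%s/debug.log", dir) < (int)sizeof path;
    ok &= snprintf(planted, sizeof planted, "%s/planted.log", dir) < (int)sizeof planted;
    ok &= snprintf(target, sizeof target, "%s/elsewhere", dir) < (int)sizeof target;
    ok &= symlink(target, planted) == 0;           /* the pre-planted link */

    fd = open_private_debug_file(path);            /* fresh name: accepted */
    ok &= fd >= 0;
    if (fd >= 0) {
        ok &= write(fd, "debug\n", 6) == 6;
        close(fd);
    }
    ok &= open_private_debug_file(path) == -1;     /* exists now: O_EXCL refuses */
    ok &= open_private_debug_file(planted) == -1;  /* symlink: refused, not followed */

    unlink(path);
    unlink(planted);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("bounded strings: %s\n", check_bounded_strings() ? "ok" : "FAIL");
    printf("private file:    %s\n", check_private_file() ? "ok" : "FAIL");
    return 0;
}
```

The fstat() ownership check is what makes the open safe even on a system without O_NOFOLLOW: O_EXCL alone already fails on any existing name, so the descriptor can only refer to a file this process created itself.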