Bad fallover to next authentication module?

Andrew Bartlett abartlet at
Thu Jul 8 09:15:34 GMT 2004

On Thu, 2004-07-08 at 18:48, Tom Alsberg wrote:
> I've observed that the auth subsystem will just try the next
> authentication module on any failure of the current one - is that
> intentional?

It is.

> I see it as a problem, since I cannot, for example, put a module on
> the beginning of the chain that will impose additional restrictions on
> authentication.

The auth modules are really not intended to provide a way to enforce
restrictions beyond the operation of each module.

> But that's probably not really correct either.

I'm not sure that the error from an earlier module is more relevant then
that from a later module.

> Why not use a scheme like in PAM, where there would be
> NT_STATUS_IGNORE which will go to the next module, and a failure will
> really be considered a failure (of course, if all modules do
> NT_STATUS_IGNORE, then it'll still fail)?
> Or, what should modules do in such cases?

The current system really is designed for a single module per
authentication - that is, only one module will actually be appropriate
for a given authentication.

If we want PAM like semantics, then we are going to need the complexity
of PAM syntax.  What exactly is it that you need, that causes you to
write a new auth module?

Perhaps we should add 'account' modules, that are separate (where we can
hook in PAM etc)

Andrew Bartlett
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list