Bad fallover to next authentication module?

Tom Alsberg alsbergt at cs.huji.ac.il
Thu Jul 8 09:34:32 GMT 2004


On Thu, Jul 08, 2004 at 07:15:34PM +1000, Andrew Bartlett wrote:
> If we want PAM like semantics, then we are going to need the complexity
> of PAM syntax.  What exactly is it that you need, that causes you to
> write a new auth module?

Well, we have our own "home-grown" network authentication system
called IDng, which handles plain text, one-time, and NTLM passwords.
I wrote an auth module for samba to interface with it.

In addition, we have stuff like disabled accounts, and authorization
access control (which users may log in through which machines), and I
put that also inside that module.  So if a user's account is disabled,
it will return NT_STATUS_ACCOUNT_DISABLED, and if a user has no access
to that client, it will return NT_STATUS_INVALID_WORKSTATION.

That works very well, except if we put other modules as well.  The
thing is, that for some specific cases we have local accounts with
entries in smbpasswd (not real people).  The problem is now the
following (for example):

- Samba wants to authenticate user "dib".
- Samba will first try the auth_idng module.
- auth_idng successfully authenticated dib, but determined it may not
  log in through this workstation, so it returns
  NT_STATUS_INVALID_WORKSTATION.
- Samba sees the auth_idng module failed, and goes on to try module
  auth_sam.
- auth_sam module does not even know who dib is, as dib has no entry in
  smbpasswd.  So auth_sam returns NT_STATUS_NO_SUCH_USER.
- Now Samba will return NT_STATUS_NO_SUCH_USER, although the user was
  found and authenticated (although denied access) by a previous
  module.  Samba should have returned NT_STATUS_INVALID_WORKSTATION.

I can bring similar examples, but you get the point...

> Perhaps we should add 'account' modules, that are separate (where we
> can hook in PAM etc)

Well, an authorization/account subsystem would be nice to have in
Samba.  But if there would be more than one account module loaded,
then it'd still need to do something more complex than just returning
the last failure status if they all failed, or it wouldn't really
solve the problem in case there is more than one accounting rule.

> Andrew Bartlett

  Cheers,
  -- Tom

-- 
  Tom Alsberg - hacker (being the best description fitting this space)
  Web page:	http://www.cs.huji.ac.il/~alsbergt/
DISCLAIMER:  The above message does not even necessarily represent what
my fingers have typed on the keyboard, save anything further.
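The fall-through problem described in the message above, modelled as an added example that is not part of the original post and not Samba's own code. The status enum, the `auth_idng`/`auth_sam` stand-ins, the user "dib", the local account "backup" and the workstation names are all constructed for this example; the real NT_STATUS_* values and Samba's module interface are not reproduced. `samba_like_auth()` shows the chain that lets a later module's NT_STATUS_NO_SUCH_USER overwrite an earlier, more specific verdict; `fixed_auth()` shows a chain that keeps the verdict of the module that actually recognised the user.

```c
#include <stdio.h>
#include <string.h>

/* Constructed status codes mirroring the NT_STATUS_* names in the mail.
 * The numeric values are invented for this example. */
typedef enum {
    ST_OK = 0,
    ST_NO_SUCH_USER,        /* module has never heard of this user   */
    ST_ACCOUNT_DISABLED,    /* user known, account switched off       */
    ST_INVALID_WORKSTATION  /* user known, not allowed from this host */
} nt_status;

typedef nt_status (*auth_fn)(const char *user, const char *workstation);

/* Stand-in for auth_idng: knows "dib", who may only log in from "lab1". */
static nt_status auth_idng(const char *user, const char *ws)
{
    if (strcmp(user, "dib") != 0)
        return ST_NO_SUCH_USER;
    if (strcmp(ws, "lab1") != 0)
        return ST_INVALID_WORKSTATION;
    return ST_OK;
}

/* Stand-in for auth_sam: only knows the local "backup" account. */
static nt_status auth_sam(const char *user, const char *ws)
{
    (void)ws;
    if (strcmp(user, "backup") != 0)
        return ST_NO_SUCH_USER;
    return ST_OK;
}

static auth_fn chain[] = { auth_idng, auth_sam };
static const int chain_len = sizeof(chain) / sizeof(chain[0]);

/* Naive fall-through: the last module's failure status is what the
 * caller sees, so NO_SUCH_USER from auth_sam hides auth_idng's verdict. */
nt_status samba_like_auth(const char *user, const char *ws)
{
    nt_status st = ST_NO_SUCH_USER;
    for (int i = 0; i < chain_len; i++) {
        st = chain[i](user, ws);
        if (st == ST_OK)
            return st;
    }
    return st;
}

/* Verdict-preserving fall-through: a module that recognised the user but
 * denied it sets the final status; later NO_SUCH_USER results cannot
 * overwrite it.  Success anywhere in the chain still wins. */
nt_status fixed_auth(const char *user, const char *ws)
{
    nt_status verdict = ST_NO_SUCH_USER;
    for (int i = 0; i < chain_len; i++) {
        nt_status st = chain[i](user, ws);
        if (st == ST_OK)
            return st;
        if (st != ST_NO_SUCH_USER)
            verdict = st;   /* this module knew the user: keep its reason */
    }
    return verdict;
}

static const char *name(nt_status st)
{
    switch (st) {
    case ST_OK:                  return "NT_STATUS_OK";
    case ST_NO_SUCH_USER:        return "NT_STATUS_NO_SUCH_USER";
    case ST_ACCOUNT_DISABLED:    return "NT_STATUS_ACCOUNT_DISABLED";
    case ST_INVALID_WORKSTATION: return "NT_STATUS_INVALID_WORKSTATION";
    }
    return "?";
}

int main(void)
{
    /* dib from the wrong workstation: the two chains disagree. */
    printf("naive: %s\n", name(samba_like_auth("dib", "lab2")));
    printf("fixed: %s\n", name(fixed_auth("dib", "lab2")));
    return 0;
}
```

The point of the second loop is that "unknown here" is weaker information than "known here and denied for this reason", so the chain must rank the statuses rather than simply pass on whichever failure came last. Logging which module produced the final verdict makes such mis-reported denials visible in the audit trail.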

