Bad fallover to next authentication module?
abartlet at samba.org
Fri Jul 9 03:51:38 GMT 2004
On Thu, 2004-07-08 at 19:34, Tom Alsberg wrote:
> On Thu, Jul 08, 2004 at 07:15:34PM +1000, Andrew Bartlett wrote:
> > If we want PAM like semantics, then we are going to need the complexity
> > of PAM syntax. What exactly is it that you need, that causes you to
> > write a new auth module?
> Well, we have our own "home-grown" network authentication system
> called IDng, which handles plain text, one-time, and NTLM passwords.
> I wrote an auth module for samba to interface with it.
> In addition, we have stuff like disabled accounts, and authorization
> access control (which users may log in through which machines), and I
> put that also inside that module. So if a user's account is disabled,
> it will return NT_STATUS_ACCOUNT_DISABLED, and if a user has no access
> to that client, it will return NT_STATUS_INVALID_WORKSTATION.
> That works very well, except if we put other modules as well. The
> thing is, that for some specific cases we have local accounts with
> entries in smbpasswd (not real people). The problem is now the
> following (for example):
> - Samba wants to authenticate user "dib".
> - Samba will first try the auth_idng module.
> - auth_idng successfully authenticated dib, but determined it may not
> log in through this workstation, so it returns
> - Samba sees the auth_idng module failed, and goes on to try module
> - auth_sam module does not even know who dib is, as dib has no entry in
> smbpasswd. So auth_sam returns NT_STATUS_NO_SUCH_USER.
> - Now Samba will return NT_STATUS_NO_SUCH_USER, although the user was
> found and authenticated (although denied access) by a previous
> module. Samba should have returned NT_STATUS_INVALID_WORKSTATION.
> I can bring similar examples, but you get the point...
So, could we just swap the order? That's why we add 'guest' at the
front, not the end, of the list.
> > Perhaps we should add 'account' modules, that are separate (where we
> > can hook in PAM etc)
> Well, an authorization/account subsystem would be nice to have in
> Samba. But if there would be more than one account module loaded,
> then it'd still need to do something more complex than just returning
> the last failure status if they all failed, or it wouldn't really
> solve the problem in case there is more than one accounting rule.
For an 'account' system, it would make sense to return the first
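The fallover problem Tom describes, reduced to a runnable model. This is an added example, not Samba's auth code: the status enum, the two toy modules (a hypothetical `auth_idng` that knows user "dib" but only allows him from workstation "ws1", and a hypothetical `auth_sam` that only knows a local account "svc") and the user and host names are all constructed. `auth_chain_last_wins` reproduces the behaviour in the mail, where every non-OK status falls over and the last module's status is what the client sees; `auth_chain_stop_on_decision` shows one possible alternative, in which only NT_STATUS_NO_SUCH_USER means "ask the next module" and any module that recognised the user and made a decision ends the chain.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the NT status codes named in the thread
 * (assumption: the real values are not needed to show the chain logic). */
typedef enum {
    NT_STATUS_OK,
    NT_STATUS_NO_SUCH_USER,
    NT_STATUS_WRONG_PASSWORD,
    NT_STATUS_ACCOUNT_DISABLED,
    NT_STATUS_INVALID_WORKSTATION
} nt_status;

typedef nt_status (*auth_fn)(const char *user, const char *workstation);

/* Hypothetical auth_idng: knows "dib" (allowed only from "ws1") and a
 * disabled account "old"; anyone else is unknown to it. */
static nt_status auth_idng(const char *user, const char *ws)
{
    if (strcmp(user, "old") == 0)
        return NT_STATUS_ACCOUNT_DISABLED;
    if (strcmp(user, "dib") != 0)
        return NT_STATUS_NO_SUCH_USER;
    if (strcmp(ws, "ws1") != 0)
        return NT_STATUS_INVALID_WORKSTATION;
    return NT_STATUS_OK;
}

/* Hypothetical auth_sam: only the local smbpasswd entry "svc" exists. */
static nt_status auth_sam(const char *user, const char *ws)
{
    (void)ws;
    if (strcmp(user, "svc") == 0)
        return NT_STATUS_OK;
    return NT_STATUS_NO_SUCH_USER;
}

static const auth_fn chain[] = { auth_idng, auth_sam };
static const size_t chain_len = sizeof chain / sizeof chain[0];

/* The behaviour complained about: any failure falls over to the next module,
 * so a later NO_SUCH_USER overwrites an earlier, more specific denial. */
nt_status auth_chain_last_wins(const char *user, const char *ws)
{
    nt_status st = NT_STATUS_NO_SUCH_USER;
    for (size_t i = 0; i < chain_len; i++) {
        st = chain[i](user, ws);
        if (st == NT_STATUS_OK)
            return st;
    }
    return st;
}

/* One possible alternative: only NO_SUCH_USER means "try the next module";
 * a module that recognised the user and decided (disabled, wrong
 * workstation, bad password) ends the chain with that decision. */
nt_status auth_chain_stop_on_decision(const char *user, const char *ws)
{
    nt_status st = NT_STATUS_NO_SUCH_USER;
    for (size_t i = 0; i < chain_len; i++) {
        st = chain[i](user, ws);
        if (st != NT_STATUS_NO_SUCH_USER)
            return st;
    }
    return st;
}

static const char *status_name(nt_status st)
{
    static const char *names[] = {
        "NT_STATUS_OK", "NT_STATUS_NO_SUCH_USER", "NT_STATUS_WRONG_PASSWORD",
        "NT_STATUS_ACCOUNT_DISABLED", "NT_STATUS_INVALID_WORKSTATION"
    };
    return names[st];
}

int main(void)
{
    /* dib from the wrong workstation: the mail's exact scenario. */
    printf("last-wins:        dib@ws2 -> %s\n",
           status_name(auth_chain_last_wins("dib", "ws2")));
    printf("stop-on-decision: dib@ws2 -> %s\n",
           status_name(auth_chain_stop_on_decision("dib", "ws2")));
    /* Local smbpasswd-only account still works under both policies. */
    printf("stop-on-decision: svc@ws2 -> %s\n",
           status_name(auth_chain_stop_on_decision("svc", "ws2")));
    return 0;
}
```

Note that "stop on decision" is only one policy; it fixes the status leak in this thread but also means a user known to the first module can never be accepted by a later one, which is the ordering question raised in the reply about putting 'guest' at the front of the list.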