Bad fallover to next authentication module?

Andrew Bartlett abartlet at samba.org
Fri Jul 9 03:51:38 GMT 2004


On Thu, 2004-07-08 at 19:34, Tom Alsberg wrote:
> On Thu, Jul 08, 2004 at 07:15:34PM +1000, Andrew Bartlett wrote:
> > If we want PAM like semantics, then we are going to need the complexity
> > of PAM syntax.  What exactly is it that you need, that causes you to
> > write a new auth module?
> 
> Well, we have our own "home-grown" network authentication system
> called IDng, which handles plain text, one-time, and NTLM passwords.
> I wrote an auth module for samba to interface with it.
> 
> In addition, we have stuff like disabled accounts, and authorization
> access control (which users may log in through which machines), and I
> put that also inside that module.  So if a user's account is disabled,
> it will return NT_STATUS_ACCOUNT_DISABLED, and if a user has no access
> to that client, it will return NT_STATUS_INVALID_WORKSTATION.
> 
> That works very well, except if we put other modules as well.  The
> thing is, that for some specific cases we have local accounts with
> entries in smbpasswd (not real people).  The problem is now the
> following (for example):
> 
> - Samba wants to authenticate user "dib".
> - Samba will first try the auth_idng module.
> - auth_idng successfully authenticated dib, but determined it may not
>   log in through this workstation, so it returns
>   NT_STATUS_INVALID_WORKSTATION.
> - Samba sees the auth_idng module failed, and goes on to try module
>   auth_sam.
> - auth_sam module does not even know who dib is, as dib has no entry in
>   smbpasswd.  So auth_sam returns NT_STATUS_NO_SUCH_USER.
> - Now Samba will return NT_STATUS_NO_SUCH_USER, although the user was
>   found and authenticated (although denied access) by a previous
>   module.  Samba should have returned NT_STATUS_INVALID_WORKSTATION.
> 
> I can bring similar examples, but you get the point...

So, could we just swap the order?  That's why we add 'guest' at the
front, not the end, of the list.

> > Perhaps we should add 'account' modules, that are separate (where we
> > can hook in PAM etc)
> 
> Well, an authorization/account subsystem would be nice to have in
> Samba.  But if there would be more than one account module loaded,
> then it'd still need to do something more complex than just returning
> the last failure status if they all failed, or it wouldn't really
> solve the problem in case there is more than one accounting rule.

For an 'account' system, it would make sense to return the first
failure.

Andrew Bartlett
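The chain behaviour Tom describes (the last module's failure status masks an earlier, more specific denial) and the "return the first failure" rule Andrew suggests for account modules, as an added C example that is not Samba's code and not part of the original thread. The stand-in modules (auth_idng, auth_sam, account_disabled, account_workstation), the users, passwords and workstation names are all constructed for illustration, and the policy enum, keep_going() and run_chain() are my own, not the API of Samba's auth subsystem.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Status codes named as in Samba; the values are the NTSTATUS ones, but
 * nothing below depends on the numbers. */
typedef uint32_t NTSTATUS;
#define NT_STATUS_OK                  0x00000000u
#define NT_STATUS_NO_SUCH_USER        0xC0000064u
#define NT_STATUS_WRONG_PASSWORD      0xC000006Au
#define NT_STATUS_INVALID_WORKSTATION 0xC0000070u
#define NT_STATUS_ACCOUNT_DISABLED    0xC0000072u

struct auth_request { const char *user; const char *password; const char *workstation; };
typedef NTSTATUS (*check_fn)(const struct auth_request *);
struct module { const char *name; check_fn check; };

/* Hypothetical stand-in for the site's auth_idng: it knows "dib", whose
 * password is "s3cret" and who may only log in from workstation WS1. */
static NTSTATUS auth_idng(const struct auth_request *r)
{
    if (strcmp(r->user, "dib") != 0)        return NT_STATUS_NO_SUCH_USER;
    if (strcmp(r->password, "s3cret") != 0) return NT_STATUS_WRONG_PASSWORD;
    if (strcmp(r->workstation, "WS1") != 0) return NT_STATUS_INVALID_WORKSTATION;
    return NT_STATUS_OK;
}

/* Stand-in for auth_sam with a single local smbpasswd entry, "svc". */
static NTSTATUS auth_sam(const struct auth_request *r)
{
    if (strcmp(r->user, "svc") != 0)       return NT_STATUS_NO_SUCH_USER;
    if (strcmp(r->password, "svcpw") != 0) return NT_STATUS_WRONG_PASSWORD;
    return NT_STATUS_OK;
}

/* Two constructed "account" modules, each enforcing one rule; non-OK means deny. */
static NTSTATUS account_disabled(const struct auth_request *r)
{
    return strcmp(r->user, "olduser") == 0 ? NT_STATUS_ACCOUNT_DISABLED : NT_STATUS_OK;
}
static NTSTATUS account_workstation(const struct auth_request *r)
{
    return strcmp(r->workstation, "KIOSK") == 0 ? NT_STATUS_INVALID_WORKSTATION : NT_STATUS_OK;
}

enum chain_policy {
    LAST_FAILURE_WINS,   /* stop at the first OK, else report the last module's status */
    FIRST_DECISION_WINS, /* stop at the first module that recognises the user */
    FIRST_FAILURE_WINS   /* every module must pass; stop at the first denial */
};

/* Should the chain continue after a module returned s under policy p? */
static int keep_going(enum chain_policy p, NTSTATUS s)
{
    switch (p) {
    case LAST_FAILURE_WINS:   return s != NT_STATUS_OK;
    case FIRST_DECISION_WINS: return s == NT_STATUS_NO_SUCH_USER;
    case FIRST_FAILURE_WINS:  return s == NT_STATUS_OK;
    }
    return 0;
}

NTSTATUS run_chain(const struct module *mods, size_t n,
                   const struct auth_request *r, enum chain_policy p)
{
    NTSTATUS status = (p == FIRST_FAILURE_WINS) ? NT_STATUS_OK : NT_STATUS_NO_SUCH_USER;
    for (size_t i = 0; i < n; i++) {
        status = mods[i].check(r);
        if (!keep_going(p, status))
            break;
    }
    return status;
}

static const struct module auth_chain[]    = { { "auth_idng", auth_idng }, { "auth_sam", auth_sam } };
static const struct module account_chain[] = { { "account_disabled", account_disabled },
                                               { "account_workstation", account_workstation } };

/* Wrappers around the two chains so a caller only passes strings. */
NTSTATUS authenticate(const char *user, const char *pw, const char *ws, enum chain_policy p)
{
    struct auth_request r = { user, pw, ws };
    return run_chain(auth_chain, 2, &r, p);
}
NTSTATUS authorize(const char *user, const char *ws)
{
    struct auth_request r = { user, "", ws };
    return run_chain(account_chain, 2, &r, FIRST_FAILURE_WINS);
}

int main(void)
{
    /* The case from the thread: dib authenticates, but not from this workstation. */
    printf("last failure wins:   0x%08x\n", authenticate("dib", "s3cret", "WS2", LAST_FAILURE_WINS));
    printf("first decision wins: 0x%08x\n", authenticate("dib", "s3cret", "WS2", FIRST_DECISION_WINS));
    return 0;
}
```

With LAST_FAILURE_WINS the dib request ends as NT_STATUS_NO_SUCH_USER, exactly the masking Tom reports; with FIRST_DECISION_WINS it ends as NT_STATUS_INVALID_WORKSTATION because auth_idng recognised the user and no later module is consulted. The price of that policy is that a wrong password reported by the first module also stops the chain, so a name that exists both in IDng and in smbpasswd can never fall through to the local entry; reordering the modules, as Andrew suggests, has the same property in the other direction. Note also that which status the chain settles on internally and which one is reported back to the client are separate decisions: a specific denial such as INVALID_WORKSTATION confirms to the caller that the account exists, which is something to weigh before exposing it on the wire.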
