[PATCH] Remove pam_smbpass module from Samba source code

Andrew Bartlett abartlet at samba.org
Sat Jan 24 22:18:25 MST 2015


On Fri, 2015-01-23 at 12:38 +0100, Volker Lendecke wrote:
> On Fri, Jan 23, 2015 at 10:48:27PM +1300, Andrew Bartlett wrote:
> > On Thu, 2015-01-22 at 20:37 +0100, Andreas Schneider wrote:
> > > Hello,
> > > 
> > > as the pam_smbpass module is unmaintained and bit rots. As Volker also 
> > > suggested, we remove it completely from the Samba source code.
> > > 
> > > 
> > > The same can be achieved using pam_winbind.
> > > 
> > > 
> > > If there is a reason why this can't be removed, please speak up!
> > 
> > The biggest thing this module does that pam_winbind doesn't do is the
> > 'migrate' option, which allows the samba password to be automatically
> > kept in sync.  We also need to be sure you can configure pam_winbind to
> > match exactly the pam_smbpass behaviour. 
> 
> Is that really used a lot? I'd say that you can fulfill most
> requirements with just the smbpasswd values being the
> only password source. But of course, if there's really high
> demand we can add this as a special mode or even a tiny pam
> module on its own to the winbind scenario.

Indeed.  In an ideal, theoretical sense, having both a unix and a Samba
password brings no advantages, and plenty of disadvantages.  I certainly
wish that we had, years ago, set a standard that if you used the Samba
password for local PAM logins, that we only used Samba passwords. 

Sadly, it is used in the default debian config of pam_smbpass (again,
this may not be ideal).

> > Finally, the thing pam_smbpass gives us is that it can run without
> > having a daemon running. 
> 
> For people who can't afford to run winbind at all, we could
> in theory add a "winbind on demand" mode that forks winbind
> when necessary. The gamin FAM library does something in that
> direction. I'd call this much better than linking in passdb
> and all its dependencies.
> 
> Volker
> 

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba




More information about the samba-technical mailing list