Andrew, Thanks for your detailed response on this subject.
Oh - I knew that when I composed my message. That is also clear - PAM does not support the challenge/response mechanism needed. It still seems to me that it should somehow be possible, if coded right. Let's say we have PAM setup on the system to actually authenticate against the smbpasswd file, or an OpenLDAP server storing the passwords in encrypted form. Is there no way to do the handshaking at the Samba level, with just one call to PAM? Or do we need to read the 16-byte hash or whatever is stored in the smbpasswd file, in order to check the password? I can see PAM not letting us do that....As everyone on this list is probably aware, the use of encrypted
passwords and PAM password authentication are an apparently mutually
exclusive options with Samba 2.2.x. This is stated up front in the help
for the 'obey pam restrictions' option in the man page I believe.
Just to make this clear, this is not of our choosing, it is just a matter of how the protocol works.
Ok - on plain texts passwords, you state:
The domain in this case is controlled by Samba. Most of the clients are Windows 95/98 clients, and testing with Windows 98 seems to show that it can do a 'domain logon'. For the record, I know that this is not quite the same as the domain logon that Windows 2000 or NT clients will do, and I have yet to test one of those clients. (I spent a LOT of time working through the domain logon stuff a couple of years ago when working on those chapters of 'Special Edition, Using Samba' with Richard Sharpe). Anyway, I would only consider this switch to plaintext passwords a temporary measure while I come up with something better.It would also prevent domain logons, and exposes bugs in other parts of Microsoft's client.
Sounds like I need to pull a copy of HEAD from CVS and start getting familiar with Samba 3.0. Of course, I am assuming that the HEAD revision is Samba 3.0 work in progress?I think that the easiest way to do this would be to look into Samba 3.0's auth subsystem, and add a hook for WRONG_PASSORD return values. This could update the same database that pam_tally uses.
Well, I have been looking for a contribution to make to Samba for a long time. My last direct contributions involved some OS/2 client related debugging of Samba back in 1995, so its been a while! It sounds like this may be an area I could work on.We certainly need to work on this, and a number of other 'enterprise grade' features. There are a number of things that, as developers, we don't notice, but user feedback (and in some cases, very good patches!) has allowed us to support. This feature in particular should be picked up when we finish implementing and better integrating account policy support.
Ok - thanks for the advice. Should I consider Samba 3.0 (CVS) as the best starting point for such a process?Alternatively, how difficult would it be to modify Samba to support an
option like this directly, within the constructs of the smbpasswd file?
Yes, your best option is to modify Samba,
--
Jim Morris ([EMAIL PROTECTED])
