
Re: NTDOM: pam for nt domains, version 0.1.



Luke Kenneth Casson Leighton wrote:
> 	http://mailhost.cb1.com/~lkcl/pam-ntdom/

Can you double check this?  I had some difficulty getting to this
website.

> i have a couple of really silly, questions, having had a quick look at the
> web site and documentation.
> 
> 1) where do i go to give me a step-by-step guide to installing pam?  i
> have slackware-3.1, kernel 2.1.26, the security modules, Linux-PAM-0.57,
> pam-smb.0.5, pam-ntdom-0.1, edited modules/Makefile to add pam_smb and
> pam_ntdom, got defs/linux.defs as the default.defs; done make; make
> install; copied conf/pam.conf to /etc; created /etc/pam-smb.conf, run
> examples/check_user and examples/blank, and the ntdom pam doesn't run. 
> now i'm afraid to reboot, just in case something goes horribly
> pear-shaped. 

Take a look in the /var/log/messages file (it may be somewhere else on
a Slackware system..)  PAM likes to send errors to this file so you
may be able to work out what is going wrong there.

Since you are using Slackware (which does not use PAM by default) I
don't think your system will break if you mess PAM up.

> the second best.  does the pam api support functionality that mirrors the
> NT domain setup (described below):
> 
> - NT workstations have to join a domain ("Welcome to the SAMBA Domain",
> for example.  and they can be made to leave a domain.  this is done by
> setting up a "Trust Account" relationship between the workstation and the
> server, and is typically only done once, and only by the administrator of
> the Domain.

The answer to this is no.  Not explicitly.  The X/Open group are
trying to enhance PAM so it will support some of these ideas, but my
reading of their spec did not inspire confidence that this will happen
any time soon.

> this is implemented as if the workstation itself is logging in to the
> domain, not a user, and can only be done by the administrator.  the
> alternative is to have the administrator manually add the workstation to
> the domain, which is a pain.

UNIX is not any flavor of Windows.  UNIX (the kernel) has a very open
notion of networking that does not identify other machines as superior
to it.  From a UNIX perspective the equivalent ideas are handled at
the application layer.  (Daemons and libraries/APIs:  This is how
SAMBA works...)

> - NT workstations, on start-up, contact the Domain Controller and maintain
> an open session with it until the workstation is shut down.  once a week,
> the workstation will change the "Workstation Trust Account" password.
> 
> - NT users log in, obtain their profile info (equivalent to the other
> fields in /etc/password or NIS+ database) and when finished, logout.

> to summarise the above:
> 
> is there an api to "add" and "remove" accounts (don't know);

Not within PAM.

> is there an api to "initialise" and "terminate" a session (don't know); 

There are the pam_open/close_session() functions.  These could
probably be implemented as you need them for individual users with a
suitable module, but if you are looking to implement a session for the
machine as a whole, I think this is better done with some 'init'
scripts in /etc/rc.d/... .

> is there an api to "login", "obtain user-specific info", "logout" a user
> (login, yes: profile, don't know: logout, don't know). 

Not really a single API.  PAM was originally designed with the sole
purpose of authentication in mind.  The need for things of this nature
is something that has been recognized.  PWDB was an attempt to address
this from Linux's perspective.  Together with Cristian Gafton, I
started this but then got too busy to continue.  The pam_pwdb module
is the default for Red Hat now so I'm hoping more work will be done
on this in the future...

Cheers

Andrew