
Re: pwdb and shadow



On Mon, 2 Nov 1998, Seth Chaiklin wrote:

> I'm glad that you mention this idea.  It raises what seems like a kind of
> contradiction (to me at least) between pwdb.so and other modules.
> 
> If I understand what you want to do, then you do not need to use or
> modify pwdb.so at all.  You simply use the pam_smb module that is
> available.

My understanding of pam_smb might be flawed then.  I was under the
impression that pam_smb only relayed authentication requests to a PDC.

What I suggested was adding the ability for pwdb to generate (and use) the
hashed passwords that Samba would be generating if its own encryption were
enabled.  This way, I wouldn't need to disable encrypted passwords on my
NT and Win98 PCs, and wouldn't have to worry about keeping Unix and
Windows passwords synched (because they would already be).

> I get the impression that when pwdb was originally launched, there was an
> idea (hope? expectation?) that other authentication processes could be
> included in the library.  Then you would not need a separate module for
> Samba NT, Novell, Radius, TACACS, etc. You would just stick your
> pam_pwdb.so into your config files, and then use /etc/pwdb.conf to
> select the databases that should be used.  

You might be confusing authentication with user information here.  I think
pwdb's original aim was to provide the services that glibc's nsswitch
mechanism does now: a pluggable method for pulling user information from
multiple databases when libc's way of doing it made it difficult to
extend.  That most of these databases also held an encrypted password
which could be used for authentication (by pam_pwdb) was a stroke of luck
and/or genius.

One of the biggest wins was that shadow passwords became much easier to
integrate into a system:  because PAM already put authentication in a
common place, you just had to add shadow password support to pam_pwdb for
all of your PAMified applications to benefit.

> But it seems that (a) new databases have not been added to pwdb, and (b)
> it seems that new authentication modules are being developed and refined
> outside of pwdb, such that (c) pwdb can be viewed primarily as a
> unix/shadow/nis authentication module (plus the other account / password
> management modules -- there is a confusing terminology in PAM because the
> entire module in /lib/security is called a module, but then each module
> can have 4 modules).

That's true, and it stems from pwdb itself not being updated in a while.
The appearance of glibc in the interim has probably made writing modules
for NSS more attractive; if the NSS module used provides the pw_passwd
field in replies to getpwXXX calls, there's no reason that the pam_unix
modules can't do the job.

Nalin
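
The closing point of the message, that a pam_unix-style module can authenticate whenever the NSS backend fills in pw_passwd, shown as an added example that is not part of the original message and is not pam_unix or pwdb code. The names `classify_pw_passwd` and `classify_user` are hypothetical, the sample field values are constructed, and only the common "x" shadow placeholder is handled.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* What an authentication module can do with a pw_passwd value. */
enum pw_source {
    PW_NO_ENTRY,   /* no passwd entry was returned for the user */
    PW_EMPTY,      /* empty field: the account has no password */
    PW_ELSEWHERE,  /* "x": hash is kept elsewhere, typically /etc/shadow */
    PW_LOCKED,     /* starts with '*' or '!': no crypt() output can match */
    PW_HASH        /* a crypt(3)-style hash is present in the reply */
};

/* Classify pw_passwd; only the common "x" shadow placeholder is recognised. */
enum pw_source classify_pw_passwd(const char *field)
{
    if (field == NULL)            return PW_NO_ENTRY;
    if (field[0] == '\0')         return PW_EMPTY;
    if (strcmp(field, "x") == 0)  return PW_ELSEWHERE;
    if (field[0] == '*' || field[0] == '!') return PW_LOCKED;
    return PW_HASH;
}

/* Look the user up through whichever NSS backends are configured. */
enum pw_source classify_user(const char *name)
{
    struct passwd *pw = getpwnam(name);
    return classify_pw_passwd(pw ? pw->pw_passwd : NULL);
}

int main(int argc, char **argv)
{
    static const char *label[] = {
        "no entry", "empty password", "hash stored elsewhere (shadow)",
        "locked", "hash present in NSS reply"
    };
    /* Constructed sample field values, not taken from any real system. */
    const char *samples[] = { "x", "", "*", "!!", "$1$constructed$samplehashvalue" };
    const char *user = argc > 1 ? argv[1] : "root";
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s -> %s\n", samples[i], label[classify_pw_passwd(samples[i])]);
    printf("user %s -> %s\n", user, label[classify_user(user)]);
    return 0;
}
```

Only the "hash present" case gives a module something to compare against directly from the getpwXXX reply; with "x" the hash has to come from the shadow database instead.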


