Re: PAM w/ Samba

On Wed, Nov 12, 2003 at 03:27:43PM -0600, Richard Duran wrote:
> This works just fine, except when the PDC has the "User must change
> password at next logon" checkbox selected (when a new account is created
> with this set, or a password has been reset). In this case, PAM comes
> back with NT_STATUS_PASSWORD_MUST_CHANGE. When this happens, GDM pops up
> an "Authentication failed". It would be nice to have GDM request a new
> password from the user. (They only get the pop-up when they type the
> correct password that needs to be changed, if they type the incorrect
> password, GDM displays the text "Incorrect username or password...").
> 
> Are there any plans to incorporate a feature to request a new password,
> or is this the responsibility of the pam_smb module?

This should be the responsibility of the pam_smb module as far as I understand
it.  GDM will just proxy what the pam module asks, and it doesn't really know
anything about these things.

> Secondly, since we are authenticating against a Windows PDC, we are
> forced to login using "PDC\user". It would be nice if GDM could detect
> the existence of "/etc/pam_smb.conf" and allow the user to select either
> "<hostname>" or "<domainname>". Of course, this is only a matter of
> aesthetics.

Some more work should go into using the binary interface to pam, and 
gdm could have a much more fun conversation with the pam modules.  Then
they could give gdm much more info on how to present some information.
Somebody feel free and send me a patch since I don't have the time to do this,
but it is entirely possible as far as I understand it within the limits of
the pam binary response thingies, which linux pam supports I think.  Obviously
this needs modification to the pam_smb module to know when it can use a
higher level protocol (what it really needs is a way to query for a list
of different things and gdm could perhaps present that as a combo box
or option menu or some such)

> Any pointers would be appreciated. I would be glad to donate my time and
> programming to the cause if needed.

Feel free.  I would be very happy to include any such changes needed for gdm
to make this nicer.  I think we have long ago outgrown the 'text response'
only protocol of pam and we need more.  One other possibility would be to
define a nicer way for PAM to get authentication to the X server (right now
it can semi-reasonably get the display name, but authentication is another
matter) then pam could run its own gui without any trouble.  This would allow
even more flexibility for the pam modules.  Some thought needs to go in that though
since running things from pam really hangs the gdm slave until those things end.

George
