I have played with PAM (Pluggable Authentication Modules) for a couple of days. I do not have much experience in this area and would like to know your opinion about my ideas.
*** PAM short explanation ***
From the Linux-PAM documentation: "Linux-PAM (Pluggable Authentication Modules for Linux) is a suite of shared libraries that enable the local system administrator to choose how applications authenticate users. It is possible to switch between the authentication mechanism(s) without (rewriting and) recompiling a PAM-aware application. Indeed, one may entirely upgrade the local authentication system without touching the applications themselves."
A PAM-aware application requests authorization using a predefined id, the PAM service name. The system administrator configures the application authorization bas
The PAM service name identifies a set of authorization parameters.
For more information see http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/
Note that the application does not see the parameters of the authorization process, e.g. the password, the Windows NT domain name or the authorization server. The application only knows the user name and the service name.
*** PAM and Wine ***
Integration with PAM allows Wine to provide authentication services for Windows applications through the Windows API. PAM has modules for native Unix authentication, Samba, flat files and relational databases.
Example:
A Windows FTP server application running under Wine can be configured to use any method of authorization provided by PAM: Windows domain, flat file, relational database. This authorization can be made different from the authorization required to run Wine itself, and different from the default authorization for Wine applications.
The following PAM services can be configured for Wine, from the more general to the more specific:
* PAM service for Wine itself
* Default Wine Applications service: the default service which provides authentication for Windows applications. The exact name of the service will be specified in the Wine configuration; it is used if no application-specific service is specified.
* Application-Specific Service Name, specified in the AppDefaults section of the .wine/config file for a given application. The Default Application service is used if it is not specified.
Questions, problems:
Do we have a requirement for wineserver to work across user boundaries? If not, then we probably don't need a PAM service for Wine itself.
As you can see, Wine won't know anything about NT domains. I was thinking about passing the service name through the domain name parameter.
Example:
The LogonUser call accepts an lpszDomain parameter. Instead of the domain name DOMAIN1, the user provides to the application the PAM service name SERVICE1. The PAM service SERVICE1 is configured to use the Samba module for authentication in the NT domain DOMAIN1.
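As an added illustration (not from the original mail), this is what the three service layers listed above and the SERVICE1/DOMAIN1 mapping could look like as Linux-PAM configuration files; the service names wine and wine-apps are assumed, and the NT domain name itself lives in the winbind/Samba configuration, so the Windows application never sees it:

```conf
# Added example, not from the original mail. Three Linux-PAM service files,
# one per layer. "wine" and "wine-apps" are assumed service names; SERVICE1
# and DOMAIN1 are the names from the LogonUser example above.

# /etc/pam.d/wine -- service for Wine itself (only needed if wineserver must
# work across user boundaries). Plain Unix accounts.
auth     required   pam_unix.so
account  required   pam_unix.so

# /etc/pam.d/wine-apps -- default service for Windows applications running
# under Wine when no application-specific service is configured.
auth     required   pam_unix.so
account  required   pam_unix.so

# /etc/pam.d/SERVICE1 -- application-specific service. The application passes
# "SERVICE1" in lpszDomain and never learns that Samba's winbind is behind it.
# The domain DOMAIN1 is configured for winbindd in smb.conf
# ("workgroup = DOMAIN1"), not here.
# The "account" line matters: it rejects disabled or expired domain accounts,
# which a password check alone ("auth") would still accept.
auth     required   pam_winbind.so
account  required   pam_winbind.so
```

Because the account stack is separate from the auth stack, a LogonUser implementation built on PAM should run both pam_authenticate and pam_acct_mgmt before reporting success. The binding of a given application to SERVICE1 would then be the AppDefaults entry in .wine/config proposed above.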
PAM provides authorization and nothing else. To get more information from the authorization provider you have to access it directly. E.g. with PAM alone it is impossible to get the list of users or groups from a Windows NT domain, or which user belongs to which group. Even more, it is impossible to know that some PAM service underneath uses an NT domain, or the name of this domain.
I can't imagine how to implement a scenario like this with PAM: a Windows application gets the list of users belonging to some group, presents it to the user, then does authentication for one of the user names. On the other hand, it is possible to do that with Samba.
It seems it is better to integrate Wine with each protocol individually, i.e. implement a PAM-like architecture inside Wine, but one that provides much more information to Wine. The downside is that this is a much more complex approach than PAM.
Andriy