I believe, strictly speaking, that's an application error - the application should call PAM *before* any NSS calls if at all possible, exactly for this reason.

Last I checked, most didn't - which breaks Kerberos template users (and any other username-rewriting).

The "correct" solution here is to fix the app, if at all possible - which applications are you using?

Regards,
Phil

+----------------------------------+
| Phil Mayers, Network Support     |
| Centre for Computing Services    |
| Imperial College                 |
+----------------------------------+

-----Original Message-----
From: Chris Jaeger [mailto:cjaeger@ensim.com]
Sent: 11 June 2001 23:35
To: pam-list@redhat.com
Subject: Re: PAM and the pwd.h interface

Hi Adam,

I'd actually posted this to the pam-list around a couple of months ago, when I was trying to figure out what the proper behavior for an application was supposed to be with regards to handling usernames/testing for the existence of a user.

In essence, for my application I'd like to be able to translate usernames. PAM handles this fine; I call pam_authenticate with the given username, if that is successful, I retrieve the new username, and then go on from there. However, 98% (an exact figure ;) of the applications out there seem to call getpwnam() to test for the existence of a user before trying to authenticate, and as my pre-translated users don't exist, I never get a chance to authenticate.

One can use pam_authenticate() to test for the existence of a user, but that isn't perfect either; I don't necessarily want to authenticate. This can be fixed with pam_rootok, but only if you are root.

So my original question was trying to determine if someone had written a pwd library that does something along the lines of pam_authenticate() to test for user existence, and then uses the getpwnam function to retrieve the user's attributes. I'll probably just write an nss library that performs the same translation as my PAM module.

It does seem a little bit awkward that one has to write two libraries conforming to separate APIs in order to authenticate a user and retrieve his or her attributes. I do agree with Nicolas though, that targeting the read-side of the API(s) may be more appropriate.

Regards,
Chris

Adam Slattery wrote:
>
> On Mon, 11 Jun 2001, Chris Jaeger wrote:
>
> > Hi,
> >
> > This could get me part of what I want, but would
> > involve me implementing a new libnss_xxx library, duplicating
> > some of what I already did for my PAM module. Oh well,
> > at least there is the option to plug in something different.
> >
> > Thanks,
> > Chris
>
> There is still hope. Keep watching this thread, Nicolas and I are having a
> little discussion. In fact, I postponed my reply to his message to read
> this one... :)
>
> What does your PAM module do?
>
> You might provide further support for the ideas Nicolas and I are talking
> about with additions to the Linux-PAM api. I'm going to get back to my
> other message.
>
> - Adam Slattery
> aslattery@sunriselinux.com

_______________________________________________
Pam-list@redhat.com
https://listman.redhat.com/mailman/listinfo/pam-list