RFC: Wine and PAM integration

Andriy Palamarchuk apa3a at yahoo.com
Fri Sep 20 14:25:20 CDT 2002


I played a couple of days with PAM (Pluggable
Authentication Modules). I do not have big experience
in this area and want to know your opinion about my
ideas.

*** PAM short explanation ***

<From PAM for Linux documentation>
Linux-PAM (Pluggable Authentication Modules for Linux)
is a suite of shared libraries that enable the local
system administrator to choose how applications
authenticate users. 
It is possible to switch between the authentication
mechanism(s) without (rewriting and) recompiling a
PAM-aware application. Indeed, one may entirely
upgrade the local authentication system without
touching the applications themselves.
</From PAM for Linux documentation>

A PAM-aware application requests authorization using a
predefined id, the PAM service name.
System administrator configures the application
authorization bas

A PAM service name identifies a set of authorization
parameters.

For more information see
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/

Note that the application does not see the parameters of
the authorization process, e.g. password, Windows NT
domain name, authorization server. The application only
knows the user name and the service name.

*** PAM and Wine ***

Integration with PAM allows Wine to provide
authentication services for Windows applications
through the Windows API. PAM has modules for native Unix
authentication, Samba, flat files and relational
databases.

Example:

A Windows ftp server application running under Wine can
be configured to use any method of authorization
provided by PAM: Windows domain, flat file,
relational database. This authorization can be made
different from the authorization required to run Wine
itself, and different from the default authorization for
Wine applications.

The following PAM services can be configured for Wine,
from more general to more detailed:

* PAM service for Wine itself

* Default Wine Applications service - default service
  which provides authentication for Windows applications.
  The exact name of the service will be specified in the
  Wine configuration. It is used if no application-specific
  service is specified.

* Application-Specific Service Name
  specified in the AppDefaults section of the
  .wine/config file for the given application.
  The Default Application service is used if not
  specified.

Questions, problems:

Do we have a requirement for wineserver to work across
user boundaries?
If not, then we probably don't need a PAM service for
Wine itself.

As you see, Wine won't know anything about NT domains.
I was thinking about passing the service name through
the domain name parameter.

Example:

The LogonUser call accepts an lpszDomain parameter. Instead
of the domain name DOMAIN1, the user provides to the
application the PAM service name SERVICE1.
PAM service SERVICE1 is configured to use the Samba module
for authentication in NT domain DOMAIN1.
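To make the service selection concrete, here is an added example in C (not Wine code and not from this post) of how the three service levels above and the lpszDomain-as-service-name idea could be resolved into the single name that would be handed to pam_start(). The AppDefaults entries, the default service name "wine-apps" and the helper names are constructed assumptions. Since a PAM service name selects a file under /etc/pam.d, and lpszDomain comes from the Windows application, the example also refuses names that are not plain file names before they reach PAM.

```c
/* Added example, not code from Wine or from the post: pick the PAM
 * service name Wine would pass to pam_start() for a Windows application.
 * Resolution order, as proposed in the post:
 *   1. lpszDomain given to LogonUser (carries a PAM service name)
 *   2. Application-specific service from AppDefaults in ~/.wine/config
 *   3. Default Wine Applications service
 * All names and table entries below are constructed for illustration. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Assumed name of the default Wine Applications service; the post
 * leaves the real name to the Wine configuration. */
#define WINE_DEFAULT_APP_SERVICE "wine-apps"

struct app_default {
    const char *app;          /* executable name of the AppDefaults section */
    const char *pam_service;  /* NULL: no service configured for this app */
};

/* Constructed stand-in for the AppDefaults entries in ~/.wine/config.
 * /etc/pam.d/SERVICE1 would be where the administrator stacks the
 * Samba module for domain DOMAIN1, as described in the post. */
static const struct app_default app_defaults[] = {
    { "ftpd.exe",    "SERVICE1" },
    { "notepad.exe", NULL },
};

/* Case-insensitive comparison, since Windows executable names are
 * case-insensitive. */
static int eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* A PAM service name names a file under /etc/pam.d, so only accept the
 * characters a plain configuration file name contains. Path separators,
 * "." / "..", empty and over-long names are refused here, before
 * pam_start() ever sees them. Returns 1 if acceptable, else 0. */
int pam_service_name_ok(const char *name)
{
    size_t len = name ? strlen(name) : 0;
    if (len == 0 || len > 64)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '-' || c == '_' || c == '.'))
            return 0;
    }
    return strcmp(name, ".") != 0 && strcmp(name, "..") != 0;
}

/* Levels 2 and 3: application-specific service, else the default. */
const char *wine_app_pam_service(const char *app)
{
    size_t n = sizeof app_defaults / sizeof app_defaults[0];
    for (size_t i = 0; i < n; i++) {
        if (eq_nocase(app_defaults[i].app, app) && app_defaults[i].pam_service)
            return app_defaults[i].pam_service;
    }
    return WINE_DEFAULT_APP_SERVICE;
}

/* Level 1 on top: lpszDomain, when non-empty, is taken as the PAM
 * service name. Returns NULL when the resulting name is unusable. */
const char *wine_logon_pam_service(const char *app, const char *lpszDomain)
{
    const char *svc = (lpszDomain && *lpszDomain) ? lpszDomain
                                                   : wine_app_pam_service(app);
    return pam_service_name_ok(svc) ? svc : NULL;
}

int main(void)
{
    /* Constructed LogonUser-style inputs: (application, lpszDomain). */
    const char *cases[][2] = {
        { "ftpd.exe",    NULL },
        { "notepad.exe", NULL },
        { "FTPD.EXE",    "DOMAIN2" },
        { "ftpd.exe",    "../../etc/passwd" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        const char *svc = wine_logon_pam_service(cases[i][0], cases[i][1]);
        printf("%-12s lpszDomain=%-18s -> %s\n", cases[i][0],
               cases[i][1] ? cases[i][1] : "(none)",
               svc ? svc : "REJECTED");
    }
    return 0;
}
```

The only thing Wine has to know here is the resulting service name; which backend /etc/pam.d/SERVICE1 actually stacks (Samba, flat file, database) stays the administrator's business, exactly as the PAM model intends.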

PAM provides authorization and nothing else. To get
more information from the authorization provider you
have to access it directly. E.g. with PAM only it is
impossible to get the list of users and groups from a
Windows NT domain, or which user belongs to which group.
Even more, it is impossible to know that some PAM service
underneath uses an NT domain, or the name of this domain.

I can't imagine how to implement with PAM a scenario
like this: a Windows application gets the list of users
belonging to some group, presents it to the user, then
does authentication for one of the user names.
On the other hand it is possible to do that with Samba.

It seems it is better to integrate Wine with each
protocol individually - implement a PAM-like
architecture inside Wine, but one which will
provide much more information to Wine.
The downside: this is a much more complex approach than
PAM.

Andriy
