
Why authenticate Linux users against a Netware box?
--------------------------------------------------

The pam_ncp_auth module is designed for use in environments where users have 
already been given Netware accounts and the requirement to have two separate
passwords would be a barrier to the deployment of Linux. 

A pam_ncp_passwd module allowing users to also change their passwords is also 
planned.


How come it only took a few hours to put it together from scratch?
-----------------------------------------------------------------

This module is based on the ncpfs utilities developed by Volker Lendecke,
and is dynamically linked to the library routines contained therein. Therefore,
the ncpfs utilities are a prerequisite for compiling this module.

The most up-to-date version of the utilities can generally be found at 
	ftp://platan.vc.cvut.cz/pub/linux/ncpfs/latest

It is my intention to make this module stand alone, for simplicity and for
licensing reasons.


Configuration
-------------

The pam_ncp_auth module recognises one option, which is required (and may
be repeated):
	"server=<ServerName>"
Except that, it recoginzes five options:
	-d : turn on debugging output
	-v : display reasons login failures on terminal (default)
	-q : do not display login failures
	-s : disallow SUPERVISOR from logging-in
	-S : disallow SUPERVISOR equivalent from logging-in (NYI)
	

This module is designed to run alongside locally stored passwords. For example,
my /etc/pam.d/login file during testing looked like this:

auth       required     /lib/security/pam_securetty.so
auth       requisite    /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_pwdb.so shadow nullok
auth       required     /lib/security/pam_ncp_auth.so use_first_pass server=ROB-SERVER

This has the effect that users are only looked up on the Netware server if the
password they type fails to match the locally stored password. Hence local-only
users (such as root) are supported in this configuration.


David Woodhouse <Dave@imladris.demon.co.uk>
4/3/98

OK, to get it to work on my Debian - potato box, I have to use following
items in /etc/pam.d/login:

#%PAM-1.0
#[For version 1.0 syntax, the above header is optional]
#
# The PAM configuration file for the `login' service
#
auth       requisite  pam_securetty.so
auth	   required   pam_env.so
auth	   required   pam_nologin.so
auth       optional   pam_group.so
auth       sufficient pam_unix.so
auth	   sufficient pam_ncp_auth.so use_first_pass server=CDROM
auth	   required   pam_deny.so
account    requisite  pam_time.so
account    required   pam_unix.so
session    required   pam_unix.so
session    optional   pam_motd.so
session    optional   pam_mail.so
session    optional   pam_lastlog.so
password   required   pam_unix.so

Petr Vandrovec <vandrove@vc.cvut.cz>
9/23/99
