NI_PAM Installation Document

1. Overview

NI_PAM is software that provides pluggable authentication and single sign-on in the Windows NT operating system. Because it is a logon program, installing NI_PAM is somewhat complex. This document is meant to help you install NI_PAM on your Windows NT machine. For more about NI_PAM, please refer to the paper "NI_PAM : Pluggable Authentication Module in Windows NT".

2. Files

The following files are contained in this archive:

   ni_pam.dll
      The main part of NI_PAM, which implements the Pluggable Authentication Module.
   ni_gina.dll
      The GINA that uses NI_PAM.
   ni_krb4.dll
      Kerberos 4 authentication module.
   ni_krb5.dll
      Kerberos 5 authentication module.
   ni_nw.dll
      Netware 4.0 authentication module.
   ni_sc.dll
      CyberFlex JavaCard password obtaining module.
   krb.con, krbrealm.con
      Sample configuration files for Kerberos 4.
   krb5.ini
      Sample configuration file for Kerberos 5.
   Krb5_32.dll, krbv4win.dll, pc3comm.dll
      DLLs for specific network providers. You might not need these files if the network providers are already installed on your machine.

3. Installation

Installation of NI_PAM is achieved in 3 steps.

   1) Install the network providers you want to use (e.g. Kerberos 4, Kerberos 5, Netware, smart card).
   2) Copy the NI_PAM DLLs (ni_pam.dll, ni_gina.dll, ni_krb4.dll, ni_krb5.dll, ni_nw.dll) to the directory where you want to store them.
   3) Modify the registry to tell Winlogon and NI_PAM where the NI_PAM DLLs can be found and what authentication behavior is required.

1) For reference, I describe how I set up the network providers.

   * Kerberos 4
     I used the Krbv4win-970627 package.
     Copy krbv4win.dll to \Winnt\System32.
     Set KRBTKFILE = \net\kerb\krb4tgt.
     Set NDIR \net.
     Put the configuration files (krb.con and krbrealm.con) in \net\kerb.

   * Kerberos 5
     I used the MIT distribution of Kerberos 5 NT Alpha 2 Snapshot.
     Copy krb5_32.dll to \Winnt\System32.
     Put the configuration file (krb5.ini) in \Winnt.

   * Netware 4.0
     The Netware 4.0 client is installed automatically by setup.exe.

   * Smart Card (CyberFlex JavaCard)
     Set serial port number 2 (COM2) to 8/E/1.
     Attach the pc3 reader to the COM2 port.

2) I copied all of the NI_PAM DLLs (ni_pam.dll, ni_gina.dll, ni_krb4.dll, ni_krb5.dll, ni_nw.dll, ni_sc.dll) to \Winnt\System32.

3) I added four values in the Registry. The key is
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
   The values are:

   ni_gina_auth:
      required D:\Winnt\System32\ni_krb4.dll
      optional D:\Winnt\System32\ni_krb5.dll
      optional D:\Winnt\System32\ni_nw.dll

   ni_gina_obtain:
      required D:\Winnt\System32\ni_sc.dll
      (You do not have to add the ni_gina_obtain value if you are not using a smart card.)

   ni_gina_chpass:
      required D:\Winnt\System32\ni_krb4.dll
      required D:\Winnt\System32\ni_krb5.dll
      required \Winnt\System32\ni_nw.dll
      (Since we have not completed the change password module yet, you do not have to add the ni_gina_chpass value.)

4. Known problems

NI_PAM is still under development and therefore has several immature features. NI_GINA in particular is the most incomplete part. For example, NI_GINA does not support any of the following: change password, screen lock, listening to SAS, user profile, static account, AFS support. These problems should be addressed.
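
Added example (not part of the NI_PAM distribution): a small Python check for the module-stack values listed in section 3, reporting any entry whose control flag is not one of the two used in this document or whose DLL path is not fully qualified. It assumes each value is a whitespace-separated sequence of control-flag and DLL-path pairs with no spaces in the paths; parse_stack, lint_stack and lint_all are names made up for this example.

```python
import re

# Control flags that appear in this document; anything else is reported.
KNOWN_FLAGS = {"required", "optional"}
# Fully qualified path to a DLL: drive letter, colon, backslash, ... .dll
ABSOLUTE_DLL = re.compile(r"^[A-Za-z]:\\.+\.dll$", re.IGNORECASE)

def parse_stack(value):
    """Split a stack value into (flag, path) pairs.

    Assumption: entries are whitespace-separated and paths hold no spaces,
    as in the values shown in this document.
    """
    tokens = value.split()
    if len(tokens) % 2:
        raise ValueError("odd token count: a flag or a path is missing")
    return list(zip(tokens[0::2], tokens[1::2]))

def lint_stack(name, value):
    """Return a list of findings for one module-stack value."""
    findings = []
    for flag, path in parse_stack(value):
        if flag.lower() not in KNOWN_FLAGS:
            findings.append(f"{name}: unknown control flag {flag!r}")
        if not ABSOLUTE_DLL.match(path):
            # Without a drive letter the path resolves against the current
            # drive of the loading process, so a different file may load.
            findings.append(f"{name}: {path} is not a fully qualified DLL path")
    return findings

# The three values as given in section 3 of this document.
VALUES = {
    "ni_gina_auth": r"required D:\Winnt\System32\ni_krb4.dll "
                    r"optional D:\Winnt\System32\ni_krb5.dll "
                    r"optional D:\Winnt\System32\ni_nw.dll",
    "ni_gina_obtain": r"required D:\Winnt\System32\ni_sc.dll",
    "ni_gina_chpass": r"required D:\Winnt\System32\ni_krb4.dll "
                      r"required D:\Winnt\System32\ni_krb5.dll "
                      r"required \Winnt\System32\ni_nw.dll",
}

def lint_all(values):
    """Lint every value and return all findings in order."""
    return [f for name, value in values.items() for f in lint_stack(name, value)]

if __name__ == "__main__":
    print("\n".join(lint_all(VALUES)))
```

Run against the values as printed above, it reports the ni_gina_chpass entry \Winnt\System32\ni_nw.dll, which has no drive letter.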