Samba PDC as a password server

Dana Canfield canfield at
Wed Apr 29 17:18:09 GMT 1998

Luke Kenneth Casson Leighton wrote:

> [cross-posting to samba-ntdom and pam-list]
> On Wed, 29 Apr 1998, John R Lane wrote:
> > It would seem that one could use PAM (for those running Solaris or RH
> > Linux, at least) on the unix side and have it relay a user's (correct)
> > password to the samba server.
> oo.  that's an excellent idea.

For a few more days, I've got a spare machine that I could try this out
with.  My PAM skillsare horrendous (see below), but if anyone wants to give
me an idea of how to go about this, I can
try it out and see if it works.

This brings up another question/problem.  I assume this setup would use
PAM_NTDOM somehow, right?
Has anyone tried it with a really large passwd file?  I'm extremely cautious
of PAM right now.  When I first
installed Linux on our systems, I didn't notice that PAM authentication with
pam_pwdb took well over a second
to validate a user (our password file is over 2000 users). This may not seem
like long, but we service about 50-80
POP3 connections per minute.  As you can guess, the system bogged down to a
halt within about 15 minutes.
Switching to pam_unix_* more or less fixed the problem, but it's still not
as fast as a POP server compiled without
PAM support.  (I'm certainly open to the possibility that this might be a
configuration error, but RedHat had no
suggestions, either.)  My concern is that if PAM_NTDOM isn't lightning-fast,
it may not be feasible for large
installations to use it for Samba authentication across multiple machines,
which is kind of the point, right?
(BTW, this is the only time I've encountered any "scalability problems with
Linux", which seems to be the
popular vague ciriticism of it right now.)

> >  Not pretty, but ... has anyone done
> > this?  Of course, this would mean they would have to log into a unix
> > box first.
> not necessarily...

 I just love these vague two-word optimisms from Luke.  They really keep the
wheels turning on this list.
"Well, Luke said it wasn't impossible, so there must be a way..." ;-)


More information about the samba-ntdom mailing list