Samba NIS+ support

Gerald Heinig heinig at hdz-ima.rwth-aachen.de
Thu Dec 17 09:41:17 GMT 1998


Hi all,

Bad news on the NIS+ front, I'm afraid. It seems I completely
underestimated the time needed for my college work and setting up our
department network here. I was banking on having finished both tasks by
end of November and having December to do a bit of work on the NIS+
account management on Samba. No such luck: I've run into a load of
unforeseen problems with my paper and although our department is now up
and running smoothly with Samba 2.0beta2 / NT 4 SP3 (great job, guys!)
there were a lot of time-consuming teething problems.
The outlook for me next year is ultra-bleak timewise, so, regrettably,
I can't do anything on Samba/NIS+ above the hobby level. I hope I
haven't let anybody down... if so, my apologies.

I would, however, like to get an answer to a problem which will have to
be solved if NIS+ is used as the main account database. NIS+
authenticates users with a public key system which involves NIS+
decrypting the user's private key with his password when he logs in, and
storing the private key in the keyserver for future reference. The
private keys are lost when the machine is rebooted or when the user
issues a keylogout request. The problem we have here is that on a
machine other than the root master server running NIS+ and Samba, any
user that *hasn't* yet logged in to UNIX at least once (which stores the
private key in the keyserver on the UNIX box) is set to UID nobody and
consequently has virtually no access rights, i.e. NFS mounts of home
directories do not work (since the user is unauthenticated) and all
files are created with UID nobody. The user either has to log in once to
the UNIX machine (which performs the keyserver store automatically) or
do a telnet to the UNIX box and do a keylogin.
Of course Samba could do all that, but it would need the user's
cleartext password, which is normally encrypted when it arrives from the
NT box. The question is, can Samba generate the cleartext password from
the NT hash, or would we have to store the cleartext password in NIS+,
perhaps encrypted with some other key known only to NIS+?

Cheers,

Gerald
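The keyserver flow described in the message, as an added toy model in Python (this is not Samba or NIS+ code): a user's private key is stored encrypted under a key derived from the login password, keylogin decrypts it into an in-memory per-host keyserver, and a Secure RPC service sees the real uid only while that entry exists, otherwise "nobody". SHA-256 key derivation and an XOR-plus-HMAC cipher stand in for the DES-based Secure RPC primitives, and uid 60001 for "nobody" is an assumption. The model also shows why keylogin needs the cleartext: the NT hash Samba receives is a one-way MD4 over the password, so it cannot be turned back into the secret that the decryption step requires.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field

# Assumption: a Solaris-style 'nobody' uid; the message only says "UID nobody".
NOBODY_UID = 60001


def derive_key(password: str) -> bytes:
    """Stand-in for the password-to-key step of Secure RPC (a DES key derived
    from the login password in the real system). SHA-256 is enough to model
    'decrypt the private key with the password' without shipping DES."""
    return hashlib.sha256(b"toy-passwd2des|" + password.encode("utf-8")).digest()


def _keystream(key: bytes, length: int) -> bytes:
    """Deterministic key stream for the toy XOR cipher (not a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_private_key(private_key: bytes, password: str) -> bytes:
    """At-rest form of a user's secret key: XOR with a key stream under the
    password-derived key, plus an HMAC tag so a wrong password is detected."""
    k = derive_key(password)
    ct = bytes(a ^ b for a, b in zip(private_key, _keystream(k, len(private_key))))
    tag = hmac.new(k, ct, "sha256").digest()
    return ct + tag


def decrypt_private_key(blob: bytes, password: str) -> bytes | None:
    """Return the private key, or None if the password does not fit."""
    k = derive_key(password)
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(k, ct, "sha256").digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(k, len(ct))))


@dataclass
class KeyServer:
    """In-memory per-host keyserver: decrypted private keys indexed by uid."""
    keys: dict[int, bytes] = field(default_factory=dict)

    def keylogin(self, uid: int, password: str, blob: bytes) -> bool:
        # needs the cleartext password: a password hash cannot drive this step
        pk = decrypt_private_key(blob, password)
        if pk is None:
            return False
        self.keys[uid] = pk
        return True

    def keylogout(self, uid: int) -> None:
        self.keys.pop(uid, None)

    def reboot(self) -> None:
        # keys live only in memory, so a reboot loses all of them
        self.keys.clear()


def effective_uid(ks: KeyServer, uid: int) -> int:
    """What a Secure RPC service (e.g. NFS) sees: the real uid only if the
    keyserver can authenticate the user, otherwise 'nobody'."""
    return uid if uid in ks.keys else NOBODY_UID


def walkthrough() -> dict:
    """Run the scenario from the message on one host and report the uids seen."""
    uid, password = 1001, "correct horse"
    private_key = b"\x5a" * 24  # constructed secret key material
    blob = encrypt_private_key(private_key, password)  # what the cred table holds

    ks = KeyServer()
    result = {"before_login": effective_uid(ks, uid)}
    result["wrong_password_accepted"] = ks.keylogin(uid, "not the password", blob)
    result["login_ok"] = ks.keylogin(uid, password, blob)
    result["after_login"] = effective_uid(ks, uid)
    ks.reboot()
    result["after_reboot"] = effective_uid(ks, uid)
    return result


if __name__ == "__main__":
    print(walkthrough())
```

Running `walkthrough()` reproduces the observation in the message: before any keylogin on that host the user is "nobody", a correct keylogin restores the real uid, and a reboot drops it again, so anything acting on the user's behalf needs the cleartext password at login time rather than a stored hash.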
