[NTDOM] NISGINA revisited
jeremy garber
jgarber at eng.utoledo.edu
Wed Mar 4 19:03:57 GMT 1998

Sorry, I was afraid that I wasn't clear enough in my original post and it
appears I was correct. I'll try to help here:

Gerald W. Carter wrote:
>
> jeremy garber wrote:
> >
> > I currently have the NTDOM code functional on a test basis.
> > I also have NISGINA configured to automatically create and update the
> > smbpasswd entries on a test basis when logging into a samba domain. Of
> > course the NT policies (something we must have functional) that are
> > stored on the samba server are not being pulled down when using the
> > current NISGINA.
>
> Couldn't you specify a manual remote update from a share on a samba
> server which was configured using encrypted passwords?
>
To do what? Load the policies? Sorry, I don't think I'm following you here.

> > What is wrong with my thinking that I can just rip the code out of
> > NISGINA that creates a local account so that I am actually logging in
> > under a domain account in the samba domain? There must be more to it
> > than this.
>
> There are two ways I could understand what you are saying. One is that
> the domain account already exists. In this case you would be
> authenticating twice. Don't see a need for that.
>
Yes, the domain account will already exist (in smbpasswd) because NISGINA put it
there after the initial NIS authentication. Yes, it is a kludge that will
probably end up authenticating twice: once to NIS and once to the samba PDC (on
the same machine).

> If you are validating against the PDC why not just keep the default
> msgina.dll unless you have some secret way of synchronizing the
> passwords. ;)
>
The secret password sync is to have NISGINA always keep smbpasswd current.
NISGINA is also nice for being able to customize which buttons are active on the
ctrl-alt-delete screens (e.g. lock, Shut Down, Task Manager).

> The second way would be that the domain account does not exist and you
> want NISgina to create it rather than a local account. This will not
> work since only certain accounts are authorized to add accounts to a
> domain. It has been tried ( check the NISgina mailing list archives )
> by replacing the NULL parameter in NetUserAdd() with the name of the
> PDC.
>
Basically, that is what keeping smbpasswd current will do (i.e. create a domain
account -- at least as much info as samba needs). Right?

> > Will I have to add code to NISGINA so that it understands it is using a
> > domain account rather than a local one?
>
> Gernot Bauer has added support to allow NISgina to login to a PDC or a
> NIS master.
>
> http://www.eikon.e-technik.tu-muenchen.de/nisgina/
>
> You may already know about this
>
Yes, I knew about this, but I had forgotten it. We have been using Gernot's
version with a few changes. Thanks for reminding me... The code should already
be there for the samba PDC login. I just have to get it to do both types (NIS
first, then PDC) without creating a local account... right?

Jeremy