[NTDOM] NISGINA revisited

jeremy garber jgarber at eng.utoledo.edu
Wed Mar 4 19:03:57 GMT 1998


Sorry, I was afraid that I wasn't clear enough in my original post and it 
appears I was correct.  I'll try to help here:

Gerald W. Carter wrote:
> 
> jeremy garber wrote:
> > 
> > I currently have the NTDOM code functional on a test basis.
> > I also have NISGINA configured to automatically create and update the
> > smbpasswd entries on a test basis when logging into a samba domain.  Of
> > course the NT policies (something we must have functional) that are
> > stored on the samba server are not being pulled down when using the
> > current NISGINA.
> 
> Couldn't you specify a manual remote update from a share on a samba
> server which was configured using encrypted passwords?
> 

To do what?  Load the policies?  Sorry, I don't think I'm following you here.

> > What is wrong with my thinking that I can just rip the code out of
> > NISGINA that creates a local account so that I am actually logging in
> > under a domain account in the samba domain?  There must be more to it
> > than this.
> 
> There are two ways I could understand what you are saying.  One is that
> the domain account already exists.  In this case you would be
> authenticating twice.  Don't see a need for that.
> 

Yes, the domain account will already exist (in smbpasswd) because NISGINA put it 
there after the initial NIS authentication.  Yes, it is a kludge that will 
probably end up authenticating twice: once to NIS and once to the samba PDC (on 
the same machine).

> If you are validating against the PDC why not just keep the default
> msgina.dll unless you have some secret way of synchronizing the 
> passwords. ;)
> 

The secret password sync is to have NISGINA always keep smbpasswd current.
NISGINA is also nice for being able to customize which buttons are active on the 
ctrl-alt-delete screens (e.g. lock, Shut Down, Task Manager).

> The second way would be that the domain account does not exist and you
> want NISgina to create it rather than a local account.  This will not
> work since only certain accounts are authorized to add accounts to a
> domain.  It has been tried (check the NISgina mailing list archives)
> by replacing the NULL parameter in NetUserAdd() with the name of the
> PDC.
> 

Basically, that is what keeping smbpasswd current will do (i.e. create a domain 
account -- at least as much info as samba needs).  Right?

> > Will I have to add code to NISGINA so that it understands it is using a
> > domain account rather than a local one?
> 
> Gernot Bauer has added support to allow NISgina to login to a PDC or a
> NIS master.  
> 
> 	http://www.eikon.e-technik.tu-muenchen.de/nisgina/
> 
> You may already know about this.
> 

Yes, I knew about this, but I had forgotten it.  We have been using Gernot's 
version with a few changes.  Thanks for reminding me... The code should already 
be there for the samba PDC login.  I just have to get it to do both types (NIS 
first, then PDC) without creating a local account... right?


Jeremy

