Samba PDC + PAM + NIS

Luca Filipozzi lfilipoz at ise.bc.ca
Wed Oct 20 22:34:17 GMT 1999


Hello,

I'm new to the list but have read a lot of the messages in the archives and
the Samba NT FAQ. I do not have a complete understanding and would
appreciate a few questions answered. Primarily, I have not seen messages
talking about Samba with PAM using NIS (not NIS+).

Problem:
--------
Getting Samba to act as a PDC to 95/98/NT boxes and authenticate users 
against a departmental NIS server.

Discussion:
-----------
NIS client working correctly.
Samba 2.0.5a compiled with PAM support.

Configured without "encrypt password". Created a machine account in 
/etc/passwd and added machine account via smbpasswd -a -m <machine>.

Machine is Win95 and is able to connect to SAMBA domain and is able to 
authenticate a user whose passwd entry is only available via NIS. This is 
good, suggesting:
samba(PAM+NIS+encrypt=no)  + 95(encrypt=???;user login)  works

In order to add NT machine to domain, again create machine account. With 
"encrypt password = no", NT box cannot join domain. This suggests:
samba(PAM+NIS+encrypt=no)  + NT(encrypt=yes;join domain) does not work

With "encrypt password = yes", NT box DOES join domain. However, account 
that worked with Win95 does not work with WinNT. This suggests:
samba(PAM+NIS+encrypt=yes) + NT(encrypt=yes;join domain) works
samba(PAM+NIS+encrypt=yes) + NT(encrypt=yes;user login)  does not work


Test "encrypt password = yes" with Win95... does not work.

Summary:
--------
samba(PAM+NIS+encrypt=no)  + 95(encrypt=???;user login)  works
reason?: unencrypted password from 95 CAN be used with PAM+NIS

samba(PAM+NIS+encrypt=no)  + NT(encrypt=yes;join domain) does not work
reason?: encrypted password from NT conflicts with samba setting

samba(PAM+NIS+encrypt=yes) + NT(encrypt=yes;join domain) works
reason?: both sides encrypted and machine account in samba password file

samba(PAM+NIS+encrypt=yes) + NT(encrypt=yes;user login)  does not work
reason?: user account not in samba password file so PAM+NIS doesn't work


Questions:
----------
1) reasons?
Are my reasons above correct? Or have I misunderstood how samba is 
working?

2) encrypt passwords
I've read some mailing list archives at www.samba.org that suggest that in 
order to get PDC functionality, encrypt passwords MUST be set to "yes". 
However, the Win95 box was able to authenticate the user without 
encrypted passwords. 

Is "encrypt password" explicitly required (like for adding NT machines to 
the domain), or can it be set to "no" and the appropriate registry 
settings in 95/98/NT/2000 made to use plain text passwords (that will be 
valid for adding NT machines to the domain)?
I am presuming that the answer here is: encrypt password is explicitly 
required.

3) PAM (NIS)
If encrypt passwords is required for PDC functionality, then can samba 
still authenticate users via PAM+NIS, or do I need to use smbpasswd to 
move user accounts from the NIS passwd file to the smbpasswd file?
I am presuming that the answer here is: PAM+NIS can't be used with 
encrypted passwords.

If nobody here at VanLUG can answer these questions, then I'll join the 
samba mailing list and post the questions there.

In any event, thanks for any and all help.

Luca
-- 
Luca Filipozzi <lucanntp at ise.bc.ca.spamsucks>

--
Luca Filipozzi, MASc Student                 - mailto:lucaf at ece.ubc.ca
Robotics and Control Laboratory              - http://www.ece.ubc.ca/rcl
Dept. of Electrical and Computer Engineering 
University of British Columbia               
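
The user-login rows of the summary in the message above can be modelled in a few lines. This is an added example, not part of the original post and not Samba's code: salted SHA-256 and HMAC are stand-ins (assumptions) for crypt() and the real LM/NT challenge-response, and the user names and passwords are constructed.

```python
import hashlib, hmac, os

# Stand-ins (assumptions): salted SHA-256 plays the role of the crypt() hash in
# the NIS passwd map; SHA-256 + HMAC play the role of the NT hash and the
# challenge-response computation.

def unix_hash(password, salt):
    """What the NIS passwd map holds: a salted one-way hash."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

def smb_key(password):
    """What smbpasswd holds: an unsalted hash used directly as the key."""
    return hashlib.sha256(password.encode()).digest()

def client_response(password, challenge):
    """Encrypted login: the client proves it knows the key, sends no password."""
    return hmac.new(smb_key(password), challenge, hashlib.sha256).digest()

# Constructed sample data: 'alice' exists only in NIS, 'bob' is also in smbpasswd.
SALT = b"ab"
NIS = {"alice": unix_hash("wonderland", SALT), "bob": unix_hash("builder", SALT)}
SMBPASSWD = {"bob": smb_key("builder")}

def login_plaintext(user, password):
    """encrypt=no: the server receives the password and can hash it as PAM/NIS would."""
    stored = NIS.get(user)
    return stored is not None and hmac.compare_digest(stored, unix_hash(password, SALT))

def login_encrypted(user, password):
    """encrypt=yes: the server only ever sees the response to its challenge."""
    challenge = os.urandom(8)
    response = client_response(password, challenge)  # computed on the client
    key = SMBPASSWD.get(user)
    if key is None:
        return False  # the salted NIS hash cannot reproduce the response
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(response, expected)

def matrix():
    return {
        "plaintext, user only in NIS": login_plaintext("alice", "wonderland"),
        "encrypted, user only in NIS": login_encrypted("alice", "wonderland"),
        "encrypted, user in smbpasswd": login_encrypted("bob", "builder"),
        "encrypted, wrong password": login_encrypted("bob", "wrong"),
    }

if __name__ == "__main__":
    for case, ok in matrix().items():
        print(f"{case:30} {'works' if ok else 'does not work'}")
```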

