Samba PDC + PAM + NIS
Luca Filipozzi
lfilipoz at ise.bc.ca
Wed Oct 20 22:34:17 GMT 1999
Hello,
I'm new to the list but have read a lot of the messages in the archives and
the Samba NT FAQ. I do not have a complete understanding and would
appreciate a few questions answered. Primarily, I have not seen messages
talking about Samba with PAM using NIS (not NIS+).
Problem:
--------
Getting Samba to act as a PDC to 95/98/NT boxes and authenticate users
against a departmental NIS server.
Discussion:
-----------
NIS client working correctly.
Samba 2.0.5a compiled with PAM support.
Configured without "encrypt password". Created a machine account in
/etc/passwd and added machine account via smbpasswd -a -m <machine>.
Machine is Win95 and is able to connect to SAMBA domain and is able to
authenticate a user whose passwd entry is only available via NIS. This is
good, suggesting:
samba(PAM+NIS+encrypt=no) + 95(encrypt=???;user login) works
In order to add NT machine to domain, again create machine account. With
"encrypt password = no", NT box cannot join domain. This suggests:
samba(PAM+NIS+encrypt=no) + NT(encrypt=yes;join domain) does not work
With "encrypt password = yes", NT box DOES join domain. However, account
that worked with Win95 does not work with WinNT. This suggests:
samba(PAM+NIS+encrypt=yes) + NT(encrypt=yes;join domain) works
samba(PAM+NIS+encrypt=yes) + NT(encrypt=yes;user login) does not work
Test "encrypt password = yes" with Win95... does not work.
Summary:
--------
samba(PAM+NIS+encrypt=no) + 95(encrypt=???;user login) works
reason?: unencrypted password from 95 CAN be used with PAM+NIS
samba(PAM+NIS+encrypt=no) + NT(encrypt=yes;join domain) does not work
reason?: encrypted password from NT conflicts with samba setting
samba(PAM+NIS+encrypt=yes) + NT(encrypt=yes;join domain) works
reason?: both sides encrypted and machine account in samba password file
samba(PAM+NIS+encrypt=yes) + NT(encrypt=yes;user login) does not work
reason?: user account not in samba password file so PAM+NIS doesn't work
Questions:
----------
1) reasons?
Are my reasons above correct? Or have I misunderstood how samba is
working?
2) encrypt passwords
I've read some mailing list archives at www.samba.org that suggest that in
order to get PDC functionality, encrypt passwords MUST be set to "yes".
However, the Win95 box was able to authenticate the user without
encrypted passwords.
Is "encrypt password" explicitly required (like for adding NT machines to
the domain), or can it be set to "no" and the appropriate registry
settings in 95/98/NT/2000 made to use plain text passwords (that will be
valid for adding NT machines to the domain)?
I am presuming that the answer here is: encrypt password is explicitly
required.
3) PAM (NIS)
If encrypt passwords is required for PDC functionality, then can samba
still authenticate users via PAM+NIS, or do I need to use smbpasswd to
move user accounts from the NIS passwd file to the smbpasswd file?
I am presuming that the answer here is: PAM+NIS can't be used with
encrypted passwords.
If nobody here at VanLUG can answer these questions, then I'll join the
samba mailing list and post the questions there.
In any event, thanks for any and all help.
Luca
--
Luca Filipozzi <lucanntp at ise.bc.ca.spamsucks>
--
Luca Filipozzi, MASc Student - mailto:lucaf at ece.ubc.ca
Robotics and Control Laboratory - http://www.ece.ubc.ca/rcl
Dept. of Electrical and Computer Engineering
University of British Columbia
More information about the samba-ntdom mailing list
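
Added example, not part of the original post: a small shell helper for question 3, assuming (as the post presumes) that with `encrypt passwords = yes` each user needs an smbpasswd entry. It lists accounts in a passwd-format dump (for instance the output of `ypcat passwd`) that have no entry in an smbpasswd-format file; the function name, file names and sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post). Assumption, as the post
# presumes: with "encrypt passwords = yes" a user needs an smbpasswd entry.

# missing_smb_users PASSWD_FILE SMBPASSWD_FILE   (hypothetical helper)
# Prints, sorted, each user in the passwd-format file that has no entry
# in the smbpasswd-format file (name:uid:LMhash:NThash:[flags]:LCT-...:).
missing_smb_users() {
    awk -F: -v smb="$2" '
        BEGIN {
            # Load the user names already present in smbpasswd.
            while ((getline line < smb) > 0) {
                if (line ~ /^#/) continue
                split(line, f, ":")
                if (f[1] != "") have[f[1]] = 1
            }
            close(smb)
        }
        /^#/ || $1 == "" { next }   # comments and blank lines
        $1 ~ /^[+-]/     { next }   # NIS compat entries such as "+::::::"
        $1 ~ /\$$/       { next }   # machine accounts (name ends in "$")
        !($1 in have)    { print $1 }
    ' "$1" | sort
}

# Constructed sample data; the hashes are placeholders, not real values.
demo_dir=$(mktemp -d)
cat > "$demo_dir/nis.passwd" <<'EOF'
alice:x:1001:100:Alice:/home/alice:/bin/sh
bob:x:1002:100:Bob:/home/bob:/bin/sh
ntbox$:x:2001:200:NT machine:/dev/null:/bin/false
EOF
cat > "$demo_dir/smbpasswd" <<'EOF'
# constructed smbpasswd entries
alice:1001:0123456789ABCDEF0123456789ABCDEF:0123456789ABCDEF0123456789ABCDEF:[U          ]:LCT-00000000:
ntbox$:2001:0123456789ABCDEF0123456789ABCDEF:0123456789ABCDEF0123456789ABCDEF:[W          ]:LCT-00000000:
EOF
# In real use the first file would come from: ypcat passwd > nis.passwd
missing_smb_users "$demo_dir/nis.passwd" "$demo_dir/smbpasswd"   # prints: bob
rm -rf "$demo_dir"
```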