PAM support in 2.0.x and TNG

Mayers, Philip J p.mayers at ic.ac.uk
Mon Aug 7 08:37:09 GMT 2000


You're confusing PAM and NSS I think. Samba will only use PAM if "encrypted
passwords = no". Since you're talking about machine accounts, and hence
domain controllers, "encrypted passwords = yes" is required. Hence, samba
doesn't ever receive the clear text password, and PAM is useless to Samba.

The NSS on the other hand (which is responsible for name ->
uid/gid/homedir/shell mappings) on Solaris and Linux at least, is used just
like in any other program. When a connection is made, samba does a
getpwnam(login_name_after_NT_to_UNIX_mapping) to get the uid/gid/secondary
groups to switch down to from root.

I'm not really following what you want to do, but suffice to say that
provided you have PAM_ldap and NSS_ldap set up correctly, you can put
accounts wherever you like. The (old) LDAP support in Samba is a little more
picky though, especially if you create the accounts using "smbpasswd -a", or
the samedit equivalent.

Regards,
Phil

+----------------------------------+
| Phil Mayers, Network Support     |
| Centre for Computing Services    |
| Imperial College                 |
+----------------------------------+ 

-----Original Message-----
From: Matthew Geddes [mailto:mgeddes at xavier.sa.edu.au]
Sent: 07 August 2000 01:16
To: Multiple recipients of list SAMBA-NTDOM
Subject: PAM support in 2.0.x and TNG


Hi,

Can anyone confirm to what extent PAM is supported in Samba? I know that
it checks PAM for the Unix account for users, but does it do this for
machine accounts?

I'm running RedHat Linux and PAM_LDAP quite nicely and want to be able
to store machine accounts in their own little part of the directory ;-).

Thanks,
Matt
-- 

Matthew Geddes
Network Manager
Xavier College
Gawler, SA
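
Added example (not part of the original messages and not Samba's code): the NSS step described in the reply above, as a small C program. It resolves a UNIX login with getpwnam_r() and getgrouplist(), which follow /etc/nsswitch.conf (so nss_ldap applies) and never involve PAM or a password, then drops from root in the order groups, gid, uid. The names unix_identity, resolve_identity, drop_to_identity and MAX_GROUPS are made up for this illustration.

```c
#define _DEFAULT_SOURCE 1          /* glibc: expose getgrouplist(), setgroups() */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

#define MAX_GROUPS 64              /* illustrative cap, not a Samba value */

struct unix_identity {
    uid_t uid;
    gid_t gid;
    gid_t groups[MAX_GROUPS];
    int   ngroups;
};

/* Resolve an already NT->UNIX mapped login name through NSS (files, LDAP, ...).
 * No password is involved. Returns 0 on success, -1 if unknown or on error. */
int resolve_identity(const char *name, struct unix_identity *id)
{
    struct passwd pw, *res = NULL;
    char buf[16384];
    if (getpwnam_r(name, &pw, buf, sizeof buf, &res) != 0 || res == NULL)
        return -1;
    id->uid = pw.pw_uid;
    id->gid = pw.pw_gid;
    id->ngroups = MAX_GROUPS;
    if (getgrouplist(name, pw.pw_gid, id->groups, &id->ngroups) < 0)
        return -1;                 /* too many groups: fail, do not truncate */
    return 0;
}

/* Permanent drop from root: supplementary groups, then gid, then uid. */
int drop_to_identity(const struct unix_identity *id)
{
    if (setgroups((size_t)id->ngroups, id->groups) != 0) return -1;
    if (setgid(id->gid) != 0) return -1;
    if (setuid(id->uid) != 0) return -1;
    if (id->uid != 0 && setuid(0) == 0) return -1;  /* root must be gone */
    return 0;
}

int main(int argc, char **argv)
{
    struct unix_identity id;
    if (argc != 2 || resolve_identity(argv[1], &id) != 0)
        return 1;                  /* usage: prog <login>; name must resolve */
    printf("uid=%u gid=%u ngroups=%d\n", (unsigned)id.uid, (unsigned)id.gid, id.ngroups);
    return (geteuid() == 0 && drop_to_identity(&id) != 0) ? 1 : 0;
}
```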

