NT Authentication

[Ben Meyer]

On Thu, Jul 13, 2000 at 03:33:10AM +1000, Paul J Collins wrote:
>> >>>>> "Ben" == Ben Meyer <Ben_Meyer at pfm.org> writes:
>> 
>>     Ben> Is there a way to authenticate to an NT PDC/BDC for a user
>>     Ben> that does not have an account on the local linux/samba
>>     Ben> system? The user does not need to have any access rights to
>>     Ben> anything on the system, and the authentication is being used
>>     Ben> only to make sure they are a valid user on the network.>>
>Could you explain a little, for what you need that?

Basically, I am writing a website  people to do certain things. For these
things to be done, I need to know who the person is b/c it deals with
various information about the person. Everyone who is going to be using the
website is already a part of the domain and has a username and password on
the NT systems (the PDC & BDC). The system that my website resides on is a
Linux system running Apache w/Php and has Samba installed so that things can
be shared with people working in Windows.  Since the people already have an
account with NT, I figure why create a second account system and have to
deal with passwords which they can forget when I can simply use some of the
software provided to access the NT authentication systems and use their
current account. The only thing I am using the NT Authentication for is to
make sure their username and password are correct. I just need to be able to
pass a user and password to NT and see if they are valid.

Thus far, I have come across PAM_SMB, PAM_NTLM (Both of which can be
combined with PHP_PAM for my use),Authen-Smb, PAM_SMBPASS, MOD_NTLM, and a
few others. But have had troubles to some degree with various ones.
Obviously I would prefer something that can be accessed from Php run and Run
through Samba to authenticate to the PDC.  I have also found documentation
saying that in order for a user to be authenticated by NT through Samba they
must have a Samba Account (smbpasswords or whatever it is called) on the
Samba server as well as their NT account. I would like to forgo having to
create the accounts on the Linux system and have to manage those accounts
and their passwords and just authenticate to the NT system. The users are
not using anything but the web interface and therefore do not need home
directories, file permissions, or any other kind of access onto the system,
just access to the website which will be using the NT PDC for
authentication.

>
>> *ALL* of the Samba infrastructure requires that domain users have a
>> Unix account on the server.
>There's one function currently, that doesn't need that, at
>least, as far, as I've looked at it:
>_net_sam_logon
>This might mean, that samba can forward a logon-request to
>a trusted domain, maybe meaning, you could even login at an
>ntwks, that is a member of the samba-domain with a user
>from the trusted domain without a unix-user for that... of
>course, you will get a bunch of errors, becuse the nt
>machine wants to read ntconfig.pol and the like. ;)>

The logon-request forwarding is really all I need as long as returned
true/false to the calling application. It's not the Linux OS making the call
here.

Thanks,
Ben M.