NT Authentication

Kevin Colby kevinc at grainsystems.com
Fri Jul 14 19:05:57 GMT 2000 

I cannot recall the specifics, but I thought that a simple auth
check could be done via rpcclient.  If so, it would be a simple
matter to have the CGI or ASP or whatever call that.

I think this was even mentioned here before.  Does anyone recall
the details of that?

	- Kevin Colby
	  kevinc at grainsystems.com



Ben Meyer wrote:
> 
> On Thu, Jul 13, 2000 at 03:33:10AM +1000, Paul J Collins wrote:
> >> >>>>> "Ben" == Ben Meyer <Ben_Meyer at pfm.org> writes:
> >>
> >>     Ben> Is there a way to authenticate to an NT PDC/BDC for a user
> >>     Ben> that does not have an account on the local linux/samba
> >>     Ben> system? The user does not need to have any access rights to
> >>     Ben> anything on the system, and the authentication is being used
> >>     Ben> only to make sure they are a valid user on the network.>>
> >Could you explain a little, for what you need that?
> 
> Basically, I am writing a website  people to do certain things. For these
> things to be done, I need to know who the person is b/c it deals with
> various information about the person. Everyone who is going to be using the
> website is already a part of the domain and has a username and password on
> the NT systems (the PDC & BDC). The system that my website resides on is a
> Linux system running Apache w/Php and has Samba installed so that things can
> be shared with people working in Windows.  Since the people already have an
> account with NT, I figure why create a second account system and have to
> deal with passwords which they can forget when I can simply use some of the
> software provided to access the NT authentication systems and use their
> current account. The only thing I am using the NT Authentication for is to
> make sure their username and password are correct. I just need to be able to
> pass a user and password to NT and see if they are valid.
> 
> Thus far, I have come across PAM_SMB, PAM_NTLM (Both of which can be
> combined with PHP_PAM for my use),Authen-Smb, PAM_SMBPASS, MOD_NTLM, and a
> few others. But have had troubles to some degree with various ones.
> Obviously I would prefer something that can be accessed from Php run and Run
> through Samba to authenticate to the PDC.  I have also found documentation
> saying that in order for a user to be authenticated by NT through Samba they
> must have a Samba Account (smbpasswords or whatever it is called) on the
> Samba server as well as their NT account. I would like to forgo having to
> create the accounts on the Linux system and have to manage those accounts
> and their passwords and just authenticate to the NT system. The users are
> not using anything but the web interface and therefore do not need home
> directories, file permissions, or any other kind of access onto the system,
> just access to the website which will be using the NT PDC for
> authentication.
> 
> >
> >> *ALL* of the Samba infrastructure requires that domain users have a
> >> Unix account on the server.
> >There's one function currently, that doesn't need that, at
> >least, as far, as I've looked at it:
> >_net_sam_logon
> >This might mean, that samba can forward a logon-request to
> >a trusted domain, maybe meaning, you could even login at an
> >ntwks, that is a member of the samba-domain with a user
> >from the trusted domain without a unix-user for that... of
> >course, you will get a bunch of errors, becuse the nt
> >machine wants to read ntconfig.pol and the like. ;)>
> 
> The logon-request forwarding is really all I need as long as returned
> true/false to the calling application. It's not the Linux OS making the call
> here.
> 
> Thanks,
> Ben M.

More information about the samba-ntdom mailing list