A question about Auth Backends

Doug Marcey dougm at cambridge.com
Tue Mar 27 23:25:00 GMT 2001

I have a question or two (six?) here. First let me describe my situation.

I work at a company that has been developing software for Irix for quite
some time. As a result our entire company infrastructure is built around
Unix machines. Right now we have linux for almost all of our network serving
needs. Our web, mail, firewall, file, cvs and everything are served off of
either linux, or openbsd. The only exception is a novell 3.20 server that
the administrative side of the company uses (and has been using for 6 or 7
years now).

Recently (last two years) we have been developing a cross platform version
of our software that uses a java gui and c++ backend to provide the same
look and feel across irix, solaris, linux, hp/ux, windows 9x/ME/NT/2000, and
vxworks. Windows has become a very popular platform for the software and as
such we have been purchasing more and more windows nt/2000 systems for

Currently I have a single NT 4.0 server on the network operating as a PDC.
It handles logons and auth requests from the windows nt/2000 systems and
authenticates the samba shares for the unix systems, that is all it does. It
does not provide any file serving (users profiles and home directories are
served off of Linux w/ samba 2.0.7), or anything else. I am trying to
convince The-Powers-That-Be (read: old novell admin) that we could ditch the
NT server completely on the development side and just use a samba PDC. Since
we have to have both NT 4.0 and 2000 pro a 2.2 version of samba would be
necessary. Even though I see many advantages to this in manageability the
major question I have to answer is: will this in some way allow us to get
rid of our "dual account" setup? Right now, the users have an NT account and
a separate Unix account with the same username but with different passwords
(could be the same but they are not synced).

I have seen a few suggestions for this but none of them are very
satisfactory for me. I don't want to use pam_smb or winbind as my
infrastructure is unix and I would hate to have to manage everything through
the windows end of things. Besides, IRIX (still our main development
platform) does not support PAM. I see LDAP as an ideal solution for this,
but that would mean I would completely have to redo my password system and
things would slow down since all the account information would be on the
network instead of the local machine. I am also not so crazy about the
single point of failure that an ldap server would introduce. The ideal
solution for me would be to have samba just use pam directly itself and
check against the local password file on whatever system it is on. I see
that there seem to be PAM hooks in samba (at least there are config options)
but I can't seem to find any info on them in any documentation.

Is this all on track with what people on this list have experienced? Is
there *any* way to do this besides using pam_smb or something like it? How
have others solved this problem? And finally, is the LDAP support in 2.2
close to being ready for prime time? The nicest solution would allow people
to change password both on unix and windows and have it propagate to the
other side. However, if I need to set up some kind of a password change
system, such as a password change web page, with a special script at the
backend, then I can.

	Any answers to the above questions would be greatly appreciated,

			Thank you for your time,


Doug Marcey
Systems Administrator
Cambridge Research Associates
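The password-propagation question above is, on the Windows-to-Unix side, something Samba's own password-sync options cover. The following smb.conf fragment is an added example for illustration, not part of the original post and not a reply from the list: it sketches a Samba 2.2 PDC that rewrites the Unix password whenever a Windows client changes its domain password. The domain name EXAMPLEDOM, the passwd path and the passwd chat strings are assumptions for a typical Linux host and must be matched to the local passwd program's prompts.

```ini
# Added example (not from the original post): Samba 2.2 PDC with
# Windows-to-Unix password synchronisation.
# EXAMPLEDOM, /usr/bin/passwd and the chat strings are assumptions.
[global]
   workgroup = EXAMPLEDOM
   security = user
   # NT 4.0 and 2000 clients require encrypted (smbpasswd) logons
   encrypt passwords = yes
   domain logons = yes
   domain master = yes
   local master = yes
   preferred master = yes
   os level = 65

   # When a client changes its domain password, Samba updates smbpasswd
   # and then runs the passwd program as root so the Unix password follows.
   # Keep the program an absolute path: it executes with root privilege.
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *New*password* %n\n *Retype*new*password* %n\n *updated*successfully*

   # Apply PAM account/session checks to the Unix user behind each session.
   # Has no effect on hosts without PAM (e.g. IRIX).
   obey pam restrictions = yes
```

Two caveats a practitioner would want: the sync is one-directional (a password changed with passwd on the Unix side is not pushed into smbpasswd by this setting), and because the passwd program runs as root, the chat must be tested against the real prompts so a mismatch fails closed rather than leaving the two stores out of step.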
