Using Samba as a proxy authentication service?

[Mike Brodbelt]

I'd like to able able to use Samba (or samba services, at any rate) to
allow me to authenticate users against NT Domain accounts from external
programs. I know that PAM modules and suchlike exist for general logon
authentication, but my situation is slightly different, and I'm not sure
of the best way to take advantage of the existing support.

Users here retrieve mail from a server running sendmail. I use vacation
to deal with "out of office" messages and similar things. Currently,
this has to be done for them by an admin, as the users have no direct
shell access, and wouldn't know what to do with a shell if it bit them.
What I'd like to be able to do is provide a GUI interface through which
they can handle this for themselves.

To achieve this securely, I need to be able to authenticate each user.
I'd like to be able to use the Samba mechanisms to do this - all the
users have accounts on an NT domain controller, and the server from
which they would retrieve their mail is running Samba. Is there an API,
accessible (preferably from perl), through which I can authenticate a
users against their NT domain account within my CGI script?

I have the idea that it may be possible to achieve this sort of thing
with winbindd, and that I should simply be able to call getpnam() from
perl, but my ideas become hazy here. I can't see how winbindd would
allow me to authenticate for just thes service. The users in question
will all have a Unix account (though some will be mapped via "username
map"), but I don't want to use NT auth in a global manner (they have no
need to able to log onto a shell account) - just for this particular
service. I really want to be able to pass a username/password to NT, and
have an OK/Not OK response come back.

Thanks,
 
Mike.