Feature Request: NIS support

Neil Hoggarth neil.hoggarth at physiol.ox.ac.uk
Fri Jul 14 08:47:51 GMT 2000


On Fri, 14 Jul 2000, Peter Samuelson wrote:

> Well, theoretically you could.  Just implement smbpasswd via a NIS map.

You could (technically) do that, but you shouldn't (administratively)!

If you serve up smbpasswd via a NIS map then anyone with access to your
NIS service can get at the NT/Lanman hashes for any account ("ypcat
smbpasswd"). Those hashes are password equivalents; once you know the
hash for any given account you can authenticate yourself as that user to
any service using the challenge/response protocol.

To answer the original question: the way I handled integration of SMB
encrypted auth into an existing Unix/NIS environment was:

1) Ran Samba on the NIS master, in addition to anywhere else that I
   actually needed it.

2) Disabled yppasswd/yppasswdd, etc. and implemented my own password changing
   program on the NIS master. When a password change is accepted this
   program updates both the source file for the passwd map and the smbpasswd
   file and a NIS make is then kicked off. All password changes on the
   network must be done by logging into the NIS master and using this
   program.

   (Rather than rolling your own it may be possible to do some or all of
   this using smb.conf parameter "unix password sync" and related
   parameters (these didn't exist when I started, which is how I ended up
   with a home grown solution)).

3) On any other machine that needs Samba, used "security = server" and
   "password server = name-of-nis-master".

   (If one were to make the NIS master a full blown Samba PDC, one could
   presumably use "security = domain" for this).

This isn't necessarily the only or best way. If you can live without
encrypted authentication the easiest thing to do is just to turn it
off (which, as Gerald has said, will result in the Samba machines
authenticating directly against the passwords in the NIS passwd map
just like you wanted). However, encrypted passwords are a big win
(from the client point of view) if you can put up with supporting them
server side. :-)

Regards,
-- 
Neil Hoggarth                                 Departmental Computer Officer
<neil.hoggarth at physiol.ox.ac.uk>                   Laboratory of Physiology
http://www.physiol.ox.ac.uk/~njh/                  University of Oxford, UK
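As an added example (not from Neil's post or from the Samba project), a small audit script for the exposure described at the top of the message: it flags any served NIS map named like smbpasswd and checks that the smbpasswd file itself is not group- or world-readable. It assumes GNU coreutils `stat`, `ypwhich -m` for the live map listing, and /etc/samba/smbpasswd as an assumed default path.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU coreutils stat(1).

# Print every served NIS map whose name looks like a Samba password map.
# Input: a file holding the output of `ypwhich -m` (lines: "mapname master").
# Returns 1 if any such map is served (hashes are exposed), 0 otherwise.
find_exposed_maps() {
    maplist="$1"
    found=0
    while read -r mapname master; do
        case "$mapname" in
            *smbpasswd*|*sambapass*)
                echo "EXPOSED: NIS map '$mapname' served by $master"
                found=1 ;;
        esac
    done < "$maplist"
    return $found
}

# Check that the smbpasswd file grants no group/other permission bits.
# Returns 0 when the file exists and is readable by its owner only.
check_smbpasswd_perms() {
    f="$1"
    [ -e "$f" ] || { echo "MISSING: $f"; return 1; }
    mode=$(stat -c '%a' "$f")       # e.g. 600 or 644
    owner=$(stat -c '%U' "$f")
    # Octal arithmetic: any bit in group/other (077) means it leaks.
    if [ $(( 0$mode & 077 )) -eq 0 ]; then
        echo "OK: $f is mode $mode, owned by $owner"
        return 0
    fi
    echo "WEAK: $f is mode $mode (group/other can read), owned by $owner"
    return 1
}

# Live run on the NIS master, if the NIS client tools are present.
if command -v ypwhich >/dev/null 2>&1; then
    tmp=$(mktemp)
    ypwhich -m > "$tmp" 2>/dev/null
    find_exposed_maps "$tmp" || echo "Remove the smbpasswd map from the NIS Makefile."
    rm -f "$tmp"
else
    echo "ypwhich not found; skipping live NIS map check" >&2
fi
# Assumed default location; adjust to your build's private dir.
check_smbpasswd_perms /etc/samba/smbpasswd || true
```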