Samba & Unix users sync

Steve Langasek vorlon at
Wed Jul 19 23:09:59 GMT 2000

On Wed, 19 Jul 2000, Christopher R. Hertel wrote:

> > nsswitch is never sufficient for this.  nsswitch allows you to specify the
> > source for various system config files, including your password file, but the
> > data returned by getpwnam() is still expected to be valid Unix data -- which
> > means that a password field retrieved from an NT server via winbind will still
> > be treated as a crypt()ed password.  For support of different *authentication*
> > methods (as opposed to crypt(passwd, salt)), you'll still need PAM.

> No, that's not what I saw.  Take a look at Winbind.  Again, I'm working in
> other areas so I'm only aware of these things.  I don't have my teeth in
> them.  What I saw leveraged nsswitch to allow a logon to a Linux box using
> only NTDomain credentials. least, that's how I understood it. 

I assure you, this is not the case. :)  winbind is an important component for
letting NT accounts log in to Unix systems, but it's not sufficient.  If the
system uses a non-pamified login binary, then password checking is still done
with crypt(), and crypt() will never understand NTLM hashes.  It's more likely
that the Linux box you saw was using winbind/nsswitch together with Luke's
pam_ntdom module.

Steve Langasek
postmodern programmer

More information about the samba-technical mailing list