Samba & Unix users sync
Steve Langasek
vorlon at netexpress.net
Wed Jul 19 23:09:59 GMT 2000
On Wed, 19 Jul 2000, Christopher R. Hertel wrote:
> > nsswitch is never sufficient for this. nsswitch allows you to specify the
> > source for various system config files, including your password file, but the
> > data returned by getpwnam() is still expected to be valid Unix data -- which
> > means that a password field retrieved from an NT server via winbind will still
> > be treated as a crypt()ed password. For support of different *authentication*
> > methods (as opposed to crypt(passwd, salt)), you'll still need PAM.
> No, that's not what I saw. Take a look at Winbind. Again, I'm working in
> other areas so I'm only aware of these things. I don't have my teeth in
> them. What I saw leveraged nsswitch to allow a logon to a Linux box using
> only NTDomain credentials. ...at least, that's how I understood it.
I assure you, this is not the case. :) winbind is an important component for
letting NT accounts log in to Unix systems, but it's not sufficient. If the
system uses a non-pamified login binary, then password checking is still done
with crypt(), and crypt() will never understand NTLM hashes. It's more likely
that the Linux box you saw was using winbind/nsswitch together with Luke's
pam_ntdom module.
Steve Langasek
postmodern programmer
More information about the samba-technical
mailing list