Samba & Unix users sync

Elrond elrond at samba.org
Thu Jul 20 18:12:22 GMT 2000


On Wed, Jul 19, 2000 at 06:09:59PM -0500, Steve Langasek wrote:
> On Wed, 19 Jul 2000, Christopher R. Hertel wrote:
> 
> > > nsswitch is never sufficient for this.  nsswitch allows you to specify the
> > > source for various system config files, including your password file, but the
> > > data returned by getpwnam() is still expected to be valid Unix data -- which
> > > means that a password field retrieved from an NT server via winbind will still
> > > be treated as a crypt()ed password.  For support of different *authentication*
> > > methods (as opposed to crypt(passwd, salt)), you'll still need PAM.
> 
> > No, that's not what I saw.  Take a look at Winbind.  Again, I'm working in
> > other areas so I'm only aware of these things.  I don't have my teeth in
> > them.  What I saw leveraged nsswitch to allow a logon to a Linux box using
> > only NTDomain credentials.  ...at least, that's how I understood it. 
> 
> I assure you, this is not the case. :)  winbind is an important component for
> letting NT accounts log in to Unix systems, but it's not sufficient.  If the
> system uses a non-pamified login binary, then password checking is still done
> with crypt(), and crypt() will never understand NTLM hashes.  It's more likely
> that the Linux box you saw was using winbind/nsswitch together with Luke's
> pam_ntdom module.

I'm also not involved in this stuff directly, but know a
little more:

winbindd is actually three parts:

- a daemon that caches stuff, does things that only root
  can/should do, and so on.
- an nsswitch module that allows the integration of the
  users/groups/aliases from an NT domain into the Unix world.
  It talks to the daemon.
- a PAM module that allows authentication against the
  NT domain.
  It also talks to the daemon.

I don't know how far along all this stuff is.

Tim Potter is the main developer of this stuff.


    Elrond
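
The split discussed in this thread (nsswitch supplies account data, PAM performs authentication) can be checked on a host's configuration. The script below is an added example, not part of the original post or of Samba's code. It assumes the NSS source is named `winbind` and the PAM module `pam_winbind.so`, as in current Samba; the function names and file arguments are hypothetical.

```shell
#!/bin/sh
# Added example: report whether winbind is wired into both NSS (identity)
# and PAM (authentication). File paths are arguments, so it can be run
# against copies of /etc/nsswitch.conf and a /etc/pam.d service file.

# nss_has_winbind FILE DB -> 0 if the DB line (passwd, group) lists winbind
nss_has_winbind() {
    awk -v db="$2" '
        { sub(/#.*/, "") }                        # drop comments
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# pam_has_winbind FILE -> 0 if an auth line loads pam_winbind.so
pam_has_winbind() {
    awk '
        { sub(/#.*/, "") }
        $1 == "auth" { for (i = 2; i <= NF; i++) if ($i ~ /(^|\/)pam_winbind\.so$/) found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# check_winbind NSSWITCH PAMFILE -> prints one verdict word
check_winbind() {
    if nss_has_winbind "$1" passwd; then nss=1; else nss=0; fi
    if pam_has_winbind "$2"; then pam=1; else pam=0; fi
    case "$nss$pam" in
        11) echo "ok" ;;             # names resolve and PAM can ask the domain
        10) echo "identity-only" ;;  # getpwnam() works, password check is still local
        01) echo "auth-only" ;;      # PAM can ask the domain, no Unix account data
        *)  echo "not-configured" ;;
    esac
}

# Constructed sample files (not from a real host): NSS is wired, PAM is not.
d=$(mktemp -d)
printf 'passwd: files winbind\ngroup: files winbind\n' > "$d/nsswitch.conf"
printf 'auth required pam_unix.so\n' > "$d/login"
check_winbind "$d/nsswitch.conf" "$d/login"    # prints identity-only
rm -rf "$d"
```

The `identity-only` verdict is the situation Steve Langasek describes: domain users are visible to the system, but nothing on the authentication path can verify their passwords.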



