Samba & Unix users sync
elrond at samba.org
Thu Jul 20 18:12:22 GMT 2000
On Wed, Jul 19, 2000 at 06:09:59PM -0500, Steve Langasek wrote:
> On Wed, 19 Jul 2000, Christopher R. Hertel wrote:
> > > nsswitch is never sufficient for this. nsswitch allows you to specify the
> > > source for various system config files, including your password file, but the
> > > data returned by getpwnam() is still expected to be valid Unix data -- which
> > > means that a password field retrieved from an NT server via winbind will still
> > > be treated as a crypt()ed password. For support of different *authentication*
> > > methods (as opposed to crypt(passwd, salt)), you'll still need PAM.
> > No, that's not what I saw. Take a look at Winbind. Again, I'm working in
> > other areas so I'm only aware of these things. I don't have my teeth in
> > them. What I saw leveraged nsswitch to allow a logon to a Linux box using
> > only NTDomain credentials. ...at least, that's how I understood it.
> I assure you, this is not the case. :) winbind is an important component for
> letting NT accounts log in to Unix systems, but it's not sufficient. If the
> system uses a non-pamified login binary, then password checking is still done
> with crypt(), and crypt() will never understand NTLM hashes. It's more likely
> that the Linux box you saw was using winbind/nsswitch together with Luke's
> pam_ntdom module.
I'm also not involved in this stuff directly, but know a
winbindd is actually three parts:
- a daemon that caches stuff, does things that only root
  can/should do, and so on.
- an nsswitch module that allows the integration of the
  users/groups/aliases from an NT domain in the Unix world.
  It talks to the daemon.
- a PAM module that allows authentication against the
  It also talks to the daemon.
I don't know how far all this stuff is.
Tim Potter is the main developer of this stuff.
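
The split discussed in this thread (nsswitch makes NT accounts resolvable, PAM is what actually checks their passwords) can be checked per service from configuration. The following is an added example, not part of the original message or of Samba; the sample file contents are constructed, and the module file names `pam_winbind.so` and `pam_ntdom.so` are assumptions about how the modules are installed.

```python
import re

# Constructed sample configuration, not taken from the thread.
NSSWITCH = "passwd: files winbind\ngroup:  files winbind\nshadow: files\n"
PAM_LOGIN = """\
# pam.d/login (constructed)
auth     sufficient  pam_winbind.so
auth     required    pam_unix.so
account  required    pam_unix.so
"""
PAM_FTP = "auth  required  pam_unix.so\n"   # crypt()-style checking only

# Assumed file names of PAM modules that can verify NT domain credentials.
NT_AUTH_MODULES = {"pam_winbind.so", "pam_ntdom.so"}

# type, then a simple or [bracketed] control field, then the module path
AUTH_RE = re.compile(r"^\s*-?auth\s+(?:\[[^\]]*\]|\S+)\s+(\S+)")

def nss_sources(nsswitch_text, database):
    """Ordered lookup sources for one database in nsswitch.conf text."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith(database + ":"):
            rest = line.split(":", 1)[1].split()
            return [t for t in rest if not t.startswith("[")]  # skip [NOTFOUND=...]
    return []

def pam_auth_modules(pam_text):
    """Module file names on the 'auth' lines (include lines are not followed)."""
    mods = []
    for line in pam_text.splitlines():
        m = AUTH_RE.match(line.split("#", 1)[0])
        if m:
            mods.append(m.group(1).rsplit("/", 1)[-1])
    return mods

def nt_login_status(nsswitch_text, pam_text):
    """Classify whether a PAM service can log in NT domain accounts."""
    resolves = "winbind" in nss_sources(nsswitch_text, "passwd")
    authenticates = bool(NT_AUTH_MODULES & set(pam_auth_modules(pam_text)))
    if resolves and authenticates:
        return "ok"
    if resolves:
        return "resolves-only"  # getpwnam() works, password check cannot succeed
    return "auth-only" if authenticates else "none"

if __name__ == "__main__":
    for name, pam in (("login", PAM_LOGIN), ("ftp", PAM_FTP)):
        print(name, nt_login_status(NSSWITCH, pam))
```

A `resolves-only` result is the situation described above: the account is visible through nsswitch, but the service still has no way to verify an NT password.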