PASSDB: local and domain accounts
Mayers, Philip J
p.mayers at ic.ac.uk
Wed Nov 15 10:55:17 GMT 2000
Why not:
ssh -l "DOMAIN\user"
ssh -l "localuser"
So, we have the following:
1) Samba/Unix machine as a standalone server
a) We can have the accounts in /etc/passwd, passwd.so for Samba's usage
This only works with plaintexts password. NOONE is going to use this, if
only because they have to apply a registry patch.
b) We can have local accounts in /etc/passwd, "NTLM" accounts
in TDB/LDAP/smbpasswd, using nss/pam_winbind to make them available
as system accounts WITHOUT a "DOMAIN\" prefix as well. So, this would
work:
/etc/passwd:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/var/ftp:
nobody:x:99:99:Nobody:/:
LDAP entries:
dn: uid=pjm3,ou=People,ou=Directory,dc=net,dc=ic,dc=ac,dc=uk
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
uid: pjm3
cn: pjm3
uidNumber: 26406
gidNumber: 6572
rid: 43562
homeDirectory: /home/cscmgb/cs/uss/pjm3
gecos: Mayers, Mr Philip
description: Mayers, Mr Philip
loginShell: /bin/bash
lmpassword: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
ntpassword: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And use pam/nss_winbind, giving:
getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/var/ftp:
nobody:x:99:99:Nobody:/:
pjm3:x:26406:6572:Mayers, Mr Philip:/home/cscmgb/cs/uss/pjm3:/bin/bash
So, it combines them. "NTLM" accounts can use encrypted passwords, local
/etc/passwd accounts can't, because there isn't a hash stored for them. This
would mean you couldn't access local accounts, pretty much.
2) Samba server as a domain member
Local accounts accesible without a prefix, domain accounts accessible with a
prefix, eg:
getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/var/ftp:
nobody:x:99:99:Nobody:/:
pjm3:x:26406:6572:Mayers, Mr Philip:/home/cscmgb/cs/uss/pjm3:/bin/bash
IC\user:x:543663:3263:User, Mr A:/home/cscmgs/cs/uss/user:/bin/bash
NOTE: You need to be flexible in how winbind reformats the user. It would be
nice if the above could come out as:
pjm3:x:26406:6572:Mayers, Mr Philip:/home/cscmgb/cs/uss/pjm3:/bin/bash
user at IC.AC.UK:x:543663:3263:User, Mr A:/home/cscmgs/cs/uss/user:/bin/bash
Then various things (like kerberos cross-realm logins, etc) would work.
3) Samba as a PDC is the easy one. Local /etc/passwd accounts don't show up
at all in SMB. Domains account show up with a prefix.
Regards,
Phil
+----------------------------------+
| Phil Mayers, Network Support |
| Centre for Computing Services |
| Imperial College |
+----------------------------------+
-----Original Message-----
From: Gerald Carter [mailto:gcarter at valinux.com]
Sent: 14 November 2000 18:07
To: samba-technical at samba.org
Subject: PASSDB: local and domain accounts
<snip
There is one minor problem. Really it has not so much
to with Samba as it does with winbindd and pam_winbind.
Consider the case where you would like to configure sshd
for authenticating against remote domain accounts.
This is only case when operating as a domain member
(not as a PDC).
In this case, winbindd will only check against domain
accounts. However, I can envision cases where you would
want to validate against local Samba accounts as well.
There is currently no way to access these.
No you may be thinking to yourself, "but local
Samba accounts already exist in /etc/passwd. You can
use those." However, consider the unification of
passwords. What if the Samba lanman/nt password is
different than /etc/passwd? Also consider the case
of uid allocation upon demand for creating new local
accounts in samba. These would never exist in
/etc/passwd. Only as a uid in a Samba TDB.
This problem can be solved in one of two ways:
1) make winbind check local accounts on the
samba server (via MS-RPC) as well as domain
accounts on the PDC
or,
2) develop as pam_passdb.so and nss_passdb.so
module.
I like #2 better as it maintains the distinction
of passdb handling local accounts and winnbindd
handling remote accounts.
What is required to make all this work is an account
management tool. The following functions implemented
by the passdb API are used to actually update persistent
storage
BOOL pdb_update_sam_account(SAM_ACCOUNT*);
BOOL pdb_add_sam_account (SAM_ACCOUNT*);
BOOL pdb_delete_sam_account (char* username);
If you want to add update capabilities to the passdb
(/etc/passwd for example), then you write these routines.
Currently the pdb_add_sam_account() call for smbpasswd
requires that the UNIX account already exist. The 'add
user script' is called before pdb_add_sam_account() is. This
should be moved below the API. smbd should not have to
worry about this. By moving the 'add user script' to
a lower layer, things like "smbpasswd -a <user>" will work
even if the UNIX account did not exist beforehand.
Make sense? We can support user manager as tool. If so,
the I really think that we should follow the rpcclient /
samedit path as well.
-- Cheers, jerry
----------------------------------------------------------------------
/\ Gerald (Jerry) Carter Professional Services
\/ http://www.valinux.com VA Linux Systems gcarter at valinux.com
http://www.samba.org SAMBA Team jerry at samba.org
http://www.eng.auburn.edu/~cartegw
"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )
More information about the samba-technical
mailing list