PASSDB: local and domain accounts
Gerald Carter
gcarter at valinux.com
Wed Nov 15 16:30:11 GMT 2000
Phil,
Kind of a long note. I think I responded to all your points.
If not, let me know.
Cheers, --jerry
"Mayers, Philip J" wrote:
>
> Why not:
>
> ssh -l "DOMAIN\user"
> ssh -l "localuser"
>
> So, we have the following:
>
> 1) Samba/Unix machine as a standalone server
>
> a) We can have the accounts in /etc/passwd, passwd.so
> for Samba's usage. This only works with
> plaintext passwords. NO ONE is going to use this, if
> only because they have to apply a registry patch.
I would disagree on this. I think people will continue
to use plain text authentication for a long time.
> b) We can have local accounts in /etc/passwd, "NTLM"
> accounts in TDB/LDAP/smbpasswd, using nss/pam_winbind
> to make them available as system accounts WITHOUT
> a "DOMAIN\" prefix as well. So, this would work:
I thought about this some more while I was out
for a run this morning (weather was really nice, 32 degrees
and clear :) )
I really feel that winbind should only be responsible
for remote accounts. A second pam and nss module should
be responsible for local SAM accounts.
Let me try to explain again.
o ssh -l 'DOMAIN\user1'
This works fine with winbind now. No biggie.
o ssh -l localuser
This assumes that the user exists as an entry in /etc/passwd.
All we need is a uid. winbind allocates these upon demand
for mapping to domain accounts.
For example, configure winbindd and then change the
ownership of a file to a domain account. Then stop winbindd
and do an 'ls -l' on that file. You will only see a uid.
(see my other post to Simo about this).
Now how can you execute 'ssh -l localuser' if there is
no username in /etc/passwd associated with that uid?
You would have to execute 'ssh -l 'SAMBAHOST\localuser''.
Why would this work and the former would not? Because
there is a mapping in the local SAM between the username
and a RID and thus a uid as well.
Follow me on this? We are working towards a Samba
appliance for all possibilities.
> /etc/passwd:
>
....
>
> LDAP entries:
>
> dn: uid=pjm3,ou=People,ou=Directory,dc=net,dc=ic,dc=ac,dc=uk
...
>
> And use pam/nss_winbind, giving:
>
> getent passwd
>
> root:x:0:0:root:/root:/bin/bash
...
> nobody:x:99:99:Nobody:/:
> pjm3:x:26406:6572:Mayers, Mr Philip:/home/pjm3:/bin/bash
>
> So, it combines them. "NTLM" accounts can use
> encrypted passwords, local /etc/passwd accounts
> can't, because there isn't a hash stored for them.
> This would mean you couldn't access local
> accounts, pretty much.
I think my above comments address this. If not let
me know. You are working on the assumption that
there is a username entry that will be returned
by getpwnam(). I'm talking about samba maintaining the
mapping of uids to usernames internally in the same
fashion as winbind does now.
> 2) Samba server as a domain member
>
> Local accounts accessible without a prefix, domain
> accounts accessible with a prefix, eg:
Again, I think I have addressed this.
> NOTE: You need to be flexible in how winbind reformats
> the user. It would be nice if the above could come out
> as:
>
> pjm3:x:26406:6572:Mayers, Mr Philip:/home/pjm3:/bin/bash
> user at IC.AC.UK:x:543663:3263:User, Mr A:/home/user:/bin/bash
>
> Then various things (like kerberos cross-realm logins,
> etc) would work.
Ummm...I'll have to think a little on this one....
Are the remote domain accounts coming from a Windows NT4
DC or a Win2k DC? If the former, I don't get it.
If we are talking about getting domain accounts from
a Win2k DC, then I do get it. And yes, that would be good.
I think the best thing in this case would be to configure
winbindd to format the return entries based upon what mode
it is running in (e.g. Kerb5, NTLM)
> 3) Samba as a PDC is the easy one. Local /etc/passwd
> accounts don't show up at all in SMB. Domain accounts show
> up with a prefix.
Wait a minute Phil. This seems to be backpedaling a little.
Think about it. If Samba is the PDC, then each domain
account will also have a uid on the local samba server.
I know you are saying, "Just point winbindd to the Samba server
as the remote PDC." That's fine, but it does not address
the problem when a domain SAM and local SAM are present as is
the case with a domain member.
Does that make sense?
----------------------------------------------------------------------
/\ Gerald (Jerry) Carter Professional Services
\/ http://www.valinux.com/ VA Linux Systems gcarter at valinux.com
http://www.samba.org/ SAMBA Team jerry at samba.org
http://www.plainjoe.org/ jerry at plainjoe.org
"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )
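The lookup split Jerry argues for above (winbind owning DOMAIN\user and allocating uids on demand, a separate local SAM owning SAMBAHOST\user and deriving the uid from a RID, bare names consulting /etc/passwd only), as an added Python model that is not Samba code and not part of the original message. The RID formula rid = 2 * uid + 1000 and the uid range are assumptions made for the illustration; the names, hosts and accounts are constructed.

```python
from typing import Dict, Optional

RID_BASE = 1000  # assumed algorithmic RID base: user RID = 2 * uid + RID_BASE

class Winbind:
    """Remote-account resolver: maps DOMAIN\\user to a uid allocated on demand."""
    def __init__(self, domain: str, first_uid: int = 10000):
        self.domain, self.next_uid, self.running = domain, first_uid, True
        self.idmap: Dict[str, int] = {}  # qualified name -> allocated uid

    def name_to_uid(self, qualified: str) -> Optional[int]:
        dom, sep, _user = qualified.partition("\\")
        if not self.running or not sep or dom.upper() != self.domain:
            return None
        if qualified not in self.idmap:  # first sight of this account: allocate a uid
            self.idmap[qualified] = self.next_uid
            self.next_uid += 1
        return self.idmap[qualified]

    def uid_to_name(self, uid: int) -> Optional[str]:
        if not self.running:  # daemon stopped: 'ls -l' can only show the number
            return None
        return next((n for n, u in self.idmap.items() if u == uid), None)

class LocalSam:
    """Local-account resolver: username -> RID, with the uid derived from the RID."""
    def __init__(self, host: str, rids: Dict[str, int]):
        self.host, self.rids = host, rids

    def name_to_uid(self, qualified: str) -> Optional[int]:
        dom, sep, user = qualified.partition("\\")
        if not sep or dom.upper() != self.host or user not in self.rids:
            return None
        return (self.rids[user] - RID_BASE) // 2

    def uid_to_name(self, uid: int) -> Optional[str]:
        rid = 2 * uid + RID_BASE
        return next((f"{self.host}\\{n}" for n, r in self.rids.items() if r == rid), None)

def getpwnam(name: str, passwd: Dict[str, int], wb: Winbind, sam: LocalSam) -> Optional[int]:
    """What 'ssh -l <name>' needs: a bare name consults /etc/passwd only."""
    if "\\" not in name:
        return passwd.get(name)
    uid = sam.name_to_uid(name)
    return uid if uid is not None else wb.name_to_uid(name)

def getpwuid(uid: int, passwd: Dict[str, int], wb: Winbind, sam: LocalSam) -> Optional[str]:
    """What 'ls -l' needs; None means only the numeric uid can be displayed."""
    owner = next((n for n, u in passwd.items() if u == uid), None)
    return owner or wb.uid_to_name(uid) or sam.uid_to_name(uid)
```

With winbindd stopped, getpwuid() returns None for a domain-owned file (the bare-uid case in the message), while a local SAM account is still reachable only through its SAMBAHOST\ prefix unless /etc/passwd also carries it.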