PASSDB: local and domain accounts

Gerald Carter gcarter at valinux.com
Wed Nov 15 16:30:11 GMT 2000 

Phil,

Kind of a long note.  I think I responded to all your points.
If not, let me know.



Cheers, --jerry



"Mayers, Philip J" wrote:
> 
> Why not:
> 
> ssh -l "DOMAIN\user"
> ssh -l "localuser"
> 
> So, we have the following:
> 
> 1) Samba/Unix machine as a standalone server
> 
> a) We can have the accounts in /etc/passwd, passwd.so 
> for Samba's usage    This only works with 
> plaintexts password. NOONE is going to use this, if
> only because they have to apply a registry patch.

I would disagree on this.  I think people will continue
to use plain text authentication for a long time.

> b) We can have local accounts in /etc/passwd, "NTLM" 
> accounts in TDB/LDAP/smbpasswd, using nss/pam_winbind 
> to make them available as system accounts WITHOUT 
> a "DOMAIN\" prefix as well. So, this would work:

I thought about this some more while I was out 
for a run this morning (weather was really nice, 32 degrees
and clear :) )

I really feel that winbind should only be responsible
remote accounts.  A second pam and nss module should 
be responsible for a local SAM account.

Let me try to explain again.

  o ssh -l 'DOMAIN\user1'

This works fine with winbind now.  No biggie.

  o ssh -l localuser

This assumes that the user exists as an entry in /etc/passwd.
All we need is a uid.  winbind allocates these upon demand
for mapping to domain accounts.  

FOr example, configure winbindd and then change the 
ownership of a file to a domain account.  Then stop winbindd
and do a 'ls -l ' on that file.  You will only see a uid.
(see my other post to Simo about this).  

Now how can you execute 'ssh -l localuser' is there is 
no username in /etc/passwd asssociated with that uid?
You would have to execute 'ss -l 'SAMBAHOST\localuser'.
Why would this work and the former would not?  Because
there is a mapping in the local SAM between the username 
and a RID and thus a uid as well.

Follow me on this?  We are working towards a Samba 
appliance for all possibilities.

> /etc/passwd:
> 
....
> 
> LDAP entries:
> 
> dn: uid=pjm3,ou=People,ou=Directory,dc=net,dc=ic,dc=ac,dc=uk
...
> 
> And use pam/nss_winbind, giving:
> 
> getent passwd
> 
> root:x:0:0:root:/root:/bin/bash
...
> nobody:x:99:99:Nobody:/:
> pjm3:x:26406:6572:Mayers, Mr Philip:/home/pjm3:/bin/bash
> 
> So, it combines them. "NTLM" accounts can use 
> encrypted passwords, local /etc/passwd accounts 
> can't, because there isn't a hash stored for them. 
> This would mean you couldn't access local 
> accounts, pretty much.

I think my above comments address this. If not let 
me know.  You are working on the assumption that 
there is a username entry that will be returned 
by getpwnam().  I'm talking about samba maintaining the
mapping of uid's to username internally in the same 
fashion as winbind does now.

> 2) Samba server as a domain member
> 
> Local accounts accesible without a prefix, domain 
> accounts accessible with a prefix, eg:

Again, I think I have addressed this.

> NOTE: You need to be flexible in how winbind reformats 
> the user. It would be nice if the above could come out 
> as:
> 
> pjm3:x:26406:6572:Mayers, Mr Philip:/home/pjm3:/bin/bash
> user at IC.AC.UK:x:543663:3263:User, Mr A:/home/user:/bin/bash
> 
> Then various things (like kerberos cross-realm logins, 
> etc) would work.

Ummm...I'll have to think a little on this one....

Are the remote domain accounts coming from a Windows NT4
DC or a Win2k DC?  If the former, I don't get it.

If we are talking about getting domain accounts from 
a Win2k DC, then I do get it.  And yes, that would be good.
I think the best thing in this case would be to configure
winbindd to format the return entries based upon what mode
it is running in (e.g. Kerb5, NTLM)

> 3) Samba as a PDC is the easy one. Local /etc/passwd 
> accounts don't show up at all in SMB. Domains account show 
> up with a prefix.

Wait a minute Phil.  This seems to be back peddling a little.
Think about.  If Samba is the PDC, then each domain account
account will also have a uid on the local samba server.
I know you are saying, "Just point winbindd to the Samba server
as the remote PDC"  That's fine, but it does not address
the problem when a domain SAM and local SAM are present as is
the case with a domain member.

Does that make sense?






----------------------------------------------------------------------
   /\  Gerald (Jerry) Carter                     Professional Services
 \/    http://www.valinux.com/  VA Linux Systems   gcarter at valinux.com
       http://www.samba.org/       SAMBA Team          jerry at samba.org
       http://www.plainjoe.org/                     jerry at plainjoe.org

       "...a hundred billion castaways looking for a home."
                                - Sting "Message in a Bottle" ( 1979 )

More information about the samba-technical mailing list