PASSDB: local and domain accounts

Mayers, Philip J p.mayers at ic.ac.uk
Thu Nov 16 10:48:51 GMT 2000


Yes, you've addressed the majority of my points (long thread... :o)

To be honest, your suggestion sounds perfectly sensible. Winbind should
indeed be responsible for remote accounts.

Let me check I know where we're at:

o) Winbind, pam_winbind and nss_winbind are *ALWAYS* responsible for
non-local NT domain accounts, and they will always appear with the names
DOMAIN\username (or whatever, depending on the formatting mode you specify).

o) So, domain members run winbind for remote accounts. Winbind provides a
uid/gid<->rid mapping function as well as name<->uid/gid/rid mappings for
the remote accounts.

For *local* accounts of domain members, domain accounts on PDCs and BDCs,
and all accounts on a non-domain member, you're advocating a second pam/nss
module that hooks into samba's pdb (as you call it). The nss module would
have to avoid UID number clashes with winbind (trivial). Samba itself
(internally) would provide the same things that Winbind provides for remote
accounts, namely uid/gid<->rid and name<->uid/gid/rid mappings, which the
nss module would call. Additionally, the pam module would authenticate those
users against the *local* PDB.

So you'd have this:

/etc/pam.d/login:

auth sufficient /lib/security/pam_local_smb_pdb.so
auth sufficient /lib/security/pam_winbind.so use_first_pass
auth sufficient /lib/security/pam_unix.so use_first_pass

/etc/nsswitch.conf:

passwd: local_smb_pdb winbind files 
group: local_smb_pdb winbind files 


Am I understanding you correctly? So, the only things that appear in
/etc/passwd on such a machine would be root,bin,mail and so on. "User"
accounts would be stored in Samba's pdb, and exposed to the rest of the
system using the nss and pam modules?

Sounds good.

Regards,
Phil

+----------------------------------+
| Phil Mayers, Network Support     |
| Centre for Computing Services    |
| Imperial College                 |
+----------------------------------+  
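A small model of the login stack sketched above, added here as an illustration (not Samba code, and not something from this thread): it evaluates the three `sufficient` lines with Linux-PAM control-flag semantics and resolves names across the `nsswitch.conf` sources in order, with a check for the uid clashes between the local pdb and winbind that the message says the nss module must avoid. Module names, uid ranges and account entries are constructed assumptions.

```python
"""Model of a PAM auth stack and nsswitch passwd ordering (added example, not Samba code)."""
from typing import Dict, List, Optional, Tuple

# Constructed auth stack mirroring the /etc/pam.d/login sketch: all three lines are 'sufficient'.
PAM_AUTH_STACK: List[Tuple[str, str]] = [
    ("sufficient", "pam_local_smb_pdb"),   # assumed name of the local-SAM pam module
    ("sufficient", "pam_winbind"),
    ("sufficient", "pam_unix"),
]

def pam_auth(stack: List[Tuple[str, str]], results: Dict[str, bool]) -> Tuple[bool, Optional[str]]:
    """Evaluate a PAM stack using the simple control flags.

    `results` maps module name -> True (PAM_SUCCESS) / False; a missing module counts as failure.
    Returns (authenticated, module that decided the outcome or None).
      sufficient: success ends the stack with success unless a 'required' module already failed;
                  failure is ignored and the stack continues.
      required:   failure is remembered, later modules still run (no leak of which one failed).
      requisite:  failure ends the stack immediately.
      optional:   only decides when it is the sole module in the stack.
    With only 'sufficient' lines, as in the sketch, every module failing yields a failed login.
    """
    saw_required = False
    first_required_failure: Optional[str] = None
    for flag, module in stack:
        ok = results.get(module, False)
        if flag == "sufficient":
            if ok and first_required_failure is None:
                return True, module
        elif flag == "required":
            saw_required = True
            if not ok and first_required_failure is None:
                first_required_failure = module
        elif flag == "requisite":
            saw_required = True
            if not ok:
                return False, module
        elif flag == "optional":
            if len(stack) == 1:
                return ok, module
        else:
            raise ValueError(f"unknown control flag {flag!r}")
    if first_required_failure is not None:
        return False, first_required_failure
    return saw_required, None          # required modules all passed -> success; nothing decided -> failure

# Constructed per-source account databases (name -> uid). Each source allocates from its own range,
# which is how the local-pdb nss module avoids clashing with winbind's allocated uids.
SOURCES: Dict[str, Dict[str, int]] = {
    "local_smb_pdb": {"pjm3": 26406, "appuser": 26500},    # assumed local-SAM range
    "winbind":       {"DOMAIN\\user": 543663},             # assumed winbind range
    "files":         {"root": 0, "bin": 1, "mail": 8},     # what is left in /etc/passwd
}
NSSWITCH_PASSWD: List[str] = ["local_smb_pdb", "winbind", "files"]

def getpwnam(name: str, order: List[str] = NSSWITCH_PASSWD,
             sources: Dict[str, Dict[str, int]] = SOURCES) -> Optional[Tuple[int, str]]:
    """First source in nsswitch order that knows the name wins (default [notfound=continue])."""
    for src in order:
        if name in sources[src]:
            return sources[src][name], src
    return None

def uid_clashes(sources: Dict[str, Dict[str, int]]) -> Dict[int, List[Tuple[str, str]]]:
    """Return uids owned by more than one (source, name) pair; empty means the ranges are disjoint."""
    owners: Dict[int, List[Tuple[str, str]]] = {}
    for src, db in sources.items():
        for name, uid in db.items():
            owners.setdefault(uid, []).append((src, name))
    return {uid: who for uid, who in owners.items() if len(who) > 1}

if __name__ == "__main__":
    print(pam_auth(PAM_AUTH_STACK, {"pam_local_smb_pdb": False, "pam_winbind": True}))
    print(getpwnam("pjm3"), getpwnam("DOMAIN\\user"), getpwnam("root"))
    print("uid clashes:", uid_clashes(SOURCES))
```

The `uid_clashes` check is the property to keep an eye on when two nss modules both allocate ids: if the ranges overlap, `ls -l` and file ownership silently attribute a file to whichever source answers first.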

-----Original Message-----
From: Gerald Carter [mailto:gcarter at valinux.com]
Sent: 15 November 2000 16:30
To: Mayers, Philip J
Cc: 'samba-technical at samba.org'
Subject: Re: PASSDB: local and domain accounts


Phil,

Kind of a long note.  I think I responded to all your points.
If not, let me know.
Cheers, --jerry



"Mayers, Philip J" wrote:
> 
> Why not:
> 
> ssh -l "DOMAIN\user"
> ssh -l "localuser"
> 
> So, we have the following:
> 
> 1) Samba/Unix machine as a standalone server
> 
> a) We can have the accounts in /etc/passwd, passwd.so
> for Samba's usage. This only works with
> plaintext passwords. NOONE is going to use this, if
> only because they have to apply a registry patch.

I would disagree on this.  I think people will continue
to use plain text authentication for a long time.

> b) We can have local accounts in /etc/passwd, "NTLM" 
> accounts in TDB/LDAP/smbpasswd, using nss/pam_winbind 
> to make them available as system accounts WITHOUT 
> a "DOMAIN\" prefix as well. So, this would work:

I thought about this some more while I was out 
for a run this morning (weather was really nice, 32 degrees
and clear :) )

I really feel that winbind should only be responsible
for remote accounts.  A second pam and nss module should
be responsible for a local SAM account.

Let me try to explain again.

  o ssh -l 'DOMAIN\user1'

This works fine with winbind now.  No biggie.

  o ssh -l localuser

This assumes that the user exists as an entry in /etc/passwd.
All we need is a uid.  winbind allocates these upon demand
for mapping to domain accounts.  

For example, configure winbindd and then change the
ownership of a file to a domain account.  Then stop winbindd
and do a 'ls -l' on that file.  You will only see a uid.
(see my other post to Simo about this).

Now how can you execute 'ssh -l localuser' if there is
no username in /etc/passwd associated with that uid?
You would have to execute ssh -l 'SAMBAHOST\localuser'.
Why would this work and the former would not?  Because
there is a mapping in the local SAM between the username 
and a RID and thus a uid as well.

Follow me on this?  We are working towards a Samba 
appliance for all possibilities.

> /etc/passwd:
> 
....
> 
> LDAP entries:
> 
> dn: uid=pjm3,ou=People,ou=Directory,dc=net,dc=ic,dc=ac,dc=uk
...
> 
> And use pam/nss_winbind, giving:
> 
> getent passwd
> 
> root:x:0:0:root:/root:/bin/bash
...
> nobody:x:99:99:Nobody:/:
> pjm3:x:26406:6572:Mayers, Mr Philip:/home/pjm3:/bin/bash
> 
> So, it combines them. "NTLM" accounts can use 
> encrypted passwords, local /etc/passwd accounts 
> can't, because there isn't a hash stored for them. 
> This would mean you couldn't access local 
> accounts, pretty much.

I think my above comments address this. If not let 
me know.  You are working on the assumption that 
there is a username entry that will be returned 
by getpwnam().  I'm talking about samba maintaining the
mapping of uid's to username internally in the same 
fashion as winbind does now.

> 2) Samba server as a domain member
> 
> Local accounts accessible without a prefix, domain
> accounts accessible with a prefix, eg:

Again, I think I have addressed this.

> NOTE: You need to be flexible in how winbind reformats 
> the user. It would be nice if the above could come out 
> as:
> 
> pjm3:x:26406:6572:Mayers, Mr Philip:/home/pjm3:/bin/bash
> user at IC.AC.UK:x:543663:3263:User, Mr A:/home/user:/bin/bash
> 
> Then various things (like kerberos cross-realm logins, 
> etc) would work.

Ummm...I'll have to think a little on this one....

Are the remote domain accounts coming from a Windows NT4
DC or a Win2k DC?  If the former, I don't get it.

If we are talking about getting domain accounts from 
a Win2k DC, then I do get it.  And yes, that would be good.
I think the best thing in this case would be to configure
winbindd to format the return entries based upon what mode
it is running in (e.g. Kerb5, NTLM).

> 3) Samba as a PDC is the easy one. Local /etc/passwd
> accounts don't show up at all in SMB. Domain accounts show
> up with a prefix.

Wait a minute Phil.  This seems to be back-pedalling a little.
Think about it.  If Samba is the PDC, then each domain account
will also have a uid on the local samba server.
I know you are saying, "Just point winbindd to the Samba server
as the remote PDC"  That's fine, but it does not address
the problem when a domain SAM and local SAM are present as is
the case with a domain member.

Does that make sense?
----------------------------------------------------------------------
   /\  Gerald (Jerry) Carter                     Professional Services
 \/    http://www.valinux.com/  VA Linux Systems   gcarter at valinux.com
       http://www.samba.org/       SAMBA Team          jerry at samba.org
       http://www.plainjoe.org/                     jerry at plainjoe.org

       "...a hundred billion castaways looking for a home."
                                - Sting "Message in a Bottle" ( 1979 )