PASSDB: local and domain accounts
Gerald Carter
gcarter at valinux.com
Thu Nov 16 14:42:35 GMT 2000
"Mayers, Philip J" wrote:
>
> Let me check I know where we're at:
>
> o) Winbind, pam_winbind and nss_winbind are *ALWAYS*
> responsible for non-local NT domain accounts, and they
> will always appear with the names DOMAIN\username (or
> whatever, depending on the formatting mode you specify).
Yup.
> o) So, domain members run winbind for remote
> accounts. Winbind provides a uid/gid<->rid mapping function
> as well as name<->uid/gid/rid mappings for the remote
> accounts.
Yup.
> For *local* accounts of domain members, domain accounts
> on PDCs and BDCs, and all accounts on a non-domain
> member, you're advocating a second pam/nss module that
> hooks into samba's pdb (as you call it). The nss module
> would have to avoid UID number clashes with winbind
> (trivial). Samba itself (internally) would provide the
> same things that Winbind provides for remote accounts,
> namely uid/gid<->rid and name<->uid/gid/rid mappings,
> which the nss module would call. Additionally, the
> pam module would authenticate those users against the
> *local* PDB.
Basically yes.
> So you'd have this:
>
> /etc/pam.d/login:
>
> auth sufficient /lib/security/pam_local_smb_pdb.so
> auth sufficient /lib/security/pam_winbind.so use_first_pass
> auth sufficient /lib/security/pam_unix.so use_first_pass
>
> /etc/nsswitch.conf:
>
> passwd: local_smb_pdb winbind files
> group: local_smb_pdb winbind files
>
> Am I understanding you correctly? So, the only things
> that appear in /etc/passwd on such a machine would
> be root,bin,mail and so on. "User" accounts would be
> stored in Samba's pdb, and exposed to the rest of the
> system using the nss and pam modules?
Uh-huh. This is all pretty flexible. The sysadmin has
basic control over how things work. This solution
does not preclude accounts existing in /etc/passwd.
I think I covered all the possibilities in the first
message of this thread.
Cheers, jerry
----------------------------------------------------------------------
/\ Gerald (Jerry) Carter Professional Services
\/ http://www.valinux.com/ VA Linux Systems gcarter at valinux.com
http://www.samba.org/ SAMBA Team jerry at samba.org
http://www.plainjoe.org/ jerry at plainjoe.org
"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )
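As an added illustration of the lookup order sketched above (not Samba's own code, and not from either poster), here is a hypothetical `local_smb_pdb_lookup` that answers only for names held in a constructed local passdb table, declines DOMAIN\user names so nss_winbind gets them, and refuses any uid that would land in an assumed winbind-reserved range:

```c
/* Added example, not Samba code: models the local_smb_pdb -> winbind -> files
 * ordering from the thread. The uid ranges and the passdb table are assumed. */
#include <stdio.h>
#include <string.h>

#define LOCAL_UID_BASE   1000   /* assumed: local passdb accounts map from here */
#define WINBIND_UID_BASE 10000  /* assumed: range reserved for winbind's idmap */

enum lookup_status { LOOKUP_SUCCESS, LOOKUP_NOTFOUND, LOOKUP_UNAVAIL };

/* Constructed stand-in for entries in Samba's local passdb. */
struct local_pdb_entry { const char *name; unsigned int rid; };
static const struct local_pdb_entry local_pdb[] = {
    { "alice", 1000 }, { "bob", 1001 }, { "backupsvc", 1503 },
    { "badmap", 9500 },  /* constructed: its uid would fall into winbind's range */
};

/* Hypothetical rid -> uid mapping for local accounts; refuses uids that
 * would clash with the range winbind hands out for remote accounts. */
static enum lookup_status local_rid_to_uid(unsigned int rid, unsigned int *uid)
{
    unsigned int candidate = LOCAL_UID_BASE + rid;
    if (candidate >= WINBIND_UID_BASE)
        return LOOKUP_UNAVAIL;      /* collision with winbind's range: refuse */
    *uid = candidate;
    return LOOKUP_SUCCESS;
}

/* Hypothetical getpwnam-style lookup for the local_smb_pdb NSS source. */
enum lookup_status local_smb_pdb_lookup(const char *name, unsigned int *uid)
{
    /* DOMAIN\user is a remote account: not ours, leave it to nss_winbind. */
    if (strchr(name, '\\') != NULL)
        return LOOKUP_NOTFOUND;
    for (size_t i = 0; i < sizeof local_pdb / sizeof local_pdb[0]; i++)
        if (strcmp(local_pdb[i].name, name) == 0)
            return local_rid_to_uid(local_pdb[i].rid, uid);
    return LOOKUP_NOTFOUND;         /* fall through to winbind, then files */
}

int main(void)
{
    const char *names[] = { "alice", "DOMAIN\\alice", "badmap", "nobody" };
    for (size_t i = 0; i < 4; i++) {
        unsigned int uid = 0;
        int st = local_smb_pdb_lookup(names[i], &uid);
        printf("%-14s status=%d uid=%u\n", names[i], st, uid);
    }
    return 0;
}
```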