PASSDB: local and domain accounts

Gerald Carter gcarter at valinux.com
Thu Nov 16 14:42:35 GMT 2000


"Mayers, Philip J" wrote:
> 
> Let me check I know where we're at:
> 
> o) Winbind, pam_winbind and nss_winbind are *ALWAYS* 
> responsible for non-local NT domain accounts, and they 
> will always appear with the names DOMAIN\username (or 
> whatever, depending on the formatting mode you specify).

Yup.

> o) So, domain members run winbind for remote 
> accounts. Winbind provides a uid/gid<->rid mapping function 
> as well as name<->uid/gid/rid mappings for the remote 
> accounts.

Yup.

> For *local* accounts of domain members, domain accounts 
> on PDCs and BDCs, and all accounts on a non-domain 
> member, you're advocating a second pam/nss module that 
> hooks into samba's pdb (as you call it). The nss module 
> would have to avoid UID number clashes with winbind 
> (trivial). Samba itself (internally) would provide the 
> same things that Winbind provides for remote accounts, 
> namely uid/gid<->rid and name<->uid/gid/rid mappings, 
> which the nss module would call. Additionally, the 
> pam module would authenticate those users against the 
> *local* PDB.

Basically yes.

> So you'd have this:
> 
> /etc/pam.d/login:
> 
> auth sufficient /lib/security/pam_local_smb_pdb.so
> auth sufficient /lib/security/pam_winbind.so use_first_pass
> auth sufficient /lib/security/pam_unix.so use_first_pass
> 
> /etc/nsswitch.conf:
> 
> passwd: local_smb_pdb winbind files
> group: local_smb_pdb winbind files
> 
> Am I understanding you correctly? So, the only things 
> that appear in /etc/passwd on such a machine would 
> be root,bin,mail and so on. "User" accounts would be 
> stored in Samba's pdb, and exposed to the rest of the
> system using the nss and pam modules?

Uh-huh.  This is all pretty flexible.  The sysadmin has 
basic control over how things work.  This solution
does not preclude accounts existing in /etc/passwd.
I think I covered all the possibilities in the first
message of this thread.

Cheers, jerry
----------------------------------------------------------------------
   /\  Gerald (Jerry) Carter                     Professional Services
 \/    http://www.valinux.com/  VA Linux Systems   gcarter at valinux.com
       http://www.samba.org/       SAMBA Team          jerry at samba.org
       http://www.plainjoe.org/                     jerry at plainjoe.org

       "...a hundred billion castaways looking for a home."
                                - Sting "Message in a Bottle" ( 1979 )
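The layering the two of them agree on above (a local Samba passdb module first, winbind second for DOMAIN\user accounts, /etc/passwd last, with the NSS sources handing out non-overlapping UID ranges) can be modelled in a few dozen lines. The script below is an added illustration, not code from the thread or from Samba; every account, UID, RID, password and the module/store names are constructed, and the PAM semantics are simplified to the three `auth sufficient` lines Philip quoted (a successful `sufficient` module ends the stack, a failing one is skipped, `use_first_pass` reuses the password the first module prompted for, and the login fails if nothing succeeds).

```python
"""Toy model of the PAM/NSS layering discussed in the thread: a local Samba
passdb module, winbind for domain accounts, and /etc/passwd for system
accounts.  All names, UIDs, RIDs and passwords below are constructed."""

# --- account stores (constructed sample data) -------------------------------
LOCAL_SMB_PDB = {  # accounts held in Samba's local passdb
    "alice": {"uid": 1001, "gid": 100, "rid": 3002, "password": "alice-pw"},
}
WINBIND = {  # domain accounts as winbind exposes them (DOMAIN\user)
    "EXAMPLE\\bob": {"uid": 10001, "gid": 10000, "rid": 1105, "password": "bob-pw"},
}
UNIX_FILES = {  # system accounts that stay in /etc/passwd
    "root": {"uid": 0, "gid": 0, "password": "root-pw"},
}

# UID ranges each NSS source is allowed to hand out.  The winbind idmap range
# must not overlap the local pdb's range, which is the clash the thread mentions.
LOCAL_PDB_UID_RANGE = (1000, 9999)
WINBIND_UID_RANGE = (10000, 19999)


def ranges_overlap(a, b):
    """True if two inclusive (low, high) UID ranges share at least one UID."""
    return a[0] <= b[1] and b[0] <= a[1]


# --- NSS side: 'passwd: local_smb_pdb winbind files' ------------------------
NSS_SOURCES = [("local_smb_pdb", LOCAL_SMB_PDB), ("winbind", WINBIND), ("files", UNIX_FILES)]


def nss_getpwnam(name, sources=NSS_SOURCES):
    """Walk the sources in nsswitch order; the first source that knows the name wins."""
    for source_name, store in sources:
        if name in store:
            entry = store[name]
            return {"name": name, "uid": entry["uid"], "gid": entry["gid"], "source": source_name}
    return None


def nss_getpwuid(uid, sources=NSS_SOURCES):
    """Reverse lookup; unambiguous only because the UID ranges do not overlap."""
    for source_name, store in sources:
        for name, entry in store.items():
            if entry["uid"] == uid:
                return {"name": name, "uid": uid, "gid": entry["gid"], "source": source_name}
    return None


# --- PAM side: the three 'auth sufficient' lines ----------------------------
def _make_auth_module(store):
    """Build a module that checks a user/password pair against one store."""
    def module(user, authtok):
        entry = store.get(user)
        return entry is not None and entry["password"] == authtok
    return module


PAM_LOGIN_STACK = [
    # (control, module, options) in the order of the quoted /etc/pam.d/login
    ("sufficient", _make_auth_module(LOCAL_SMB_PDB), set()),
    ("sufficient", _make_auth_module(WINBIND), {"use_first_pass"}),
    ("sufficient", _make_auth_module(UNIX_FILES), {"use_first_pass"}),
]


def pam_authenticate(user, prompt, stack=PAM_LOGIN_STACK):
    """Run the stack with simplified PAM semantics (only 'sufficient' is modelled).
    Returns (success, index_of_module_that_succeeded_or_None, prompts_made)."""
    authtok = None
    prompts = 0
    for index, (control, module, options) in enumerate(stack):
        if control != "sufficient":
            raise ValueError("only 'sufficient' is modelled here")
        if "use_first_pass" in options:
            if authtok is None:  # nothing to reuse: use_first_pass fails outright
                continue
        else:
            authtok = prompt()  # this module asks for the password itself
            prompts += 1
        if module(user, authtok):
            return True, index, prompts  # sufficient + success ends the stack
    return False, None, prompts  # no module succeeded: login denied


if __name__ == "__main__":
    print(nss_getpwnam("EXAMPLE\\bob"))
    print(pam_authenticate("EXAMPLE\\bob", lambda: "bob-pw"))
    print("ranges clash:", ranges_overlap(LOCAL_PDB_UID_RANGE, WINBIND_UID_RANGE))
```

Two things the model makes visible that the config alone does not: the first module is the only one that ever prompts, so a domain user still types the password once even though the local pdb module runs first; and `nss_getpwuid` is only well-defined because `ranges_overlap` is false for the two ranges, which is exactly the clash the local NSS module has to avoid.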