PASSDB: local and domain accounts
David Lee
T.D.Lee at durham.ac.uk
Thu Nov 16 16:20:34 GMT 2000
On Thu, 16 Nov 2000, Gerald Carter wrote:
> "Mayers, Philip J" wrote:
> >
> > Let me check I know where we're at:
> > [...]
> > So you'd have this:
> >
> > /etc/pam.d/login:
> >
> > auth sufficient /lib/security/pam_local_smb_pdb.so
> > auth sufficient /lib/security/pam_winbind.so use_first_pass
> > auth sufficient /lib/security/pam_unix.so use_first_pass
> >
> > /etc/nsswitch.conf:
> >
> > passwd: local_smb_pdb winbind files
> > group: local_smb_pdb winbind files
> >
> > Am I understanding you correctly? So, the only things
> > that appear in /etc/passwd on such a machine would
> > be root,bin,mail and so on. "User" accounts would be
> > stored in Samba's pdb, and exposed to the rest of the
> > system using the nss and pam modules?
>
> Uh-huh. This is all pretty flexible. The sysadmin has
> basic control over how things work. This solution
> does not preclude accounts existing in /etc/passwd.
> I think I covered all the possibilities in the first
> message of this thread.

I'll immediately confess that I haven't been following all the detail,
and that I'm unfamiliar with much of the detail.

But can I just check a few points? The perspective is "can it accommodate
our current working and its possible evolution?" Any evolution will
_have_ to be gentle. (Saying "you shouldn't start from here" isn't an
option!)

Does the phrase "/etc/passwd" include, say, NIS and/or perhaps other
technologies, as directed by PAM?

Will we be able to use PAM's password maintenance function (currently just
"pam_unix.so") to maintain (typically from UNIX) multiple parallel
incarnations/encryptions of the password (e.g. UNIX, Lanman and NT) of a
single logical password? Probably something like:

    other password required /path/to/pam_unix.so
    other password required /path/to/pam_<blah_samba_blah>.so

(hoping that both work or both fail!).

What other questions should I be asking? :-)

[ Background:
Our current service is based around UNIX (Solaris 2.x) and NIS (not NIS+)
with shadow passwords (good old 13-char crypt etc.) to authenticate users.
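
Added example, not part of the original message and not Samba or libpam code: a simplified Python model of how a PAM `password` stack of two `required` modules runs its two passes (PAM_PRELIM_CHECK, then PAM_UPDATE_AUTHTOK), including the case the message worries about, where one password store is updated and the other is not. The `Store` class, its hashing stand-in and the user name `alice` are hypothetical.

```python
# Simplified model of a PAM "password" stack; not libpam and not Samba code.
import hashlib

PAM_SUCCESS, PAM_AUTHTOK_ERR = "PAM_SUCCESS", "PAM_AUTHTOK_ERR"

class Store:
    """Hypothetical password backend holding one hash per user."""
    def __init__(self, name, scheme, writable=True, reachable=True):
        self.name, self.scheme = name, scheme
        self.writable, self.reachable = writable, reachable
        self.hashes = {}

    def digest(self, password):
        # Stand-in for crypt()/Lanman/NT hashing: SHA-256 tagged with the scheme.
        return self.scheme + ":" + hashlib.sha256(password.encode()).hexdigest()

    def prelim_check(self, user):
        # Pass 1 (PAM_PRELIM_CHECK): can the backend be reached at all?
        return PAM_SUCCESS if self.reachable else PAM_AUTHTOK_ERR

    def update(self, user, password):
        # Pass 2 (PAM_UPDATE_AUTHTOK): actually write the new hash.
        if not self.writable:
            return PAM_AUTHTOK_ERR
        self.hashes[user] = self.digest(password)
        return PAM_SUCCESS

def chauthtok(stack, user, password):
    """Run every 'required' module; fail overall if any one of them failed."""
    # 'required' records a failure but still runs the rest of the stack.
    prelim = [m.prelim_check(user) for m in stack]
    if any(r != PAM_SUCCESS for r in prelim):
        return PAM_AUTHTOK_ERR  # no module has written anything yet
    update = [m.update(user, password) for m in stack]
    return PAM_SUCCESS if all(r == PAM_SUCCESS for r in update) else PAM_AUTHTOK_ERR

def in_sync(stack, user, password):
    """True when every store holds the hash of the same password."""
    return all(m.hashes.get(user) == m.digest(password) for m in stack)

def divergence_demo():
    """Constructed case: second store passes the prelim check, then fails the write."""
    unix = Store("unix", "crypt")
    smb = Store("smb", "nt", writable=False)
    rc = chauthtok([unix, smb], "alice", "new-secret")
    return rc, "alice" in unix.hashes, "alice" in smb.hashes
```

In this model the preliminary pass catches a backend that is down before anything is written, but a write failure in the second pass still leaves the stores out of step even though the stack as a whole reports failure.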