PASSDB: local and domain accounts

David Lee T.D.Lee at durham.ac.uk
Thu Nov 16 16:20:34 GMT 2000


On Thu, 16 Nov 2000, Gerald Carter wrote:

> "Mayers, Philip J" wrote:
> > 
> > Let me check I know where we're at:
> > [...]
> > So you'd have this:
> > 
> > /etc/pam.d/login:
> > 
> > auth sufficient /lib/security/pam_local_smb_pdb.so
> > auth sufficient /lib/security/pam_winbind.so use_first_pass
> > auth sufficient /lib/security/pam_unix.so use_first_pass
> > 
> > /etc/nsswitch.conf:
> > 
> > passwd: local_smb_pdb winbind files
> > group: local_smb_pdb winbind files
> > 
> > Am I understanding you correctly? So, the only things 
> > that appear in /etc/passwd on such a machine would 
> > be root,bin,mail and so on. "User" accounts would be 
> > stored in Samba's pdb, and exposed to the rest of the
> > system using the nss and pam modules?
> 
> Uh-huh.  This is all pretty flexible.  The sysadmin has 
> basic control over how things work.  This solution
> does not preclude accounts existing in /etc/passwd.
> I think I covered all the possibilities in the first
> message of this thread.

I'll immediately confess that I haven't been following all the detail,
and that I'm unfamiliar with much of the detail.

But can I just check a few points?  The perspective is "can it accommodate
our current working and its possible evolution?"  Any evolution will
_have_ to be gentle.  (Saying "you shouldn't start from here" isn't an
option!)


Does the phrase "/etc/passwd" include, say, NIS and/or perhaps other
technologies, as directed by PAM? 

Will we be able to use PAM's password maintenance function (currently just
"pam_unix.so") to maintain (typically from UNIX) multiple parallel
incarnations/encryptions of the password (e.g. UNIX, Lanman and NT) of a
single logical password?  Probably something like:
   other   password required       /path/to/pam_unix.so
   other   password required       /path/to/pam_<blah_samba_blah>.so
(hoping that both work or both fail!).

What other questions should I be asking? :-)

[ Background:

Our current service is based around UNIX (Solaris 2.x) and NIS (not NIS+) 
with shadow passwords (good old 13-char crypt etc.) to authenticate users.

