W2K Domain Login Problem with 2.2.0

Andrew Bartlett abartlet at pcug.org.au
Sun Apr 22 07:33:06 GMT 2001


Jeremy Allison wrote:
> 
> On Sun, Apr 22, 2001 at 10:58:05AM +1000, Andrew Bartlett wrote:
> 
> > Samba now checks with pam's account management facility as to the
> > validity of usernames, even if it is using encrypted passwords.  This
> > was added just before release.
> 
> Yeah - I'm looking at this now. I'm not sure this is the
> correct thing to do. What if the system is using winbindd ?
> What will be the interaction with pam and winbindd usernames
> (which are of the form DOMAIN\user) ?
> 
> I'm inclined to remove this unless I can prove it won't
> break winbindd systems.
> 
> Jeremy.
> 

Don't do that!  Samba is broken unless it checks an account's validity
before allowing a user to access it.  If we are using winbind, my
understanding is that we are providing the PAM modules anyway - in which
case the winbind pam module should handle this as for all other
authentications.

The only valid case for not checking our local pam setup is for a BDC
type setup, where all authentications are referred to another server, and
no access is granted to any local resources.  This is not true for real
BDCs, however, as they still use a local smbpasswd for when the PDC
fails.  So there's not currently a case for this.  And if there is,
pam_permit.so is designed for exactly this situation, and can be
configured by the system administrator if desired.

Andrew Bartlett
abartlet at pcug.org.au
