W2K Domain Login Problem with 2.2.0

Jeremy Allison jeremy at valinux.com
Sun Apr 22 08:24:19 GMT 2001

On Sun, Apr 22, 2001 at 05:33:06PM +1000, Andrew Bartlett wrote:
> Jeremy Allison wrote:
> >
> > Yeah - I'm looking at this now. I'm not sure this is the
> > correct thing to do. What if the system is using winbindd ?
> > What will be the interaction with pam and winbindd usernames
> > (which are of the form DOMAIN\user) ?
> > 
> > I'm inclined to remove this unless I can prove it won't
> > break winbindd systems.
> Don't do that!  Samba is broken unless it checks an account's validity
> before allowing a user to access it.  If we are using winbind, my
> understanding is that we are providing the PAM modules anyway - in which
> case the winbind pam module should handle this as for all other
> authentications.

I'm going to check this out on Monday when I'm in at work
with a working winbindd setup. There is a pam_winbind.so
module created by the Makefile but it's not installed by
default on an RPM system.

We need to make sure it's built and tested and installed
by the Samba rpm before turning this on.

winbindd is more important (single sign on in W2k/NT domains)
than pam support at the moment.

> The only valid case for not checking our local pam setup is for a BDC
> type setup, where all authentications are referred to another server, and
> no access is granted to any local resources.

Actually that's not true. BDCs have a read-only replica of the PDC
database. Authentications are not referred to another server.

> This is not true for real
> BDCs however, as they still use a local smbpasswd for when the PDC
> fails.

It sounds like you're confusing BDCs with member servers here.
Can you be more explicit?

> So there's not currently a case for this.  And if there is,
> pam_permit.so is designed for exactly this situation, and can be
> configured by the system administrator if desired.

Like I said - we need to make sure this works with winbindd
before making it the default. I'm sure it will work eventually,
it's just I'm a little paranoid when it comes to something I
haven't personally tested. Just call me "cautious" :-).


Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
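
The thread above argues about whether Samba should run the PAM account stage before granting access, and how a winbindd host versus a BDC-style host would configure it. The following is an added illustration, not part of the thread or of Samba's shipped packaging: a hypothetical /etc/pam.d/samba stack for a host that authenticates domain users through winbindd, shown beside the pam_permit.so variant Andrew describes for a host that grants no local resources. Module names are the standard Linux-PAM and Samba ones; the service name "samba" and the file path are assumptions.

```text
# /etc/pam.d/samba  (hypothetical example, not shipped by Samba)
#
# Host that uses winbindd: the account stage asks pam_winbind to
# confirm the DOMAIN\user account is still valid (not disabled,
# not expired) before Samba hands out a session.
auth     required  pam_winbind.so
account  required  pam_winbind.so

# Host that refers every authentication elsewhere and exposes no local
# resources (the case Andrew describes): the account stage is a no-op.
# Only the system administrator should choose this; it means a disabled
# account is never rejected locally.
# auth     required  pam_permit.so
# account  required  pam_permit.so
```

The security-relevant difference is entirely in the account line: with pam_winbind.so (or pam_unix.so for local accounts) a disabled or expired account is refused even if its password is correct, whereas pam_permit.so unconditionally succeeds and must be reserved for hosts where access is granted by some other server.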

