W2K Domain Login Problem with 2.2.0

Andrew Bartlett abartlet at pcug.org.au
Sun Apr 22 08:41:06 GMT 2001


Jeremy Allison wrote:
> 
> On Sun, Apr 22, 2001 at 05:33:06PM +1000, Andrew Bartlett wrote:
> > Jeremy Allison wrote:
> > >
> > > Yeah - I'm looking at this now. I'm not sure this is the
> > > correct thing to do. What if the system is using winbindd ?
> > > What will be the interaction with pam and winbindd usernames
> > > (which are of the form DOMAIN\user) ?
> > >
> > > I'm inclined to remove this unless I can prove it won't
> > > break winbindd systems.
> >
> > Don't do that!  Samba is broken unless it checks an account's validity
> > before allowing a user to access it.  If we are using winbind, my
> > understanding is that we are providing the PAM modules anyway - in which
> > case the winbind pam module should handle this as for all other
> > authentications.
> 
> I'm going to check this out on Monday when I'm in at work
> with a working winbindd setup. There is a pam_winbind.so
> module created by the Makefile but it's not installed by
> default on an RPM system.
> 
> We need to make sure it's built and tested and installed
> by the Samba rpm before turning this on.
> 
> winbindd is more important (single sign on in W2k/NT domains)
> than pam support at the moment.
> 
> > The only valid case for not checking our local pam setup is for a BDC
> > type setup, where all authentications are referred to another server, and
> > no access is granted to any local resources.
> 
> Actually that's not true. BDC's have a read-only-replica of the PDC
> database. Authentications are not referred to another server.
> 
> > This is not true for real
> > BDC's however, as they still use a local smbpasswd for when the PDC
> > fails.
> 
> It sounds like you're confusing BDC's with member servers here.
> Can you be more explicit ?
> 
> > So theres not currently a case for this.  And if there is,
> > pam_permit.so is designed for exactly this situation, and can be
> > configured by the system administrator if desired.
> 
> Like I said - we need to make sure this works with winbindd
> before making it the default. I'm sure it will work eventually,
> it's just I'm a little paranoid when it comes to something I
> haven't personally tested. Just call me "cautious" :-).
> 
> Jeremy.
> 

There seems to be a bug in the interaction between Win2k domain logons
and PAM account management.  It is not present for my NT4 (no SP) VMware
session.

I currently don't have access to a Win2k machine, so can't particularly
test any further.  I suspect that the username being passed to PAM is in
some way slightly malformed, such that the account management fails.

There is NO bug in PAM account management for reply.c stuff, this works
fine - including for Win2k.

Does this ring a bell for anyone?

-- 
Andrew Bartlett
abartlet at pcug.org.au
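The PAM account stack the thread is arguing about, written out as an added example (this is not from the original post and is not Samba's own sample configuration). The service name "samba", the file path, and the choice of control flags are assumptions; which modules exist on a given system, and whether the Samba package installs pam_winbind.so at all, must be checked locally.

```conf
# /etc/pam.d/samba   (hypothetical service name; added example, not Samba's own file)
#
# Only the "account" stage is shown: it decides whether an already
# authenticated user is still allowed to use the account (expired,
# locked, time-restricted, ...). This is the check the thread says
# Samba must run before granting access.

# Local users from /etc/passwd and smbpasswd: let pam_unix apply the
# usual shadow expiry/lock checks. "sufficient" means a pass here ends
# the stack with success; an unknown user falls through to the next line.
account sufficient pam_unix.so

# Users supplied by winbindd (DOMAIN\user form): hand the account check
# back to the domain controller through pam_winbind.so. Assumption: the
# module is built and installed (the thread notes the RPM may not do so).
account required   pam_winbind.so

# The one case the thread treats as legitimate for skipping the local
# check: a server that grants no local resources and only relays
# authentications. pam_permit.so succeeds unconditionally, so replace the
# two lines above with:
#   account required pam_permit.so
# Caveat: pam_permit.so in the "auth" stage would accept any password;
# use it only in "account" (or "session"), and only on such a server.
```

Before turning the check on by default, run the stack once with a plain local name and once with a DOMAIN\user name; if the second fails while the first passes, the username form reaching PAM is the first thing to inspect, which is the suspicion raised above.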



