W2K Domain Login Problem with 2.2.0

Andrew Bartlett abartlet at pcug.org.au
Sun Apr 22 08:59:44 GMT 2001


Jeremy Allison wrote:
> 
> On Sun, Apr 22, 2001 at 05:33:06PM +1000, Andrew Bartlett wrote:
> > Jeremy Allison wrote:
> > >
> > > Yeah - I'm looking at this now. I'm not sure this is the
> > > correct thing to do. What if the system is using winbindd ?
> > > What will be the interaction with pam and winbindd usernames
> > > (which are of the form DOMAIN\user) ?
> > >
> > > I'm inclined to remove this unless I can prove it won't
> > > break winbindd systems.
> >
> > Don't do that!  Samba is broken unless it checks an account's validity
> > before allowing a user to access it.  If we are using winbind, my
> > understanding is that we are providing the PAM modules anyway - in which
> > case the winbind pam module should handle this as for all other
> > authentications.
> 
> I'm going to check this out on Monday when I'm in at work
> with a working winbindd setup. There is a pam_winbind.so
> module created by the Makefile but it's not installed by
> default on an RPM system.
> 
> We need to make sure it's built and tested and installed
> by the Samba rpm before turning this on.
> 
> winbindd is more important (single sign on in W2k/NT domains)
> than pam support at the moment.

I thought winbind provided pam support?  It makes things go in a bit of
a loop, but it shouldn't be fatal.  Can I log into a winbind'ed machine
with OpenSSH?  Do I use that mangled DOMAIN\username?  If so it should
work.

> 
> > The only valid case for not checking our local pam setup is for a BDC
> > type setup, where all authentications are referred to another server, and
> > no access is granted to any local resources.
> 
> Actually that's not true. BDCs have a read-only replica of the PDC
> database. Authentications are not referred to another server.

OK, I need to read up on NT Domains...

> 
> > This is not true for real
> > BDC's however, as they still use a local smbpasswd for when the PDC
> > fails.
> 
> It sounds like you're confusing BDC's with member servers here.
> Can you be more explicit ?

I can only see a case for not checking with the local PAM setup where
there is no association between the samba authentication data and what
getpwnam() returns.  (This is what Samba-TNG is doing, if I recall).  So
long as there is that link, and particularly when there are local
accounts the local sysadmin might disable an account, we MUST check with
PAM.

> 
> > So there's not currently a case for this.  And if there is,
> > pam_permit.so is designed for exactly this situation, and can be
> > configured by the system administrator if desired.
> 
> Like I said - we need to make sure this works with winbindd
> before making it the default. I'm sure it will work eventually,
> it's just I'm a little paranoid when it comes to something I
> haven't personally tested. Just call me "cautious" :-).
> 
> Jeremy.
> 
> --
> --------------------------------------------------------
> Buying an operating system without source is like buying
> a self-assembly Space Shuttle with no instructions.
> --------------------------------------------------------

-- 
Andrew Bartlett
abartlet at pcug.org.au
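Added example (not Samba's, PAM's or either poster's code): a simplified model of what the PAM "account" stage checks after a password has been verified, which is the step the thread argues Samba must not skip. It parses constructed /etc/shadow-style records (placeholder hashes, invented users) and reports whether a session may be granted; the `account_check=False` path models a stack where the administrator has put `pam_permit.so` in the account stage, as Andrew mentions, so a locally disabled account is no longer rejected. Field semantics follow the shadow(5) layout; the date used for the demo is simply the date of this message.

```python
# Added example: a simplified model of the account-stage checks that a PAM
# account module such as pam_unix performs. Not Samba or PAM code; the
# shadow records below are constructed for the example.
from datetime import date

# Constructed /etc/shadow-style records, one per line:
# name:password:lastchg:min:max:warn:inactive:expire:reserved
# (day fields are days since 1970-01-01; the hashes are placeholders)
SAMPLE_SHADOW = """\
alice:$6$example$PLACEHOLDERHASH:11400:0:99999:7:::
bob:!$6$example$PLACEHOLDERHASH:11400:0:99999:7:::
carol:$6$example$PLACEHOLDERHASH:11000:0:90:7:::
dave:$6$example$PLACEHOLDERHASH:11400:0:99999:7::11430:
"""

EPOCH = date(1970, 1, 1)
# Date of this thread, used as "today" in the demonstration.
THREAD_DATE = date(2001, 4, 22)


def days_since_epoch(day):
    """Shadow stores dates as days since the Unix epoch."""
    return (day - EPOCH).days


def parse_shadow(text):
    """Parse shadow-format lines into a dict keyed by user name."""
    records = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError("malformed shadow record: %r" % line)
        name, pw, lastchg, _min, _max, _warn, inactive, expire, _flag = fields
        records[name] = {
            "pw": pw,
            "lastchg": int(lastchg) if lastchg else None,
            "max": int(_max) if _max else None,
            "inactive": int(inactive) if inactive else None,
            "expire": int(expire) if expire else None,
        }
    return records


def account_status(rec, today):
    """Classify an account the way an account-management check would:
    'locked', 'expired', 'password_expired' or 'ok'."""
    # An administrator disables an account by prefixing the hash with '!' or '*'.
    if rec["pw"].startswith(("!", "*")):
        return "locked"
    now = days_since_epoch(today)
    # Field 8: absolute expiry date of the account itself.
    if rec["expire"] is not None and now >= rec["expire"]:
        return "expired"
    # Fields 3, 5 and 7: password older than its maximum age, plus any
    # inactivity grace period the administrator allowed.
    if rec["lastchg"] is not None and rec["max"] is not None:
        deadline = rec["lastchg"] + rec["max"]
        if rec["inactive"] is not None:
            deadline += rec["inactive"]
        if now > deadline:
            return "password_expired"
    return "ok"


def session_allowed(name, records, today, account_check=True):
    """Decide whether a session may be granted after a successful password
    check. account_check=False models an account stack that uses
    pam_permit.so: the stage always succeeds, so a locally disabled or
    expired account is still let in."""
    if name not in records:
        return False, "unknown"
    if not account_check:
        return True, "permit"
    status = account_status(records[name], today)
    return status == "ok", status


if __name__ == "__main__":
    recs = parse_shadow(SAMPLE_SHADOW)
    for user in sorted(recs):
        print(user, session_allowed(user, recs, THREAD_DATE))
```

Run as a script, it prints one line per constructed user: alice is admitted, bob is refused as locked, carol's password has aged out, and dave's account has passed its expiry date; calling `session_allowed` with `account_check=False` admits all four, which is exactly the behaviour a sysadmin opts into by choosing `pam_permit.so` for the account stage.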