W2K Domain Login Problem with 2.2.0

Steve Langasek vorlon at netexpress.net
Mon Apr 23 03:53:21 GMT 2001


On Sun, 22 Apr 2001, Andrew Bartlett wrote:

> > > This is not true for real
> > > BDC's however, as they still use a local smbpasswd for when the PDC
> > > fails.

> > It sounds like you're confusing BDC's with member servers here.
> > Can you be more explicit?

> I can only see a case for not checking with the local PAM setup where
> there is no association between the samba authentication data and what
> getpwnam() returns.  (This is what Samba-TNG is doing, if I recall).  So
> long as there is that link, and particularly when there are local
> accounts the local sysadmin might disable an account, we MUST check with
> PAM.

I think this attempts to solve the wrong problem.  If I as an admin enable PAM
support in Samba with --with-pam, I want my policies to be applied
across the board regardless of whether or not the user has a local account.  A
winbind-enabled system should not attempt to distinguish between local and
non-local users when setting policy.  An *admin* can use something like PAM to
set different policies for different classes of users, but Samba itself
shouldn't be treating the accounts differently.

It's possible that the PAM support isn't yet what it should be, and that we
should therefore take a step back from the use of PAM on Samba domain servers;
but ideally, PAM would be applied universally with equal success on all
systems which use it.

Steve Langasek
postmodern programmer
