W2K Domain Login Problem with 2.2.0

Steve Langasek vorlon at netexpress.net
Mon Apr 23 22:44:27 GMT 2001

On Mon, 23 Apr 2001, Gerald Carter wrote:

> Here some possible scenarios...

>  o Standalone samba server - PAM works fine

>  o Samba as a member server - domain security.  We need
>    to work this one out.  Remote users, local users, etc...

PAM itself is agnostic as far as local v. remote users are concerned; the API
allows for both or either.  With individual PAM modules, you'll find some that
work well for remote users; some that are explicitly bound to local databases;
and some which do silly things like calling getpwnam() when they shouldn't,
causing them to break when they shouldn't.  So whereas PAM itself should not
be incompatible with the design of a member server, the possible PAM configs
that can be supported at this point may be fairly limited.

>  o Samba as a PDC - All local users

> How does a full blown SAM-like account storage system
> fit in here?  A simple thing like disabling an account
> in User Manager for Domains...which should take precedence?
> Samba's passdb or PAM?  Can we assume we know which one the
> UNIX admin wants?  What if it is an NT shop with a Samba
> appliance?

I think it's clear that disabling an account in User Manager should cause the
account to be disabled in Samba's passdb.  First, PAM itself doesn't have an
API for /changing/ the status of accounts, so it's not clear how one would
code this portably.  Second, using only the passdb gives admins more
flexibility: if they want other services to honor the account flags from the
Samba passdb, they can opt-in to this arrangement using pam_smbpass.

Steve Langasek
postmodern programmer

More information about the samba-technical mailing list