W2K Domain Login Problem with 2.2.0

Tim Potter tpot at samba.org
Tue Apr 24 23:04:09 GMT 2001

Gerald Carter writes:


> Here some possible scenarios...
>  o Standalone samba server - PAM works fine
>  o Samba as a member server - domain security.  We need
>    to work this one out.  Remote users, local users, etc...

This is the winbind scenario.  All remote users should really go
through pam with the user manager enable/disable and logon hours
stuff used.  I think this fits in to pam_winbind.

> How does a full blown SAM-like account storage system 
> fit in here?  A simple thing like disabling an account
> in User Manager for Domains...which should take precedence?
> Samba's passdb or PAM?  Can we assume we know which one the
> UNIX admin wants?  What if it is an NT shop with a Samba
> appliance?  

I guess it should be configurable whether to honour things like
that.  Local users are a bit tricky.  There seem to be several
sub-scenarios in the appliance thing:

 - disable local users altogether (ala hide local users

 - have some/all local users appear and operate as usual.  This
   should work through the normal pam stuff.

> There are many more questions that one would initially 
> assume for this problem to be adressed in one weekend.
> Perhaps we should just setup a conf call and hash it out.
> Then post an RFC on samba-technical.

Sounds like a good idea.


More information about the samba-technical mailing list