W2K Domain Login Problem with 2.2.0
Tim Potter
tpot at samba.org
Tue Apr 24 23:04:09 GMT 2001
Gerald Carter writes:
[...]
> Here some possible scenarios...
>
> o Standalone samba server - PAM works fine
>
> o Samba as a member server - domain security. We need
> to work this one out. Remote users, local users, etc...

This is the winbind scenario. All remote users should really go
through pam with the user manager enable/disable and logon hours
stuff used. I think this fits in to pam_winbind.

> How does a full blown SAM-like account storage system
> fit in here? A simple thing like disabling an account
> in User Manager for Domains...which should take precedence?
> Samba's passdb or PAM? Can we assume we know which one the
> UNIX admin wants? What if it is an NT shop with a Samba
> appliance?

I guess it should be configurable whether to honour things like
that. Local users are a bit tricky. There seem to be several
sub-scenarios in the appliance thing:

  - disable local users altogether (a la hide local users
    parameter)

  - have some/all local users appear and operate as usual. This
    should work through the normal pam stuff.

> There are many more questions than one would initially
> assume for this problem to be addressed in one weekend.
> Perhaps we should just set up a conf call and hash it out.
> Then post an RFC on samba-technical.

Sounds like a good idea.

Tim.