Client for Samba networks

Steven French sfrench at us.ibm.com
Tue Dec 18 20:40:03 GMT 2001


Our IBM GINA allowed you to do domain logons from NT & Windows 2000 to older
SMB servers (somewhat like a Win9x or OS/2 logon) without the user being
present in the local accounts database. Apparently this (manufacturing
domain credentials in the undocumented NT way that the local API expects)
was much of the difficulty. Not an ideal solution since GINAs cannot be
easily chained together (although apparently we were able to hack something
together to coexist with the Lotus GINA and the DCE GINA) and not
particularly reusable. Hopefully this interface is improved/replaced
someday or the lower level API documented.

Steve French
Senior Software Engineer
Linux Technology Center - IBM Austin
phone: 512-838-2294
email: sfrench at us.ibm.com


Jean Francois Micouleau <Jean-Francois.Micouleau at dalalu.fr> on 12/18/2001
06:00:55 PM

To:   David Collier-Brown <davecb at canada.sun.com>
cc:   Steven French/Austin/IBM at IBMUS, <samba-technical at lists.samba.org>
Subject:  Re: Client for Samba networks




On Tue, 18 Dec 2001, David Collier-Brown wrote:

>    A GINA that does a minimal window,
>    collects data and ships it to an
>    authentication server in some
>    appropriate format, and then displays
>    a success indication or a server-
>    supplied error message would allow us to
>    build suitable back-ends, and might
>    be more maintainable than previous ones.

If my memory serves well (I haven't used nisgina for a very long time),
the problem is the GINA layer a) is only useful for interactive logon,
b) has access only to the local account database. So the accounts are
created under the machine's SID.


What's really needed is the internal API to the SAM database, or the
functions called by the LSA.

     J.F.






