pam_winbind as non Domain Admistrator?
Nick Lange
nicklange at wi.rr.com
Tue Jun 17 23:58:02 GMT 2003
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
I might have misread the documentation, but is it possible to authenticate a user against a domain without being a
domain administrator? This is for existing accounts only, [i.e. I do not need to enumerate unknown users, rather, should
the account exist on the box I need ensure that
1.) the credentials entered are valid
and
2.) the account is not locked out on the DC
]
If this functionality isn't possible, can anyone familiar with the API's give me an idea of how much work it would be
develop this myself? otherwise, has anyone used winbindd on a public web server to authenticate against a 20K user
central DC? Obviously, the security implications of allowing a domain admin on a public web server concern me greatly.
Is there a specific privlege that a normal non-DA could receive that would accomplisht the goals of winbind?
Lastly, if I could pull the encrypted password from the DC, does the samba api provide a way to encrypt an arbitrary
set of credentials to compare them? (should pam_winbind prove unusable for this project.)
This quesiton may be better suited to the samba-users list; however, I have a feeling I might end up mailing this
list anyways...
cheers,
nick
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQE+76sKUpjBJywc+asRAkWuAJ9pZY8Vqfj++hozbupQ/xVSvD81EwCffejP
K5eDF8dlcNbX5Wq4vFYIDsU=
=vuku
-----END PGP SIGNATURE-----
More information about the samba-technical
mailing list