pam_winbind as non Domain Administrator?
nicklange at wi.rr.com
Tue Jun 17 23:58:02 GMT 2003
I might have misread the documentation, but is it possible to authenticate a user against a domain without being a
domain administrator? This is for existing accounts only, i.e. I do not need to enumerate unknown users; rather, should
the account exist on the box, I need to ensure that
1.) the credentials entered are valid
2.) the account is not locked out on the DC
If this functionality isn't possible, can anyone familiar with the APIs give me an idea of how much work it would be
to develop this myself? Otherwise, has anyone used winbindd on a public web server to authenticate against a 20K user
central DC? Obviously, the security implications of allowing a domain admin on a public web server concern me greatly.
Is there a specific privilege that a normal non-DA could receive that would accomplish the goals of winbind?
Lastly, if I could pull the encrypted password from the DC, does the samba api provide a way to encrypt an arbitrary
set of credentials to compare them? (Should pam_winbind prove unusable for this project.)
This question may be better suited to the samba-users list; however, I have a feeling I might end up mailing this
More information about the samba-technical