losing connections to password server

Andrew Bartlett abartlet at samba.org
Thu Jun 26 04:33:37 GMT 2003


On Thu, 2003-06-26 at 14:22, Gerald (Jerry) Carter wrote:
> On Thu, 19 Jun 2003, David Collier-Brown -- Customer Engineering wrote:
> 
> > On Thu, Jun 19, 2003 at 08:53:17AM -0700, David Bear wrote:
> > >>"security = server" may be a nasty hack, but it is an important
> > >>'feature' in an organization like my university.  We have centrally
> > >>managed services which include user accounts.  This hack lets me add
> > >>users to samba services without having to manage accounts.
> > 
> > Steve Langasek wrote:
> > > So does "security = domain"; except that "security = domain" works,
> > > using the same protocols that Microsoft supports for their own
> > > authentication systems.
> > > 
> > > The "security = server" hack is /inherently/ flaky, and has /inherently/
> > > limited security.  Fixing these inherent flaws has been done: that's
> > > what domain security is.
> > 
> > 	Alas, security = domain only works if I'm running an
> > 	NT domain, while security = server works with an
> > 	authentication server which is using the underlying
> > 	Unix authentication system.
> 
> Set up a Samba PDC and run the second Samba server as a domain member.
> Sorry Dave, but there are so many other ways to get distributed 
> authentication to work in the case without using server mode security.
> 
> Or set up Samba PDCs and BDCs or trusts once they are finished.

Or if you want distributed *plaintext* authentication (which is what I
*think* Dave was describing) then something like openldap/pam_ldap or
radiusd/pam_radius sounds like the right kind of solution.

Fancy plaintext auth methods are really handled quite well by PAM.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net