CVS update: samba/source/auth

Gerald (Jerry) Carter jerry at samba.org
Sun Jun 29 22:33:28 GMT 2003


On Sun, 29 Jun 2003, Volker Lendecke wrote:

> Some very brief notes wrt your trustdom patch: 
> Why do you want to join the local domain? 

I'm trying to remember right now.  Could have had to do with 
winbindd_pam_auth_crap().

> If we do, then wbinfo -a SAMBA\\user%password where SAMBA is the local
> SAM domain locks up in the SAM logon request from winbind to smbd.

Doesn't lock for me.  Although (VALE is the Samba domain) running this on
the PDC:

  # wbinfo -a 'VALE\jerry%test'
  plaintext password authentication succeeded
  challenge/response password authentication failed
  error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
  error messsage was: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
  Could not authenticate user VALE\jerry with challenge/response

I've tried this with and without 'winbind use default domain = yes'.
Maybe I need more details from you?

> With your patch (not joined the local domain) I get the local users as
> SAMBA\username in getent passwd.

Joined to the domain it works fine.  Only trusted users show up.

> On Sun, Jun 29, 2003 at 03:39:50AM +0000, jerry at samba.org wrote:
> >   * set 'auth method = guest sam winbind'
> 
> I'd rather recommend 'auth methods = guest samstrict winbind'
> 
> Otherwise you will get problems if you have a SAM user with the same
> name as a winbind-imported user.

OK.  I see what you mean.  So why do we have a separate 'sam' and
'samstrict' method?  We shouldn't be looking up users from other domains
in our own passdb anyways.  Trust relationships should be handled
by 'allow trust domains' and that should go through winbind.

Why can't we just make samstrict == sam and name them one module?

> Sorry for not really looking into it, it's Sunday and I'd like to go
> dancing :-)

Enjoy yourself. :-)



cheers, jerry




