/etc/passwd - Domain Controller Synchronization

Brendon Meyer Brendon_Meyer at fmi.com
Thu Dec 4 22:43:11 GMT 1997


Hello Jorge,

Now this is a switch.

I kinda like this - "Microsoft" asking for help.
:-)

Seriously though, this is something I have been
working on - consistent authentication schemes
between the various platforms.  It is not reliant
on SAMBA per se but what it is reliant on is
the SMBlib libraries that Richard Sharpe wrote
some time ago.

Ultimately, where I think we are heading is
towards Kerberos but for now what I have been
doing is changing the various Unix daemons to
support authentication by not only the native UNIX
schemes (/etc/passwd, NIS, etc) but also by an NT
server and domain controller (it will probably
authenticate to any type of server really - Win 95
included but I haven't tried that).

To date, what I currently have is mail daemons -
pop 2, pop 3 and imap daemons for mail which will
attempt to authenticate by querying an NT server or
an NT domain controller (note that there still has
to be a UNIX account to map to but it can have a
non-matchable password - usually a "*" in
/etc/passwd or /etc/shadow which prevents normal
logins to the account).

This means, when a user changes their "domain"
logon password, their POP and IMAP passwords also
"automatically" change as well.

Note that this is just a "hack" made to the
'Washington University imap, pop 2 and pop 3' but
isn't released by them so if you go asking for
their help on changes that I made to their stuff,
they will probably tell you to "bugger off".

What I currently have in the works is a
replacement 'login' which actually handles the
user login and a 'ftp' daemon which will do
likewise but they are not finished (same rules
again - you need a UNIX account to map to but that
is about it).

... actually to be honest the 'login' was finished
some time ago but is now being re-written (more
correctly tossed - it is now based on the FreeBSD
'login') as the way it was written before was
pretty much from scratch, horrible to maintain and
generally was a pain in the backside to use.  I am
not working on the 'login' - that is the job for
my partner in crime.

To date, this stuff has been developed on FreeBSD
2.2.2 with the POP and IMAP daemons being
currently ported to HP-UX 10.01 and SGI IRIX 5.3
and IRIX 6.2.  The 'login' and 'ftpd' replacements
will be ported likewise.

... as to completion dates ...   Right now I am
totally inundated with other work (budgets and the
like) so I am not quite sure when I can return to
finishing this stuff -  probably not within a few
weeks anyway so if you want something from me
before then I am not sure if I can help you.

Likewise, if you are trying to use a platform
other than these I am not sure if I can help you.


Brendon
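
Added example, not part of the original message and not the author's code: a sketch in C of the account-mapping rule described above, where a UNIX account must exist, a "*" password field blocks native login, and the domain answer decides. The `domain_check_fn` hook, the sample entries, the stand-in server and the domain-first ordering are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
enum auth_result { AUTH_DENY, AUTH_DOMAIN, AUTH_TRY_NATIVE };
/* Hypothetical hook standing in for the query to the NT server or DC. */
typedef int (*domain_check_fn)(const char *user, const char *pw);
/* Constructed sample entries in /etc/passwd format. */
static const char *SAMPLE_PASSWD[] = {
    "alice:*:1001:100:Alice:/home/alice:/bin/sh",   /* native login blocked */
    "bob:ab0CONSTRUCTED:1002:100:Bob:/home/bob:/bin/sh", /* has a native hash */
    "carol::1003:100:Carol:/home/carol:/bin/sh",    /* empty: no password set */
    NULL
};
/* Constructed stand-in for the NT server: accepts two fixed pairs. */
static int sample_domain_check(const char *u, const char *p)
{
    return (!strcmp(u, "alice") && !strcmp(p, "domain-pw-1")) ||
           (!strcmp(u, "dave") && !strcmp(p, "domain-pw-2"));
}
/* Copy user's password field (2nd field) into out; 1 if the account exists. */
static int lookup_field(const char **db, const char *user, char *out, size_t n)
{
    size_t ulen = strlen(user);
    for (; *db; db++) {
        if (strncmp(*db, user, ulen) != 0 || (*db)[ulen] != ':') continue;
        const char *f = *db + ulen + 1, *end = strchr(f, ':');
        if (!end || (size_t)(end - f) >= n) return 0;
        memcpy(out, f, (size_t)(end - f));
        out[end - f] = '\0';
        return 1;
    }
    return 0;
}

enum auth_result authenticate(const char **db, const char *user,
                              const char *pw, domain_check_fn domain)
{
    char field[64];
    /* No UNIX account to map to (or a ':' smuggled into the name): deny. */
    if (strchr(user, ':') || !lookup_field(db, user, field, sizeof field))
        return AUTH_DENY;
    if (field[0] == '\0') return AUTH_DENY; /* empty field is not a lock */
    if (domain(user, pw)) return AUTH_DOMAIN;
    /* "*" never equals a crypt() result, so there is no native fallback. */
    return strcmp(field, "*") == 0 ? AUTH_DENY : AUTH_TRY_NATIVE;
}

int main(void)
{
    return authenticate(SAMPLE_PASSWD, "alice", "domain-pw-1", sample_domain_check) == AUTH_DOMAIN ? 0 : 1;
}
```

A caller that receives AUTH_TRY_NATIVE would go on to the daemon's existing native password check; a domain success for a name with no local entry is still refused.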