/etc/passwd - Domain Controller Synchronization

Jorge Silva (Jorge Gomes da Silva) jorgesil at microsoft.com
Fri Dec 5 18:36:59 GMT 1997



> -----Original Message-----
> From:	Brendon Meyer [SMTP:Brendon_Meyer at fmi.com]
> Sent:	Thursday, December 04, 1997 10:43 PM
> To:	Jorge Silva (Jorge Gomes da Silva); samba at samba.anu.edu.au
> Subject:	/etc/passwd - Domain Controller Synchronization
> 
> Hello Jorge,
> 
> Now this is a switch.
> 
> I kinda like this - "Microsoft" asking for help.
> :-)
	[Jorge]  Well, it's true that I work for Microsoft but I wouldn't
say I'm "Microsoft" (I should have included some kind of disclaimer. I hope
I won't get fired for this). ;-)

> Seriously though, this is something I have been
> working on - consistent authentication schemes
> between the various platforms.  It is not reliant
> on SAMBA per se but what it is reliant on is
> the SMBlib libraries that Richard Sharpe wrote
> some time ago.
> 
> Ultimately, where I think we are heading is
> towards Kerberos but for now what I have been
> doing is changing the various Unix daemons to
> support authentication by not only the native UNIX
> schemes (/etc/passwd, NIS, etc) but also by a NT
> server and domain controller (it will probably
> authenticate to any type of server really - Win 95
> included but I haven't tried that).
	[Jorge]  Isn't this similar to the use of PAMs?

> To date, what I currently have is mail daemons -
> pop 2, pop 3 and imap daemons for mail which will
> attempt to authenticate by querying a NT server or
> a NT domain controller (note that there still has
> to be a UNIX account to map to but it can have a
> non-matchable password - usually a "*" in
> /etc/passwd or /etc/shadow which prevents normal
> logins to the account).
> 
> This means, when a user changes their "domain"
> logon password, their POP and IMAP passwords also
> "automatically" change as well.
> 
> Note that this is just a "hack" made to the
> 'Washington University imap, pop 2 and pop 3' but
> isn't released by them so if you go asking for
> their help on changes that I made to their stuff,
> they will probably tell you to "bugger off".
> 
> What I currently have in the works is a
> replacement 'login' which actually handles the
> user login and a 'ftp' daemon which will do
> likewise but they are not finished (same rules
> again - you need a UNIX account to map to but that
> is about it).
> 
> ... actually to be honest the 'login' was finished
> some time ago but is now being re-written (more
> correctly tossed - it is now based on the FreeBSD
> 'login') as the way it was written before was
> pretty much from scratch, horrible to maintain and
> generally was a pain in the backside to use.  I am
> not working on the 'login' - that is the job for
> my partner in crime.
> 
> To date, this stuff has been developed on FreeBSD
> 2.2.2 with the POP and IMAP daemons being
> currently ported to HP-UX 10.01 and SGI IRIX 5.3
> and IRIX 6.2.  The 'login' and 'ftpd' replacements
> will be ported likewise.
	[Jorge]  The login daemon for HP-UX could be useful for this project
(the customer is using HP Unix) but for now it's just an idea. We also are
investigating other sources for a solution.

> ... as to completion dates ...   Right now I am
> totally inundated with other work (budgets and the
> like) so I am not quite sure when I can return to
> finishing this stuff -  probably not within a few
> weeks anyway so if you want something from me
> before then I am not sure if I can help you.
> 
> Likewise, if you are trying to use a platform
> other than these I am not sure if I can help you.
> 
	[Jorge]  OK. Thank you very much for your answer.
>  
> Brendon
> 
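
The scheme Brendon describes depends on each mapped Unix account having a non-matchable password field (usually "*"), so that only the NT server or domain controller can authenticate the user. The following is an added example, not part of the e-mail thread or of any code it mentions: a small audit that reports which accounts are locked for local password login. The sample file contents and function names are constructed, and treating a leading "!" as locked is an assumption that follows the Linux shadow-suite convention.

```python
# Added example: audit which Unix accounts can still log in with a local password.
# PASSWD and SHADOW are constructed sample data, not taken from a real system.
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1001:100:Alice:/home/alice:/bin/sh
bob:*:1002:100:Bob:/home/bob:/bin/sh
carol:x:1003:100:Carol:/home/carol:/bin/sh
dave::1004:100:Dave:/home/dave:/bin/sh
"""
SHADOW = """\
root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
alice:*:19000:0:99999:7:::
carol:!$6$constructedsalt$constructedhash:19000:0:99999:7:::
"""

def parse_fields(text, minimum):
    """Map login name -> colon-separated fields, skipping blank, comment and short lines."""
    table = {}
    for line in text.splitlines():
        fields = line.split(":")
        if line.strip() and not line.startswith("#") and len(fields) >= minimum:
            table[fields[0]] = fields
    return table

def classify(pw_field, shadow_entry):
    """Return 'locked', 'empty', 'local' or 'no-shadow' for one account."""
    if pw_field == "x":              # 'x' defers to the shadow file
        if shadow_entry is None:
            return "no-shadow"       # inconsistent files: flag for manual review
        pw_field = shadow_entry[1]
    if pw_field == "":
        return "empty"               # no password required at all
    if pw_field[0] in "*!":
        return "locked"              # not a valid crypt(3) result, nothing matches it
    return "local"                   # a real hash: local password login still works

def audit(passwd_text, shadow_text):
    """Classify every account in passwd_text using shadow_text where needed."""
    shadow = parse_fields(shadow_text, 2)
    passwd = parse_fields(passwd_text, 7)
    return {name: classify(f[1], shadow.get(name)) for name, f in passwd.items()}

if __name__ == "__main__":
    for name, state in audit(PASSWD, SHADOW).items():
        print(f"{name:8} {state}")
```

Accounts reported as "local" or "empty" can still be reached with a Unix-side password, so a domain password change alone does not govern access to them.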

