NT Domain logon

Luke Kenneth Casson Leighton lkcl at switchboard.net
Sat Nov 1 16:04:46 GMT 1997


On Fri, 31 Oct 1997, Nathan Neulinger wrote:

> On Fri, Oct 31, 1997 at 12:08:57PM +0000, Luke Kenneth Casson Leighton wrote:
> > On Thu, 30 Oct 1997, Nathan Neulinger wrote:
> > 
> > > > you'll need to do encrypted passwords for your users.  what version of 
> > > > unix are you using?  have you looked into PAMs?  (plug-in authentication 
> > > > modules)
> > > 
> > > The problem is, we'll never have cleartext passwords for the user. 
> > > Maintaining a separate password database is unacceptable. If we wanted to 
> > > do that, we'd just run NT server.
> > > 
> > > I'm semi familiar with PAM, but am not sure how they apply to this 
> > > situation other than for checking that a given cleartext password is 
> > > correct for a particular userid.
> > 
> > (run two simultaneous PAMs: one kerberos-pam, the other an ntdom-pam.  i 
> > think that's the way it works.  each pam will be simultaneously 
> > maintaining password databases.  each time the user changes their 
> > password, both databases will be updated).
> > 
> > 
> > hang about... could you possibly describe your setup a little more to me, 
> > so i can think about this?
> 
> Not all of the O/S's we use will support that. We could replace 
> /bin/login on all of them... ick. 
> 
> Plus, we have over two hundred workstations, mostly HP's. 
> 
> If we do something like that, we'll most likely implement a central 
> password server of our own design (probably on a linux box) that would 
> receive requests to update a password on all services - including Novell, 
> NT, AFS, DCE, etc.

well, whatever solution you decide to use, it sounds interesting, and i'm 
sure that there are other people who either already have done this (or 
similar) or would be interested in your solution.

regards,

luke

