NT Domain logon
Luke Kenneth Casson Leighton
lkcl at switchboard.net
Thu Oct 30 23:31:35 GMT 1997

On Fri, 31 Oct 1997, Nathan Neulinger wrote:

> First, a couple of questions - are encrypted passwords absolutely necessary?

the only way is to find out if the SAM database can support clear-text
passwords or not. we're mirroring SAM databases, which are based on
encrypted passwords.

effectively what we are implementing is NT's "Local Security Authority"
SAM Service - LSASS.EXE.

if you can get hold of an alternative login system, for example Novell's
Local Security Authority, and ask them to provide full documentation on
their over-the-wire protocol, then we will implement this.

if you can get hold of information from microsoft on how to implement a
"Local Security Authority" (this is _used_ by a GINA and is _not_ a GINA
itself: a GINA is the graphical interface that communicates with an
LSA...), then i will implement one that does Kerberos, and a corresponding
GINA that uses it, and i will also put it into samba.

if you know of a company that has already implemented a Kerberos LSA and
its corresponding GINA, then please contact them and ask them if they
would like samba support for it.

> The reason is, NT DOMAIN support in samba is only going to be useful to
> me if I can continue to tie the authentication into our central
> AFS/Kerberos server.
>
> I have tried to do the setup without going to encrypted passwords and am
> not sure if that is part of the problem or not.
>
> Re step 2 in NTDOMAIN.txt: How exactly does one add this line? I had to
> add a line for a user that was in the password file, and then edit the
> name. Here is the current setup:

thank you for reminding me: i need to do this programmatically. (any
entries with $ on the end are workstations, not users).

> Two machines on same segment, one named INFINITY (the server) the other
> is CONSOLE. INFINITY is serving domain/workgroup "AFSDOMAIN".
>
> Here is what is in smbpasswd:
> CONSOLE$:0:0D20A4E2B0D8BEC1AAD3B435B51404EE:\
> 222B9139F2847B86F75B601845D5A045:blah:/:/bin/bash
>
> Step 6-7 seemed to work ok once I got that entry added to the smbpasswd file.
>
> Step 8 though did not. When I attempt to actually log into the domain it
> says something along the lines of "Cannot log you in. Domain not available."

you'll need to do encrypted passwords for your users. what version of
unix are you using? have you looked into PAMs? (plug-in authentication
modules)

luke