NT Domain logon

Luke Kenneth Casson Leighton lkcl at switchboard.net
Thu Oct 30 23:31:35 GMT 1997


On Fri, 31 Oct 1997, Nathan Neulinger wrote:

> First, a couple of questions - are encrypted passwords absolutely necessary?

the only way is to find out if the SAM database can support clear-text 
passwords or not.  we're mirroring SAM databases, which are based on 
encrypted passwords.

effectively what we are implementing is NT's "Local Security Authority"
SAM Service - LSASS.EXE.

if you can get hold of an alternative login system, for example Novell's 
Local Security Authority, and ask them to provide full documentation on 
their over-the-wire protocol, then we will implement this.

if you can get hold of information from microsoft on how to implement a
"Local Security Authority" (this is _used_ by a GINA and is _not_ a GINA
itself: a GINA is the graphical interface that communicates with an
LSA...), then i will implement one that does Kerberos, and a corresponding 
GINA that uses it, and i will also put it into samba.

if you know of a company that has already implemented a Kerberos LSA and 
its corresponding GINA, then please contact them and ask them if they 
would like samba support for it.


> The reason is, NT DOMAIN support in samba is only going to be useful to 
> me if I can continue to tie the authentication into our central 
> AFS/Kerberos server. 
> 
> I have tried to do the setup without going to encrypted passwords and am 
> not sure if that is part of the problem or not.
> 
> Re step 2 in NTDOMAIN.txt: How exactly does one add this line? I had to 
> add a line for a user that was in the password file, and then edit the 
> name. Here is the current setup:

thank you for reminding me: i need to do this programmatically.  (any 
entries with $ on the end are workstations, not users).
  
> Two machines on same segment, one named INFINITY (the server) the other 
> is CONSOLE. INFINITY is serving domain/workgroup "AFSDOMAIN". 
> 
> Here is what is in smbpasswd:
> CONSOLE$:0:0D20A4E2B0D8BEC1AAD3B435B51404EE:\
>         222B9139F2847B86F75B601845D5A045:blah:/:/bin/bash
> 
> Step 6-7 seemed to work ok once I got that entry added to the smbpasswd file.
> 
> Step 8 though did not. When I attempt to actually log into the domain it 
> says something along the lines of "Cannot log you in. Domain not available."

you'll need to do encrypted passwords for your users.  what version of 
unix are you using?  have you looked into PAMs?  (plug-in authentication 
modules)

luke
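
Added example (not part of the original message and not samba code): a small audit of smbpasswd-style entries that separates workstation accounts (trailing $) from users and reports which entries actually carry encrypted hashes. The field layout is assumed from the entry quoted above; the function names and the second sample entry are constructed for illustration.

```python
import re

# LM hash half produced by an empty 7-byte block: when the second half of an
# LM hash equals this, the password was at most 7 characters long.
LM_EMPTY_HALF = "AAD3B435B51404EE"
HEX32 = re.compile(r"[0-9A-Fa-f]{32}")

def join_continuations(text):
    """Merge backslash-continued lines; skip blanks and # comments."""
    entries, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        buf += line
        if buf and not buf.startswith("#"):
            entries.append(buf)
        buf = ""
    return entries

def parse_entry(line):
    """Parse name:uid:LM:NT:... (layout assumed from the quoted entry)."""
    fields = line.split(":")
    if len(fields) < 4 or not fields[1].isdigit():
        raise ValueError("malformed smbpasswd entry: %r" % line)
    name, uid, lm, nt = fields[:4]
    has_lm = HEX32.fullmatch(lm) is not None
    has_nt = HEX32.fullmatch(nt) is not None
    return {
        "name": name,
        "uid": int(uid),
        "workstation": name.endswith("$"),   # trailing $ marks a machine account
        "encrypted": has_lm and has_nt,      # both hashes present
        "short_password": has_lm and lm[16:].upper() == LM_EMPTY_HALF,
    }

def audit(text):
    return [parse_entry(line) for line in join_continuations(text)]

# First entry is the one quoted in the message; the second is constructed,
# with X placeholders standing in for "no encrypted hashes set".
SAMPLE = """\
CONSOLE$:0:0D20A4E2B0D8BEC1AAD3B435B51404EE:\\
        222B9139F2847B86F75B601845D5A045:blah:/:/bin/bash
alice:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:Alice:/home/alice:/bin/sh
"""

if __name__ == "__main__":
    for e in audit(SAMPLE):
        print(e)
```

User entries reported with `encrypted` false are the ones that still need encrypted passwords set before a domain logon can be checked against them.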

