David Collier-Brown - Sun Canada davecb at
Wed Apr 12 14:42:58 GMT 2000

Petri Rautanen wrote:
| I have 20 Solaris 2.6-servers with NIS+ in different cities and countries
| and a lot of NT4 servers in different domains and I use samba with nis+
| support on the Solaris-environment to let the NT-users access their
| unix-home-directories. 

	That's a decent, scalable approach. 
| The NT-clients has to send their passwords in "clear-text" to access their
| directories. I would like them to send their password encrypted and 
| validate them against their NT-account so that they don't have to type 
| in their unix-password when they access the directory in Unix from NT. 

	I wouldn't consider doing that if you've already got
	them interoperating: it's a long and winding path to NT
	nirvana, and it removes the option of single sign-on...

	If it isn't broken, don't fix it!
	Plain-text passwords are (i) a security issue and (ii) a
	nuisance issue.  You deal with them the same way as you
	deal with plaintext passwords in Unix.
	i) make sure the link between your sites is encrypted or
	   private.  Every packet you send is in plain text: encrypted
	   passwords encrypts **only** the passwords, not the data.
        ii) Give each user (or site sysadmin) a "rescue" floppy
	   with the .reg files on it. Users will forget, but when
	   you remind them, they'll have the files handy.
	   Also, create a [help] share with public = yes,
	   and put a copy of the .reg files and a RUN_ME.BAT
	   file there.
	   Finally, give each user a startup file that sets the
	   registry flags: then all they have to do is connect to
	   [help] and they'll get the flags set automagically (;-))
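
	An smb.conf fragment for the [help] share described in (ii), as an
	added example and not something from the original post or from the
	Samba project itself. The workgroup name and the path are assumptions;
	the option names (public, read only, browseable, encrypt passwords)
	are real smb.conf parameters. The .reg files to drop into that
	directory are the NT4_PlainPassword.reg / Win95_PlainPassword.reg
	style files that Samba distributes under docs/Registry in its source
	tree.

```ini
# Added example, not from the original post. Assumed values:
# workgroup EXAMPLEDOM and path /export/samba/help.
[global]
   workgroup = EXAMPLEDOM
   # The site in the post keeps plaintext SMB passwords so that NIS+
   # (not the PDC) remains the authority; the [help] share exists to
   # hand users the registry fix that re-enables plaintext on NT/Win9x.
   encrypt passwords = no

[help]
   comment = Registry files that re-enable plaintext SMB passwords
   path = /export/samba/help
   # public = yes is the synonym for guest ok = yes: a user who cannot
   # log in yet can still reach this share to fetch the .reg files.
   public = yes
   # Nobody should be able to modify the .reg files or RUN_ME.BAT,
   # since every client at the site will import them blindly.
   read only = yes
   browseable = yes
```

	Keep the share read only and owned by root on the Unix side: a
	world-writable [help] share would let any guest replace RUN_ME.BAT,
	which every client at the site then executes.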

| Is it security=domain I should use? 
	Not if nis+ works...
| And does it work with NIS+?
	Not at all

| And must security=Domain (password server=<PDC>) check against the PDC only?
	No, it checks against PDCs and BDCs, which you should have
	locally, as the WAN traffic Would Be Bad, as a recent letter
	pointed out.
--dave (who has a distinct Unix bias) c-b
[I haven't tested (ii)a and (ii)b together: your mileage may vary]
David Collier-Brown in Boston
Phone: (781) 442-0734, Room BUR03-3632
