Winbind + NIS

Markus Amersdorfer markus.amersdorfer at aon.at
Thu Dec 27 11:12:04 GMT 2001


On Fri, 21 Dec 2001 13:27:13 -0300
"Rafael" <rafiros at posgrad.nce.ufrj.br> wrote:

>     I'm trying to integrate a linux-network with an Nt-network. My PDC
>     is Nt, so i got a linuxbox running samba+winbind and it's
>     running perfectly. Now i got another linuxbox and installed a nis
>     client and put the nis server on the samba server, only the
>     nis client doesn't see the Nt users. My question is: Is there a
>     way that i can get my nis client to see the Nt users (via nis or
>     any other way)?

i basically have the same situation: an nt-pdc with a windows-network and a
few linux machines which shall also use the pdc to authenticate the
users. furthermore, i'm searching for a solution with as few
non-*nix-native changes to the linux-clients as possible.

your scenario from above will not work because of the way nis does its
job: correct me if i'm wrong (just had it explained to me lately...),
but nis builds its database per command ('make'-like) from some files.
you can initially use passwd for this (... but i don't know if it uses
"getent", in which case you could use winbind on the nis-server-machine,
or if it just reads the file itself, in which case winbind would be
useless and nis would have no direct access to the user-db on the pdc).
anyway, nis can't know the users' passwords, which are stored encrypted
on the pdc. as nis generally just sends a passwd-file (with unix-hashed
passwords in it) to the nis-client trying to authenticate a user, how
could it get the unix-hash of the user's password stored encrypted on
the pdc? it can't ... :(

the options left are:

1)
installing winbind or similar on every linux-client which shall have
access to the pdc's user-db. the important disadvantage is that (for
now) winbind can't guarantee that a user gets the same unique UID on
each linux-client. this will definitely lead to problems if you also
want to use nfs to share directories across the network (which is what i
need at least ...).

2)
i haven't tried it yet, but am going to do so soon:
have pwdump (from the samba-package) dump the pdc's user-db regularly (e.g.
every 5 minutes) on the nis-server. have a shell-script convert this
dump into a normal nis-database. do some consistency checks (has a user
been deleted? etc...). this nis-db now holds all users, but no
passwords. install the linux-clients as nis-clients. when somebody tries
to log on, the nis-client requests the passwd and therefore knows the
user exists. in order to be able to use the pdc's password, use pam_smb
to validate the user's one against the pdc's one. the user has now logged
in successfully, and - which is important - has the same UID regardless of
which linux-client he logs in to. this means, his home-dir can now be
mounted via nfs.

i haven't validated this to work yet, but i think it should, ... at
least, i really really hope so :).

if somebody knows another way to solve this scenario, i'd be really glad
to hear about it!

good luck,
max

-- 
Sometimes I think the surest sign for intelligent life elsewhere in
the universe is that none of them ever tried to contact us.
                              < Calvin & Hobbes by Bill Watterson >
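
Option 2 from the message above, as an added example that is not part of
the original post and not Samba's own code: a POSIX shell script that turns
the pwdump output into a NIS passwd source. It keeps the two properties the
post needs. UIDs stay stable: a user already present in the previous passwd
source keeps that UID, and a new user gets a deterministic UID derived from
the PDC's numeric id (assumed scheme: UID_BASE + id). The dump's LM/NT
hashes never reach the NIS map: the password field is "*", so NIS only
tells the client that the user exists and pam_smb does the password check
against the PDC. Assumed, because the post does not spell it out: dump lines
have the "username:id:LMHASH:NTHASH:..." layout that pwdump and smbpasswd
use, home directories live under /home on the NFS server, and group, shell
and UID base are the defaults set at the top of the script. The sample dump
and previous passwd file are constructed, with the well-known hashes of an
empty password as placeholders. One caveat the script cannot fix: the dump
file holds password-equivalent hashes (the NT hash alone lets an attacker
authenticate as the user, no cracking needed), so keep it mode 0600 on the
NIS server and remove it after each conversion.

```shell
#!/bin/sh
# Added example, not from the original post or from Samba: convert a
# pwdump-style dump of the NT PDC's accounts into a NIS passwd source that
# has stable UIDs and no password hashes, and report users that disappeared.
#
# Assumptions (the post does not state them):
#  - dump lines look like  username:id:LMHASH:NTHASH:::  (name, numeric id,
#    LM hash, NT hash), the layout pwdump and smbpasswd use;
#  - a user already in the previous passwd source keeps that UID; a new user
#    gets UID_BASE + id, so the same account maps to the same UID on every
#    run and therefore on every NIS client (what NFS home dirs need);
#  - home dirs are /home/<user>; group and shell are the defaults below.
# The dump holds password-equivalent hashes: keep it 0600 on the NIS server
# and never let it into a NIS map.

UID_BASE=${UID_BASE:-10000}
NT_GID=${NT_GID:-100}
NT_SHELL=${NT_SHELL:-/bin/bash}

# convert_dump DUMP OLD_PASSWD
#   stdout: the new passwd source; the password field is "*" so NIS only
#           says the user exists, pam_smb checks the password at the PDC
#   stderr: "removed: <user>" for users gone from the PDC, and UID clashes
convert_dump() {
    old=$2
    [ -f "$old" ] || old=/dev/null        # first run: no previous source
    awk -F: -v base="$UID_BASE" -v gid="$NT_GID" -v sh="$NT_SHELL" -v old="$old" '
        # first file = previous passwd source: remember the UID of each user
        FILENAME == old {
            if (NF >= 3 && $1 != "" && $3 ~ /^[0-9]+$/) { olduid[$1] = $3; seen[$1] = 0 }
            next
        }
        # second file = the dump: skip comments, blanks and malformed lines
        /^#/ || NF < 4 || $1 == "" || $2 !~ /^[0-9]+$/ { next }
        {
            name = $1
            if (name in emitted) next              # duplicate entry in the dump
            if (name in olduid) { uid = olduid[name]; seen[name] = 1 }
            else                { uid = base + $2 }
            if (uid in owner) {                    # never hand two users one UID
                printf "uid clash: %s and %s both map to %d\n", owner[uid], name, uid > "/dev/stderr"
                next
            }
            owner[uid] = name; emitted[name] = 1
            printf "%s:*:%d:%d:NT user %s:/home/%s:%s\n", name, uid, gid, name, name, sh
        }
        END { for (n in seen) if (!seen[n]) print "removed: " n > "/dev/stderr" }
    ' "$old" "$1"
}

# Constructed sample data (not real accounts) written into directory $1:
# a dump from the PDC and the passwd source produced by the previous run.
# The hashes are the well-known values for an empty password.
write_sample() {
    printf '%s\n' \
        '# pwdump of the PDC, constructed for this example' \
        'Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::' \
        'rafael:1001:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::' \
        'max:1002:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::' \
        'garbage line without fields' > "$1/pdc.dump"
    # previous run: rafael keeps 11001, max was hand-assigned 20002, and
    # olduser has since been deleted on the PDC
    printf '%s\n' \
        'rafael:*:11001:100:NT user rafael:/home/rafael:/bin/bash' \
        'olduser:*:11050:100:NT user olduser:/home/olduser:/bin/bash' \
        'max:*:20002:100:NT user max:/home/max:/bin/bash' > "$1/passwd.old"
}

# Stand-alone demo: build the sample files in a temp dir and run the conversion.
demo() {
    d=$(mktemp -d) || return 1
    write_sample "$d"
    convert_dump "$d/pdc.dump" "$d/passwd.old"
    rm -rf "$d"
}
demo
```

The consistency check the post asks for is the stderr report: users that
vanished from the PDC are listed, and a UID clash drops the offending entry
rather than silently renumbering it, so a person decides what to do with the
home directory. To feed NIS, write stdout to whatever file your NIS Makefile
(normally /var/yp/Makefile) reads as its passwd source and run make there;
a cron entry every 5 minutes, as the post suggests, does the rest. What
remains is the pam_smb setup on the clients, which the post leaves to the
reader.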
