[Samba] PAM, PDC and Winbind
lrivera at racsa.co.cr
Sun Dec 15 21:01:04 GMT 2002

I currently have the following setup working nicely:

A Samba PDC, with LDAP-SAM, syncs passwords between LDAP and Samba (and
/etc/shadow when appropriate) correctly - either when changing them
through Samba (Samba has PAM support enabled and working) or through
normal Unix mechanisms (/usr/bin/passwd, using pam_smbpass, pam_ldap,

Several other Linux machines, running Samba, using winbind/pam_winbind
(NOT nss_winbind), and nss_ldap to authenticate against the PDC.

Using pam_winbind to sync passwords allows me to exploit the fact that
the Samba processes in the PDC do sync the LDAP and Samba passwords
for me. Avoiding nss_winbind allows me to conserve the userids stored
in LDAP and reuse them throughout the network, without suffering from
the winbind limitation of the "first-come, first-served" userid
assignment. Windows machines do not, of course, suffer from this.

Basically, Samba is just the auth/password change mechanism for my
client machines (local Unix passwords are also affected when

My dilemma is with my PDC's configuration: I currently use pam_smbpass
to do the synching of Samba passwords when the password change occurs
external to Samba. I don't particularly like this - I'd rather use
something like pam_winbind to do my password changes *through* Samba as
opposed to parallel to it.

However, I've had no success in getting winbind to do this while running
on the PDC (although I could join the machine to its own domain - some
trickery there; and get wbinfo to display the correct list of users and
groups - which means that winbind is attaching itself to the PDC
correctly). It won't, however, do password authentication and changes

Any ideas? Advice?

I had run into pam_smb (pam_domain? pam_ntdom?) earlier, which
supposedly could do this for me, but IIRC it wasn't being maintained,
and it was pretty buggy.

PS/ If you want a copy of my configs, let me know and I'll e-mail them to