[Samba] PAM, PDC and Winbind

Diego Rivera lrivera at racsa.co.cr
Sun Dec 15 21:01:04 GMT 2002


Hello all,

I currently have the following setup working nicely:

A Samba PDC, with LDAP-SAM, syncs passwords between LDAP and Samba (and
/etc/shadow when appropriate) correctly - either when changing them
through Samba (samba has PAM support enabled and working) or through
normal Unix mechanisms (/usr/bin/passwd, using pam_smbpass, pam_ldap,
etc.).

Several other Linux machines, running Samba, using winbind/pam_winbind
(NOT nss_winbind), and nss_ldap to authenticate against the PDC.

Using pam_winbind to sync passwords allows me to exploit the fact that
the Samba processes in the PDC do sync the LDAP and Samba passwords
for me.  Avoiding nss_winbind allows me to conserve the userids stored
in LDAP and reuse them throughout the network, without suffering from
the winbind limitation of the "first-come, first-served" userid
assignment.  Windows machines do not, of course, suffer from this.

Basically, Samba is just the auth/password change mechanism for my
client machines (local unix passwords are also affected when
appropriate).

My dilemma is with my PDC's configuration: I currently use pam_smbpass
to do the synching of Samba passwords when the password change occurs
external to Samba.  I don't particularly like this - I'd rather use
something like pam_winbind to do my password changes *through* samba as
opposed to parallel to it.

However, I've had no success in getting winbind to do this while running
on the PDC (although I could join the machine to its own domain - some
trickery there; and get wbinfo to display the correct list of users and
groups - which means that winbind is attaching itself to the PDC
correctly).  It won't, however, do password authentication and changes
correctly.

Any ideas? Advice?

I had run into pam_smb (pam_domain? pam_ntdom?) earlier, which
supposedly could do this for me, but IIRC it wasn't being maintained,
and it was pretty buggy.

Best

Diego

PS/ If you want a copy of my configs, let me know and I'll e-mail them to
you directly.
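For readers who want to see the two arrangements the post contrasts side by side, here is an added illustration (not Diego's actual configs, which he offers by e-mail): a client PAM stack that changes passwords through winbind while keeping identity lookups in LDAP, and the PDC-side pam_smbpass stack that does the sync in parallel to Samba. File names and control flags follow a Red Hat-style pam.d layout and are assumptions.

```text
# --- Client machine: /etc/pam.d/system-auth (assumed file name) ---
# Authentication and password changes go *through* Samba: pam_winbind
# talks to winbindd, which forwards the request to the PDC. The PDC's own
# Samba then keeps LDAP-SAM (and, where configured, the Unix password) in sync.
auth      sufficient  pam_winbind.so
auth      required    pam_unix.so use_first_pass nullok
account   sufficient  pam_winbind.so
account   required    pam_unix.so
password  sufficient  pam_winbind.so
password  required    pam_unix.so use_authtok nullok md5 shadow

# --- Client machine: /etc/nsswitch.conf ---
# No "winbind" source here: uids/gids come from nss_ldap, so every host sees
# the identifiers stored in LDAP instead of winbind's first-come, first-served
# allocation.
passwd:   files ldap
group:    files ldap
shadow:   files ldap

# --- PDC: /etc/pam.d/system-auth, password section (the setup the post wants
# to replace) ---
# pam_smbpass runs *parallel* to Samba: when passwd(1) changes the Unix
# password, the module writes the Samba password itself rather than asking
# smbd/winbindd to do it.
password  required    pam_unix.so use_authtok nullok md5 shadow
password  required    pam_smbpass.so use_authtok
```

On the clients the `use_authtok` on pam_unix is what makes the password entered once for pam_winbind also reach the local Unix account, which matches the "local unix passwords are also affected when appropriate" behaviour described above.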
