[Samba] PAM, PDC and Winbind

Andrew Bartlett abartlet at samba.org
Tue Dec 31 22:28:01 GMT 2002

On Mon, 2002-12-16 at 07:56, Diego Rivera wrote:
> Hello all,
> I currently have the following setup working nicely:
> A Samba PDC, with LDAP-SAM, syncs passwords between LDAP and Samba (and
> /etc/shadow when appropriate) correctly - either when changing them
> through Samba (samba has PAM support enabled and working) or through
> normal Unix mechanisms (/usr/bin/passwd, using pam_smbpass, pam_ldap,
> etc.).
> Several other Linux machines, running Samba, using winbind/pam_winbind
> (NOT nss_winbind), and nss_ldap to authenticate against the PDC.
> Using pam_winbind to sync passwords allows me to exploit the fact that
> the Samba processes in the PDC do sync the LDAP and Samba passwords
> for me.  Avoiding nss_winbind allows me to conserve the userid's stored
> in LDAP and reuse them throughout the network, without suffering from
> the winbind limitation of the "first-come, first-served" userid
> assignment.  Windows machines do not, of course, suffer from this.
> Basically, Samba is just the auth/password change mechanism for my
> client machines (local unix passwords are also affected when
> appropriate).
> My dilemma is with my PDC's configuration: I currently use pam_smbpass
> to do the synching of Samba passwords when the password change occurs
> external to Samba.  I don't particularly like this - I'd rather use
> something like pam_winbind to do my password changes *through* samba as
> opposed to parallel to it.
> However, I've had no success in getting winbind to do this while running
> on the PDC (although I could join the machine to its own domain - some
> trickery there; and get wbinfo to display the correct list of users and
> groups - which means that winbind is attaching itself to the PDC
> correctly).  It won't, however, do password authentication and changes
> correctly.
> Any ideas? Advice? 

Yes, this all works - I use exactly this setup.  What you need to do is
set 'winbind use default domain', so that pam_winbind uses the 'right'
usernames etc.  (ie, they don't need a domain\ prefix)

This requires Samba 3.0 to operate correctly - the 2.2 implementation is
an artifact of a code merge, and is not complete.  Also look at the 'ldap
password change' option in 3.0 - it might work better than 'unix
password sync' stuff.

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
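As an added illustration (not part of Andrew's message and not taken from the Samba project's own documentation), the smb.conf fragment below shows what the PDC side of the setup discussed above looks like on Samba 3.0: 'winbind use default domain' as recommended, with the LDAP password-sync option in place of the 'unix password sync' / passwd-program route. The option name 'ldap passwd sync', the workgroup, the LDAP suffix and admin DN, and the idmap ranges are assumptions chosen for the example; check each against the smb.conf(5) page of the Samba version actually installed.

```ini
# Added example smb.conf for a Samba 3.0 PDC with ldapsam and winbind.
# All names, DNs and ranges are hypothetical values for illustration.
[global]
    workgroup = EXAMPLE
    netbios name = PDC
    security = user
    domain logons = yes
    domain master = yes
    local master = yes
    preferred master = yes
    os level = 65

    # LDAP-backed SAM (suffix and admin DN are assumptions)
    passdb backend = ldapsam:ldap://localhost
    ldap suffix = dc=example,dc=com
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap admin dn = cn=admin,dc=example,dc=com
    ldap ssl = start tls

    # Let Samba write the new password to the LDAP entry itself
    # instead of invoking an external passwd program on every change
    # (so 'unix password sync' / 'passwd program' are not needed).
    # Option name as understood for Samba 3.0; verify in smb.conf(5).
    ldap passwd sync = yes
    unix password sync = no

    # winbind on the PDC itself: with this set, pam_winbind sees bare
    # usernames rather than EXAMPLE\user, so they match the accounts
    # that nss_ldap already resolves.
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes

    # uid/gid allocation is NOT used here (nss_winbind is deliberately
    # left out of nsswitch.conf), but winbindd still expects ranges.
    idmap uid = 10000-20000
    idmap gid = 10000-20000
```

With this in place the machine is joined to its own domain as before, and 'wbinfo -u' should list the LDAP users by bare name. To route passwd(1) through winbind rather than pam_smbpass, the password stack of the relevant PAM service gets a line such as 'password sufficient pam_winbind.so' (an assumed fragment; the exact service file and control flags depend on the distribution), and a change can then be checked end to end with 'wbinfo -a user%newpassword'.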