[Samba] PAM, PDC and Winbind
abartlet at samba.org
Tue Dec 31 22:28:01 GMT 2002
On Mon, 2002-12-16 at 07:56, Diego Rivera wrote:
> Hello all,
> I currently have the following setup working nicely:
> A Samba PDC, with LDAP-SAM, syncs passwords between LDAP and Samba (and
> /etc/shadow when appropriate) correctly - either when changing them
> through Samba (samba has PAM support enabled and working) or through
> normal Unix mechanisms (/usr/bin/passwd, using pam_smbpass, pam_ldap,
> Several other Linux machines, running Samba, using winbind/pam_winbind
> (NOT nss_winbind), and nss_ldap to authenticate against the PDC.
> Using pam_winbind to sync passwords allows me to exploit the fact that
> the Samba processes in the PDC do sync the LDAP and Samba passwords
> for me. Avoiding nss_winbind allows me to conserve the userids stored
> in LDAP and reuse them throughout the network, without suffering from
> the winbind limitation of the "first-come, first-served" userid
> assignment. Windows machines do not, of course, suffer from this.
> Basically, Samba is just the auth/password change mechanism for my
> client machines (local unix passwords are also affected when
> My dilemma is with my PDC's configuration: I currently use pam_smbpass
> to do the syncing of Samba passwords when the password change occurs
> external to Samba. I don't particularly like this - I'd rather use
> something like pam_winbind to do my password changes *through* Samba as
> opposed to parallel to it.
> However, I've had no success in getting winbind to do this while running
> on the PDC (although I could join the machine to its own domain - some
> trickery there; and get wbinfo to display the correct list of users and
> groups - which means that winbind is attaching itself to the PDC
> correctly). It won't, however, do password authentication and changes
> Any ideas? Advice?
Yes, this all works - I use exactly this setup. What you need to do is
set 'winbind use default domain', so that pam_winbind uses the 'right'
usernames etc. (i.e., they don't need a domain\ prefix).
This requires Samba 3.0 to operate correctly - the 2.2 implementation is
an artifact of a code merge, and is not complete. Also look at the 'ldap
password change' option in 3.0 - it might work better than the 'unix
password sync' stuff.
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
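As an added illustration, not part of the thread, here is a Samba 3.0 smb.conf fragment that puts the options Andrew points to together for an LDAP-SAM PDC that runs winbind against itself. The domain name, LDAP host, suffix and admin DN are placeholders, and 'ldap passwd sync' is assumed to be the 3.0 option he refers to as 'ldap password change'.

```ini
[global]
   workgroup = EXAMPLEDOM              ; placeholder domain name
   security = user
   domain logons = yes
   domain master = yes

   ; LDAP SAM backend (host, suffix and admin DN are placeholders)
   passdb backend = ldapsam:ldap://ldap.example.internal
   ldap suffix = dc=example,dc=internal
   ldap admin dn = cn=Manager,dc=example,dc=internal

   ; Samba 3.0: smbd updates the LDAP userPassword itself on a Samba
   ; password change, so the passwd/PAM round trip of 'unix password
   ; sync' is not needed for LDAP-held accounts
   ldap passwd sync = yes
   unix password sync = no

   ; Without this, pam_winbind on the PDC expects EXAMPLEDOM\user names,
   ; which never match the plain usernames that nss_ldap hands out;
   ; with it, pam_winbind accepts the bare username
   winbind use default domain = yes
```

After restarting smbd and winbindd, 'wbinfo -u' should list bare usernames (no domain prefix), which is the quickest check that the setting took effect.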