[Samba] PAM, PDC and Winbind

Andrew Bartlett abartlet at samba.org
Tue Dec 31 22:28:01 GMT 2002


On Mon, 2002-12-16 at 07:56, Diego Rivera wrote:
> Hello all,
> 
> I currently have the following setup working nicely:
> 
> A Samba PDC, with LDAP-SAM, syncs passwords between LDAP and Samba (and
> /etc/shadow when appropriate) correctly - either when changing them
> through Samba (samba has PAM support enabled and working) or through
> normal Unix mechanisms (/usr/bin/passwd, using pam_smbpass, pam_ldap,
> etc.).
> 
> Several other Linux machines, running Samba, using winbind/pam_winbind
> (NOT nss_winbind), and nss_ldap to authenticate against the PDC.
> 
> Using pam_winbind to sync passwords allows me to exploit the fact that
> the Samba processes in the PDC do sync the LDAP and Samba passwords
> for me.  Avoiding nss_winbind allows me to conserve the userids stored
> in LDAP and reuse them throughout the network, without suffering from
> the winbind limitation of the "first-come, first-served" userid
> assignment.  Windows machines do not, of course, suffer from this.
> 
> Basically, Samba is just the auth/password change mechanism for my
> client machines (local unix passwords are also affected when
> appropriate).
> 
> My dilemma is with my PDC's configuration: I currently use pam_smbpass
> to do the synching of Samba passwords when the password change occurs
> external to Samba.  I don't particularly like this - I'd rather use
> something like pam_winbind to do my password changes *through* samba as
> opposed to parallel to it.
> 
> However, I've had no success in getting winbind to do this while running
> on the PDC (although I could join the machine to its own domain - some
> trickery there; and get wbinfo to display the correct list of users and
> groups - which means that winbind is attaching itself to the PDC
> correctly).  It won't, however, do password authentication and changes
> correctly.
> 
> Any ideas? Advice?

Yes, this all works - I use exactly this setup.  What you need to do is
set 'winbind use default domain', so that pam_winbind uses the 'right'
usernames etc.  (i.e., they don't need a domain\ prefix)

This requires Samba 3.0 to operate correctly - the 2.2 implementation is
an artifact of a code merge, and is not complete.  Also look at the 'ldap
password change' option in 3.0 - it might work better than 'unix
password sync' stuff.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
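A sketch of the PDC-side configuration the reply describes, added here as an illustration and not taken from the thread or from the Samba project's own examples. The domain name, LDAP suffix, admin DN and idmap ranges are placeholders; `ldap passwd sync` is assumed to be the Samba 3.0 parameter the reply refers to as 'ldap password change'.

```ini
; smb.conf on the PDC (Samba 3.0 syntax; values below are placeholders)
[global]
   workgroup = EXAMPLE
   security = user
   domain logons = yes
   domain master = yes
   ; LDAP-backed SAM, as in the original poster's setup
   passdb backend = ldapsam:ldap://localhost
   ldap suffix = dc=example,dc=com
   ldap admin dn = cn=Manager,dc=example,dc=com
   ; let Samba update the LDAP (posix) password itself instead of
   ; calling an external passwd program via 'unix password sync'
   ldap passwd sync = yes
   ; the setting the reply recommends: pam_winbind then accepts plain
   ; "alice" rather than requiring "EXAMPLE\alice"
   winbind use default domain = yes
   ; winbind still needs an idmap range even though NSS comes from
   ; nss_ldap; keep it clear of the uids/gids already assigned in LDAP
   idmap uid = 10000-20000
   idmap gid = 10000-20000

; /etc/pam.d/passwd (or the distribution's shared stack) on the PDC:
; password changes go *through* Samba via pam_winbind, with pam_unix
; as the fallback for purely local accounts
;   auth     sufficient pam_winbind.so
;   auth     required   pam_unix.so use_first_pass
;   password sufficient pam_winbind.so
;   password required   pam_unix.so use_authtok
```

With nss_ldap (not nss_winbind) in /etc/nsswitch.conf, the uids stay the ones stored in LDAP, so the idmap range above is only consumed for accounts winbind cannot resolve any other way.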