Samba/HP-UX question.

MCCALL,DON (HP-USA,ex1) don_mccall at hp.com
Thu Jan 17 08:26:17 GMT 2002


Hi Eric,
Some thoughts below,
hope it helps,
Don

-----Original Message-----
From: Ladner, Eric (Eric.Ladner) [mailto:Eric.Ladner at chevrontexaco.com]
Sent: Wednesday, January 16, 2002 4:43 PM
To: 'samba at lists.samba.org'
Subject: Samba/HP-UX question.



Couple of questions.. I've poked around the web a bit and the Samba
documentation and haven't really found a good answer.

Given an HP-UX 11.0 system and the latest 2.X Samba distro, here's what I'm
trying to do:

Use Samba (possibly with winbind?) functionality to allow authentication via
a NT PDC.
^^^^^^The latest 2.2 CVS has support for building samba --with-pam and
--with-winbind on HP-UX 11.0.

The problem I'm having visualizing is how that authentication happens.  At
the system level, all of these things go through getpwent (or the
secure/shadow version of that call).  How exactly can that call be hijacked
by Samba and redirected to an NT domain for authentication?  

^^^^^^getpwent does not actually do any AUTHENTICATION.  All it does
is search the various databases it is directed to via /etc/nsswitch.conf for
entries, and the program then compares its username until it finds an entry
that matches.
Part of the entry that matches (depending on whether you are on a 'secure'
system with shadow passwords or not) will be the one-way encrypted password
for that entry, and it would be up to the program to take the cleartext
password for that user that was passed into the program and use the same
one-way encryption algorithm (generally crypt() or bigcrypt()) to encrypt it
and compare the two.  This is assuming NOT using PAM.

The basic problem is that we have an application (call it X) that requires a
LOT of users and consequently a LOT of password changes, corporate IT
password standards that the application doesn't support, etc.. It's messy.  

What we'd like to see is that the username/password that the user types in
to the application interface is authenticated via a PDC rather than the
/etc/passwd file.  

This application does NOT use PAM.  This I think has been my roadblock up to
now.  

Does the getpwent code have flexibility?  I.e. can something be put in
resolv.conf to allow for alternate resolution for passwords?  Did I miss a
document somewhere?
^^^^if you use winbind, and set up /etc/nsswitch.conf so that it uses 
files (ie /etc/passwd) AND winbind, then a getpwent request would be able to
return a domain/username entry from your NT domain controller, but since NT
does not send passwords across the wire (not even encrypted passwords), but
instead uses a challenge/response method to validate users/passwords, there
will be no 'password' field returned for you to check.  So your program
would HAVE to be modified to use pam_authenticate() to actually do the
validation, or if you didn't want to do that, you could, as Andrew
suggested, hack around and try to interface directly to the winbindd daemon
itself to get the authentication done...


Sorry for the rambling email, but I'm not sure where to start at the moment.

Thanks,

Eric Ladner
ChevronTexaco

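The two authentication paths Don describes, modelled as an added example (this is not code from the thread, from Samba, or from HP-UX). The nsswitch order, the user accounts, the `$stub$` hash format standing in for crypt()/bigcrypt(), the `DomainController` class and its HMAC-SHA256 challenge/response standing in for the NT exchange, and the `winbindd_authenticate` helper standing in for pam_authenticate()/winbindd are all constructed for illustration and are not the real algorithms or APIs. What the model shows is the point of the reply: a getpwnam()-style lookup returns an entry, not a yes/no; for a `files` entry the program can recompute the hash and compare, but a `winbind` entry carries `*` in the password field, so a hash compare can never succeed for it and the program has to hand the cleartext to something that can run the challenge/response against the domain controller.

```python
"""Model of getpwnam()-then-compare versus challenge/response authentication.
Added example; every user, hash, and the 'wire' protocol here is constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class PasswdEntry:
    """One getpwnam(3)-style result: name, password field, and the nsswitch source."""
    pw_name: str
    pw_passwd: str   # crypt-style hash for 'files'; '*' for winbind entries
    source: str


def crypt_stub(password: str, setting: str) -> str:
    """Stand-in for crypt(3)/bigcrypt(): salted and deterministic, with the same
    calling convention (the stored hash doubles as the 'setting'), but NOT the
    real algorithm.  Format: $stub$<salt>$<hex>."""
    parts = setting.split("$")
    if len(parts) < 3 or parts[1] != "stub":
        raise ValueError("not a $stub$ setting")
    salt = parts[2]
    digest = hashlib.sha256((salt + "\0" + password).encode()).hexdigest()
    return f"$stub${salt}${digest}"


# Constructed 'files' source (passwd + shadow merged): eric's password is "hunter2".
FILES: Dict[str, PasswdEntry] = {
    "eric": PasswdEntry("eric", crypt_stub("hunter2", "$stub$k7Qz$"), "files"),
}
# Constructed 'winbind' source: the DC never hands out a hash, so the field is '*'.
WINBIND: Dict[str, PasswdEntry] = {
    "CORP\\eric": PasswdEntry("CORP\\eric", "*", "winbind"),
}
NSSWITCH_PASSWD = ["files", "winbind"]          # passwd: files winbind
SOURCES = {"files": FILES, "winbind": WINBIND}


def getpwnam(name: str) -> Optional[PasswdEntry]:
    """Model of getpwnam(): walk the sources in nsswitch order.  No authentication."""
    for src in NSSWITCH_PASSWD:
        entry = SOURCES[src].get(name)
        if entry is not None:
            return entry
    return None


# Password-field values that are markers, not hashes; none of them may ever "match".
NOT_A_HASH = {"", "*", "!", "x", "!!", "*NP*"}


def verify_local(entry: PasswdEntry, password: str) -> bool:
    """Non-PAM path: recompute with the stored salt and compare in constant time."""
    if entry.pw_passwd in NOT_A_HASH:
        return False
    try:
        candidate = crypt_stub(password, entry.pw_passwd)
    except ValueError:
        return False
    return hmac.compare_digest(candidate, entry.pw_passwd)


class DomainController:
    """Stand-in for the NT PDC: holds a password-derived key per account and checks
    challenge/response.  The cleartext never crosses the 'wire'."""

    def __init__(self, accounts: Dict[str, str]):
        self._keys = {u: self.derive(p) for u, p in accounts.items()}

    @staticmethod
    def derive(password: str) -> bytes:
        return hashlib.sha256(password.encode()).digest()   # not the NT hash

    def challenge(self) -> bytes:
        return os.urandom(8)

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        key = self._keys.get(user)
        if key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password: str, challenge: bytes) -> bytes:
    """What the authenticating side sends back: a MAC over the challenge."""
    return hmac.new(DomainController.derive(password), challenge, hashlib.sha256).digest()


PDC = DomainController({"eric": "hunter2"})     # constructed domain account


def winbindd_authenticate(entry: PasswdEntry, password: str) -> bool:
    """Stand-in for pam_authenticate()/winbindd doing the exchange for the app."""
    _domain, _, user = entry.pw_name.partition("\\")
    chal = PDC.challenge()
    return PDC.verify(user, chal, client_response(password, chal))


def authenticate(name: str, password: str) -> bool:
    """The application's check: lookup first, then the path the source requires."""
    entry = getpwnam(name)
    if entry is None:
        return False
    if entry.source == "files":
        return verify_local(entry, password)
    return winbindd_authenticate(entry, password)
```

The `NOT_A_HASH` guard is the part worth carrying into real code: a program that feeds `*` (or an empty field) straight into crypt() and string-compares the result is relying on crypt() failing gracefully, and an empty field would otherwise let an empty password through.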

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
