[Samba] Samba PDC + Winbind

Diego Rivera lrivera at racsa.co.cr
Sat Jun 22 02:57:02 GMT 2002

Hello all.

First, a little background...

I recently downloaded samba-*-ldap-2.2.5-2mdk , installed on Mandrake
8.2 and got everything working fine.

I have LDAP installed for "single sign-on" support.  I can use LDAP to
authenticate other Linux boxes, and have Samba as a PDC for some Win2000
boxes - all working fine.  Linux users are the same as PDC users, except
for their passwords (obviously).  smbpasswd data has been added to the
appropriate LDAP users (by use of the sambaAccount object class for
LDAP), and tools that allow me to add the necessary attributes (see

It all works fine and dandy except for 3 things:

1) Can't change a Linux password from a Win2000 box (unix password sync
+ pam password change don't work)

2) Can't change a SMB password using the passwd command *CLEANLY* :
although I was able to get it done, I could never get PAM to NOT ask me
the "current password" twice - once for LDAP and once for SMB - except
for root, which does only work with one password.  For example: this is
a typical dump of the passwd command's output run as a regular user: 
The idea is to make password changes as transparent as possible (i.e.,
type your old, type your new, repeat your new, done!).

$ passwd
Enter login(LDAP) password: <current-LDAP/LINUX-password>
<some acceptance message I keep forgetting>
Current SMB password: <current-PDC-password>
Enter new global password: <new-password-for-both-PDC-and-LDAP/LINUX>
Retype new global password:  <new-password-for-both-PDC-and-LDAP/LINUX>
<...some messages indicating success>

PAM is using pam_smbpass.so for PDC passwords, and pam_ldap.so for
LDAP/Linux passwords.

3) I don't like the fact that I had to use pam_smbpass.so in PAM to do
authentication and password changes - this brings up race conditions
between the other Samba machines in the network.  Although this would
work, and would be the "equivalent" of magically synchronizing all the
smbpasswd files in all the Samba installations, it's not a clean
solution, as I'd rather have the PDC do all the authentication and
password updates, and thus eliminate race conditions derived from
multiple Samba servers accessing the same password database.

Which brings me to Winbind...

My choice was to elminate the use of LDAP for authentication, and do
everything through pam_smbpass.  This works fine for all the machines in
the network, except for my discomfort with point 3 above.  By doing
this, I can truly unify logons, albeit some authentication is not
synched (namely, logon to LDAP proper, as it does not use the PDC or PAM
for authentication, instead using the Linux password, which coincides
with the LDAP password - others may also be affected, but I haven't
explored that yet, as I'm still experimenting).

Thus, I have single sign-on by all Linux and Win2000 workstations, and
all "useful" passwords are synchronized satisfactorily (see above for
clarification on "useful").

I next thought of using winbind to do all that pam_smbpass does, such
that authentication and password change would be done through the PDC. 
I have no need to retrieve user lists from winbind as I know that the
PDC is samba, and thus has LDAP somewhere, and thus can use LDAP instead
of winbind through nss_ldap.so (for nsswitch).

But winbind won't work with Samba PDC's.  I get NT_STATUS_PDC_NOT_FOUND
(or something) in the winbind log.

And, finally - the simple question is: does winbind work with Samba
PDC's (as of 2.2.5) and thus I have a configuration issue, or does it
not, and thus I need to seek alternatives.

Any suggestions / success stories are welcome.

On a separate, unrelated note: does anyone know how to "modularize"
LDAP-proper authentication, or if it's even possible? (i.e., logon to
the LDAP server using PAM).

Best wishes, and hoping I didn't confuse anyone with this!

Diego Rivera

More information about the samba mailing list