[Samba] Samba PDC + Winbind

Buchan Milne bgmilne at cae.co.za
Mon Jun 24 03:28:02 GMT 2002


> Message: 20
> From: Diego Rivera <lrivera at racsa.co.cr>
> To: samba at lists.samba.org
> Date: 22 Jun 2002 03:45:32 -0400
> Subject: [Samba] Samba PDC + Winbind
> 
> Hello all.
> 
> First, a little background...
> 
> I recently downloaded samba-*-ldap-2.2.5-2mdk , installed on Mandrake
> 8.2 and got everything working fine.
> 
> I have LDAP installed for "single sign-on" support.  I can use LDAP to
> authenticate other Linux boxes, and have Samba as a PDC for some Win2000
> boxes - all working fine.  Linux users are the same as PDC users, except
> for their passwords (obviously).  smbpasswd data has been added to the
> appropriate LDAP users (by use of the sambaAccount object class for
> LDAP), and tools that allow me to add the necessary attributes (see
> directory_manager).
> 
> It all works fine and dandy except for 3 things:
> 
> 1) Can't change a Linux password from a Win2000 box (unix password sync
> + pam password change don't work)

Then you probably need to try and fix your unix password sync and your 
passwd chat for LDAP. See below.

> 
> 2) Can't change a SMB password using the passwd command *CLEANLY* :
> although I was able to get it done, I could never get PAM to NOT ask me
> the "current password" twice - once for LDAP and once for SMB - except
> for root, which does only work with one password.  For example: this is
> a typical dump of the passwd command's output run as a regular user: 
> The idea is to make password changes as transparent as possible (i.e.,
> type your old, type your new, repeat your new, done!).
> 
> $ passwd
> Enter login(LDAP) password: <current-LDAP/LINUX-password>
> <some acceptance message I keep forgetting>
> Current SMB password: <current-PDC-password>
> Enter new global password: <new-password-for-both-PDC-and-LDAP/LINUX>
> Retype new global password:  <new-password-for-both-PDC-and-LDAP/LINUX>
> <...some messages indicating success>
> 
> PAM is using pam_smbpass.so for PDC passwords, and pam_ldap.so for
> LDAP/Linux passwords.

Where is this being run from? I assume you want linux desktop users to 
be able to change passwords once and have both changed? Look into the 
idealx LDAP scripts, which can replace the passwd binary AFAIK. They 
should be in examples/LDAP/smb-ldap in the samba-doc RPM.

> 
> 3) I don't like the fact that I had to use pam_smbpass.so in PAM to do
> authentication and password changes - this brings up race conditions
> between the other Samba machines in the network.  Although this would
> work, and would be the "equivalent" of magically synchronizing all the
> smbpasswd files in all the Samba installations, it's not a clean
> solution, as I'd rather have the PDC do all the authentication and
> password updates, and thus eliminate race conditions derived from
> multiple Samba servers accessing the same password database.
http://ranger.dnsalias.com/mandrake/mandrake8.2/pam_smb-1.1.6-3mdk.i586.rpm
AFAIK, pam_smbpass only works on the local passdb, which is why there is 
no point using it on clients.

> 
> Which brings me to Winbind...
> 
> My choice was to eliminate the use of LDAP for authentication, and do
> everything through pam_smbpass.  This works fine for all the machines in
> the network, except for my discomfort with point 3 above.  By doing
> this, I can truly unify logons, albeit some authentication is not
> synched (namely, logon to LDAP proper, as it does not use the PDC or PAM
> for authentication, instead using the Linux password, which coincides
> with the LDAP password - others may also be affected, but I haven't
> explored that yet, as I'm still experimenting).
> 
> Thus, I have single sign-on by all Linux and Win2000 workstations, and
> all "useful" passwords are synchronized satisfactorily (see above for
> clarification on "useful").
> 
> I next thought of using winbind to do all that pam_smbpass does, such
> that authentication and password change would be done through the PDC. 
> I have no need to retrieve user lists from winbind as I know that the
> PDC is samba, and thus has LDAP somewhere, and thus can use LDAP instead
> of winbind through nss_ldap.so (for nsswitch).
> 
> But winbind won't work with Samba PDC's.  I get NT_STATUS_PDC_NOT_FOUND
> (or something) in the winbind log.
> 
> And, finally - the simple question is: does winbind work with Samba
> PDC's (as of 2.2.5) and thus I have a configuration issue, or does it
> not, and thus I need to seek alternatives.
> 
> Any suggestions / success stories are welcome.
> 

What we have been doing for about a year is using LDAP for group/passwd 
via nss_ldap, and pam_smb for authentication:

http://ranger.dnsalias.com/mandrake/mandrake8.2/pam_smb-1.1.6-3mdk.i586.rpm

(It's gone into cooker also, so will be in the next release).

It doesn't solve your problem with changing passwords for linux users 
with passwd, but you could do that with a wrapper, which runs "smbpasswd 
-r". At the moment the only people who run linux desktops ttm are 
command-line capable, but this might change soon;-)
There really needs to be a pam module which changes a domain password, so 
that it can be used from other password changing apps (like in KDE).

> On a separate, unrelated note: does anyone know how to "modularize"
> LDAP-proper authentication, or if it's even possible? (i.e., logon to
> the LDAP server using PAM).
> 
> Best wishes, and hoping I didn't confuse anyone with this!
> 


This is from a message earlier regarding unix password sync. You may 
want to try it.

> 
> it works! thanks to the whole list and specially to the persons who gave me
> tips!
> in my case both, the asterisk and the quotation mark, were needed to get it
> work! the dot at the end of the line isn't needed, but the blank and
> carriage return must be set carefully! so, the following line works (for
> suse8.0, samba2.2.4 and a shellscript that calls ldappasswd as root):
> 
>    passwd chat = "New*password:* %n\n \nRe*enter*new*password:* %n\n
> \nResult:*Success*(0)\n* "


Please give me feedback on this if you succeed, and I will put example 
configs in the default smb.conf that ships with mandrake samba RPMs. I 
haven't gotten around to switching to LDAP yet on our DC.

Regards,
Buchan

-- 
|----------------Registered Linux User #182071-----------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x202
Stellenbosch Automotive Engineering         http://www.cae.co.za
GPG Key                   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7