[Samba] Winbindd+W2K+NT+Pam+Samba 2.2.3a+Solaris
Gerald Carter
jerry at samba.org
Thu May 16 05:27:03 GMT 2002
On Tue, 14 May 2002, Adcock, Christine M. wrote:
> accounts if we can help it. When I read through the man pages and HowTo
> documentation it at first seemed that this was possible using Winbindd and
> PAM. Upon closer investigation it looks like the users must have UNIX
> accounts and smbpasswd accounts to enable the challenge/response
> authentication - is this true?
No. Winbind's PAM and NSS module will take care this for you.
> I am also confused as to whether PAM is relevant since the majority of
> documentation states that it only works with clear-text passwords and
> W2K and NT require passwords to be encrypted. Can someone elaborate on
> this relationship please? I am about ready to give up and say that this
> cannot be done.
If Samba authenticates a user via PAM, then clear text passwords must be
used. However, the pam_winbind module is for use by applications
other than Samba so you can safely use "encryt passwords = yes".
> BTW - I can run through the DIAGNOSIS.txt tests successfully up to Test 7
> and the user accounts I am testing with are valid in AD. In addition, I have
> read through many of the mailing list postings and the error I get back on
> test seven is the same as many others - NT_STATUS_LOGON_FAILURE, the log
> says - auth2 challenge failed - NT_STATUS_ACCESS_DENIED.
Did you add the Samba box to the domain? Ahh...You should probably
try 2.2.4 since there was a related big-endian related bug fixed
between 2.2.3a and 2.2.4 related to joining a domain.
cheers, jerry
---------------------------------------------------------------------
Hewlett-Packard http://www.hp.com
SAMBA Team http://www.samba.org
-- http://www.plainjoe.org
"Sam's Teach Yourself Samba in 24 Hours" 2ed. ISBN 0-672-32269-2
--"I never saved anything for the swim back." Ethan Hawk in Gattaca--
More information about the samba
mailing list