[Samba] Problems authentication with NT PDCs in security = server (was security = user)

Collins, Kevin KCollins at nesbittengineering.com
Thu Nov 7 22:25:51 GMT 2002


James:

(Again someone correct me if I'm wrong)

PAM allows local access to the Samba machine as well as authenticating
Samba users.  Winbind *only* allows for Samba access.  This is why I
chose *not* to use PAM in my setup.  I don't want normal users to have
local logon access to *MY* servers.  <evil grin>

With Winbind, you don't need PAM at all.  If you're planning on using
PAM you *will* have to have local Unix accounts.  These local accounts
can be generated using both Winbind and PAM together, but it's a process
that I don't remember right now.

At any rate, I don't think you're going to be able to achieve what you're
after.  I think it'll be a one or the other kinda thing - either adding
the machine to the domain, or adding local user accounts.

Kevin

> -----Original Message-----
> From: James Lamanna [mailto:jamesl at appliedminds.net]
> Sent: Thursday, November 07, 2002 4:55 PM
> To: 'Collins, Kevin'
> Cc: samba at lists.samba.org
> Subject: RE: [Samba] Problems authentication with NT PDCs in security = server (was security = user)
> 
> 
> The interesting part is that neither PAM nor the SMB auth plugin for Apache
> requires you to be a member of the domain.
> 
> However, the caveat with pam_smb_auth is that you have to have a unix
> account for every windows user you want to authenticate.
> 
> I guess the behavior I'm trying to achieve is the one achieved with the
> Apache plugin:
> 1) Doesn't require you to be a member of the domain
> 2) Doesn't require unix accounts for windows users.
> 
> --James
> 
> -----Original Message-----
> From: Collins, Kevin [mailto:KCollins at nesbittengineering.com] 
> Sent: Thursday, November 07, 2002 1:50 PM
> To: 'James Lamanna'; Collins, Kevin
> Subject: RE: [Samba] Problems authentication with NT PDCs in security = server (was security = user)
> 
> 
> James:
> 
> My best guess (someone correct me if I'm wrong) is that you'll need to
> have the Samba machine as a member of the NT/2000 domain before it can
> authenticate against it.
> 
> This is a Windows issue - and it's by design.  Adding a machine to the
> domain creates the machine trust.  The NT/2000 DCs will only share user
> account info with other members (or machines that it trusts).  I have a
> Windows 2000 laptop that I keep in "Workgroup" mode.  I can't retrieve
> *any* info about the domain computers or the Domain itself while in this
> mode.
> 
> Other than adding the machine to the domain, you're probably stuck
> adding Unix users - and keeping up with password changes.
> 
> Kevin
> 
> > -----Original Message-----
> > From: James Lamanna [mailto:jamesl at appliedminds.net]
> > Sent: Thursday, November 07, 2002 4:40 PM
> > To: 'Collins, Kevin'
> > Subject: RE: [Samba] Problems authentication with NT PDCs in security = server (was security = user)
> > 
> > 
> > Well as you can see, I'm getting a funky error when I try to do it
> > anyways.
> > 
> > And I don't know if the Windows Box administrator will give me
> > permission.
> > 
> > 
> > -----Original Message-----
> > From: Collins, Kevin [mailto:KCollins at nesbittengineering.com]
> > Sent: Thursday, November 07, 2002 1:24 PM
> > To: 'James Lamanna'; samba at lists.samba.org
> > Subject: RE: [Samba] Problems authentication with NT PDCs in security = server (was security = user)
> > 
> > 
> > > Is it possible to get samba to authenticate from the Domain without
> > > adding a machine account to the domain (using smbpasswd -j ...)
> > 
> > I've always had to add the machine to the domain.  Any reason why you
> > *don't* want to?
> > 
> > Kevin C.
> > 
> > > Also, when I tried to add the machine to the domain anyways, I 
> > > received an interesting error:
> > > "Set net rpc join for this functionality"
> > > 
> > > Thanks.
> > > --James
> > > 
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions:  http://lists.samba.org/mailman/listinfo/samba
> > > 
> > 
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 2270 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba/attachments/20021107/755b25d6/smime.bin


More information about the samba mailing list