[Samba] Winbind running on Samba PDC for shell logins

malk at sidehack.sat.gweep.net
Sun Dec 5 22:52:16 GMT 2004

Hello all-

I set up a Samba 3.0.8 PDC w/ simple tdb backend and it's working great.
The full RPC based printing w/ drivers installed on the samba server
is sweet.

I know down the line I may want the windows users to be able to possibly
authenticate for other services like e-mail (via Pop or a webmail type
service perhaps) or shell logins on the same PDC.  I didn't want to
have unix vs. windows passwords to worry about.

I found several options (unix password sync w/ passwd program, several
pam modules that might work), but I was most intrigued with the idea
of running winbind along with pam_winbind.so configured on the PDC, but
forcing it not to map UIDs or GIDs and simply only provide the authentication
but against itself and not some remote windows or samba PDC.

I scoured the howto, google, etc. and have never found anyone
using winbind w/ security = USER and domain logons = yes, and having
the PDC join its own domain so winbind could do its thing.  So I
did some testing.

So I did this:

     winbind enum users = no
     winbind enum groups = no
     winbind use default domain = yes

The use default domain is to guarantee unix users don't have a domain
component in their name and I don't have any trusts or anything. 
Probably didn't need winbind enum [users|groups] because when winbind
starts and there's no id ranges supplied, it keeps itself as only an
auth proxy which is all I want anyway.

Left "files" only in nsswitch.conf (winbind won't map or provide uid/gid
mappings, enforced even more by not having nsswitch bother w/ winbind).

Joined my PDC box to its own domain w/ net rpc join -U root
(kinda funny seeing a machine account in /etc/passwd for itself)

Set up /etc/pam.d/common-auth, session, acct w/ lines similar to

auth	sufficient	pam_winbind.so
auth	required	pam_unix.so

Fired up winbind and voila, my windows users w/ disabled passwords in
/etc/passwd can login to the PDC via their windows password stored
in the tdb backend.  As they change their password on windows, only
one actual password changes as a result.  Seems nice and clean.

So my question is: are there any disadvantages to running this way?
i.e. would I be better off not bothering w/ winbind and instead using
unix password sync?  Or is there something I haven't thought of that is

I personally like winbind better than anything else I found because it
just seems to make more sense to me to have one password actually
stored since linux auth via winbind works so well.  I've just never
used winbind except as a means to better integrate a linux box w/ a
windows PDC (both active dir (ads) and flat NT domains (rpc)).  Can
any of you that understand samba's internals really well think of
any "gotchas" I could avoid by using something else?  I didn't test out
unix password sync, but I'm confident it will solve my problem equally
as well.

Thanks for any thoughts,

Eric Malkowski
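Added example (not from the original post, nor from the Samba project): a small audit script that checks the four invariants the layout above depends on. It reads smb.conf, nsswitch.conf, the PAM auth stack and a shadow file and reports anything that breaks the "one real password" property: an idmap range (winbind would start allocating UIDs/GIDs instead of staying an auth proxy), winbind in nsswitch passwd/group, pam_winbind not being the first, 'sufficient' entry (with 'required' for both modules and locked unix passwords, nobody can log in), and any account whose unix password is not locked, since pam_unix would accept it as a second credential. All sample files in the block are constructed for the example; the parameter names 'idmap uid'/'idmap gid' are the Samba 3.0.x range settings, and the check also accepts any later 'idmap config ... : range' key.

```python
"""Audit a Samba PDC whose own winbind is used purely as an auth proxy
for shell logins.  Invariants checked: no idmap range in smb.conf,
winbind absent from nsswitch passwd/group, pam_winbind first as
'sufficient', and every domain user's unix password locked.
All sample files below are constructed for this example."""
import re

# Constructed sample files mirroring the posted layout (not a real host).
SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   security = user
   domain logons = yes
   passdb backend = tdbsam
   winbind enum users = no
   winbind enum groups = no
   winbind use default domain = yes
"""
NSSWITCH = "passwd: files\ngroup:  files\nshadow: files\n"
PAM_AUTH = "auth\tsufficient\tpam_winbind.so\nauth\trequired\tpam_unix.so\n"
# 'eric' and 'bob' are locked ('!' / '*'); 'alice' kept a unix password.
SHADOW = """\
root:$6$saltsalt$hashhashhash:16000:0:99999:7:::
eric:!:16000:0:99999:7:::
bob:*:16000:0:99999:7:::
alice:$1$saltsalt$hashhashhash:16000:0:99999:7:::
"""


def parse_smb_global(text):
    """Return the [global] section as a normalised key -> value dict."""
    section, params = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "global" and "=" in line:
            key, _, val = line.partition("=")
            params[" ".join(key.lower().split())] = val.strip().lower()
    return params


def parse_pam_auth(text):
    """Return [(control, module), ...] for the 'auth' lines in stack order."""
    stack = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].lower() == "auth":
            stack.append((parts[1].lower(), parts[2].rsplit("/", 1)[-1]))
    return stack


def parse_nsswitch(text):
    """Return database -> list of sources."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            db, _, srcs = line.partition(":")
            dbs[db.strip()] = srcs.split()
    return dbs


def usable_unix_passwords(shadow_text):
    """Accounts whose shadow hash is not locked with '!' or '*'; each one is
    a second credential pam_unix would accept."""
    users = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and not fields[1].startswith(("!", "*")):
            users.append(fields[0])
    return users


def audit(smb_conf, nsswitch, pam_auth, shadow):
    """Return a list of findings; an empty list means the layout holds."""
    findings = []
    g = parse_smb_global(smb_conf)
    if g.get("winbind use default domain") != "yes":
        findings.append("smb.conf: 'winbind use default domain = yes' missing; "
                        "pam_winbind would see DOMAIN\\user names absent from /etc/passwd")
    if any(k in ("idmap uid", "idmap gid") or k.endswith("range") for k in g):
        findings.append("smb.conf: an idmap range is set, so winbind will allocate "
                        "UIDs/GIDs instead of acting as an auth-only proxy")
    nss = parse_nsswitch(nsswitch)
    for db in ("passwd", "group"):
        if "winbind" in nss.get(db, []):
            findings.append(f"nsswitch.conf: '{db}' consults winbind; only 'files' was intended")
    stack = parse_pam_auth(pam_auth)
    wb = [(i, c) for i, (c, m) in enumerate(stack) if m == "pam_winbind.so"]
    ux = [i for i, (c, m) in enumerate(stack) if m == "pam_unix.so"]
    if not wb:
        findings.append("PAM: pam_winbind.so is absent from the auth stack")
    else:
        idx, control = wb[0]
        if control != "sufficient":
            findings.append(f"PAM: pam_winbind.so is '{control}', not 'sufficient'; with a "
                            "required pam_unix.so and locked unix passwords even a correct "
                            "domain password is denied")
        if ux and ux[0] < idx:
            findings.append("PAM: pam_unix.so is tried before pam_winbind.so")
    for user in usable_unix_passwords(shadow):
        findings.append(f"shadow: '{user}' still has a usable unix password (second credential path)")
    return findings


if __name__ == "__main__":
    for finding in audit(SMB_CONF, NSSWITCH, PAM_AUTH, SHADOW):
        print(finding)
```

Run against the constructed files it reports only the two shadow entries (root and alice), which is the point: with winbind 'sufficient' ahead of pam_unix 'required', a locked unix password makes pam_unix a guaranteed deny, so any account that still carries a real unix hash is the one place the single-password story stops being true.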
