[Samba] Winbind running on Samba PDC for shell logins

malk at sidehack.sat.gweep.net malk at sidehack.sat.gweep.net
Mon Dec 6 13:34:15 GMT 2004


> 
> > Fired up winbind and voila, my windows users w/ disabled passwords in
> > /etc/passwd can login to the PDC via their windows password stored
> > in the tdb backend.  As they change their password on windows, only
> > one actual password changes as a result.  Seems nice and clean.
> >
> > So my question is are there any disadvantages to running this way?
> > i.e. would I be better off not bothering w/ winbind and instead use
> > unix password sync ??  Or is there something I haven't thought of that is
> > better?
> One thing... if you set a list of workstations on which a user can log in...
> then pam_winbind can't auth users anymore.
> 

Oh wow... that's interesting and good to know.  Thanks.  So it sounds like
you're talking about the windows based workstation access restrictions that
are all stored in the tdb backend (access rights, or user rights in
the windows based user manager?  I use usermgr for testing so end user admins
get a GUI for user management on samba PDC).
i.e. if I set up a windows user to only be able to log in to 2 out of my 10
windows workstations, then pam_winbind can't authenticate ANY users
anymore -- or just that one user or some subset of users?

I doubt we'll be restricting what workstations users can login to, but this 
will save some headaches if we try it and have issues.  Thanks again.

This is one reason to favor unix password sync.

I'm wondering if unix password sync will work -- i.e. a normal samba PDC
setup has the windows password encrypted as LM hashes or whatever.  Is
the PDC ever able to recover the plain text of XP/2K passwords so it
can use the passwd command as root to set the unix password?

Hopefully this thread will be useful to others too -- thanks for replying.

-E
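
The two setups compared in this message, as an added smb.conf sketch that is not part of the original post or of the Samba project's documentation. The domain name, the passwd path and the chat string are assumptions and must be adapted to the local system.

```ini
# Constructed smb.conf fragment for a Samba 3 PDC with a tdbsam backend.
# EXAMPLEDOM is a placeholder domain name.
[global]
   workgroup = EXAMPLEDOM
   domain logons = yes
   passdb backend = tdbsam

# --- Option A: shell logins through winbind (the setup described above) ---
# The Unix account keeps a disabled password in /etc/passwd, and PAM hands
# the login password to winbindd, which checks it against the tdb backend.
# Only one password store exists. The PAM side lives in a separate file,
# for example /etc/pam.d/<service> (path is an assumption):
#    auth   sufficient   pam_winbind.so
#    auth   required     pam_unix.so use_first_pass
# The quoted reply reports that per-user workstation restrictions stop
# pam_winbind from authenticating; test that case before relying on it.

# --- Option B: unix password sync ---
# smbd does not recover passwords from the stored LM/NT hashes. When a
# password change request carries the new password, smbd runs the passwd
# program as root and feeds it that new cleartext password.
   unix password sync = yes
# Assumed path; %u expands to the user name.
   passwd program = /usr/bin/passwd %u
# Expect/send script that must match the prompts of the local passwd
# binary; %n expands to the new password. This is the documented default.
   passwd chat = *new*password* %n\n*new*password* %n\n *changed*

# With Option B there are two stores (tdbsam and /etc/shadow). The sync is
# one-way: a change made with passwd on the Unix side does not update tdbsam.
```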
