I set up a working PDC, with the exception of one major issue:

These are the two relevant lines:
   encrypt passwords = no
   obey pam restrictions = yes

If I set encrypt passwords = yes I can join the domain and log in and 
everything works perfectly from windows xp sp2.

However, pam doesn't work with encrypt passwords, so I can't use encrypt 
passwords in authenticating users.

The end goal is to authenticate windows machines to the same auth 
servers we have in the linux/mac/solaris realm, which is an ldap server 
(or NIS for solaris), that uses kerberos for password authentication. 
I've heard it's possible to get windows to authenticate to the kerberos 
server through samba, but windows expects the kerberos server to have an 
NT hash to authenticate to, which would break the rest of the network, 
so I went down the pam path, and got that working fine in pam for 
accessing shares, but kept getting a "this user is unauthorized to login 
to this machine" error when I tried to join the domain as root (which 
will authenticate through pam files just fine for accessing shares). I 
also have root with the same password encrypted, via smbpasswd, and when 
I set encrypt passwords = yes, the domain works like a charm, for root 
and my other user I manually created accounts for.

Has anyone attempted to do something like this? I know it's kinda 
stretching the limits of samba (or more likely the flexibility of 
windows), but if I could make this work, everyone in the department 
would only have one password to worry about, and to allow someone to 
log in to windows machines, all I'd have to do is add them to the 
winusers group.

Our current setup is a windows 2000 server that is completely 
disconnected from the rest of the network that I'm trying to retire. If 
it comes down to it, I could keep this new server as a separate entity 
on the network as well, but I'd much rather get this to work.

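As an added example (not from the poster), a small Python audit that parses the two [global] lines quoted above and reports what they imply for credential handling. The parameter defaults and the "domain logons needs encrypted passwords" rule are taken from the Samba 3 documentation; the sample config is constructed.

```python
"""Audit an smb.conf [global] section for the password-handling settings in the post."""

# Constructed sample: the poster's two lines inside a minimal PDC [global] section.
WEAK_SMB_CONF = """
[global]
   domain logons = yes
   encrypt passwords = no
   obey pam restrictions = yes
"""

# Same section with encrypt passwords = yes, the setting under which the poster
# reports that the domain join works.
FIXED_SMB_CONF = WEAK_SMB_CONF.replace("encrypt passwords = no", "encrypt passwords = yes")


def parse_smb_conf(text):
    """Minimal smb.conf parser: [sections], 'key = value' lines, '#'/';' comment lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            # Samba ignores case and internal whitespace in parameter names.
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def smb_bool(value):
    """Samba accepts yes/true/1 and no/false/0 for boolean parameters."""
    return value.strip().lower() in ("yes", "true", "1")


def audit_global(sections):
    """Return a list of findings about how credentials are handled in [global]."""
    g = sections.get("global", {})
    encrypt = smb_bool(g.get("encrypt passwords", "yes"))   # Samba 3 default: yes
    pam = smb_bool(g.get("obey pam restrictions", "no"))    # default: no
    logons = smb_bool(g.get("domain logons", "no"))         # default: no
    findings = []
    if not encrypt:
        findings.append("encrypt passwords = no: clients send the cleartext password "
                        "over the wire on every share connect")
        if logons:
            findings.append("domain logons = yes needs NT challenge/response, so the "
                            "domain join fails until encrypt passwords = yes")
    elif pam:
        findings.append("obey pam restrictions = yes only applies PAM account/session "
                        "checks; with encrypted passwords the password itself is "
                        "verified against the Samba passdb (smbpasswd), never PAM")
    return findings
```

The third finding is the reason the poster sees PAM "not working" once encryption is on: Samba never routes NTLM challenge/response through PAM's auth stack.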