[Samba] Samba PDC without encryption

Ryan Novosielski novosirj at umdnj.edu
Thu Oct 25 18:44:36 GMT 2007

Hash: SHA1

I can tell you that you MUST use encrypted passwords on a PDC. Any
information about this and more is in the docs.

Sam Leathers wrote:
> I setup a working PDC, with exception of one major issue:
> These are the two relevant lines:
>   encrypt passwords = no
>   obey pam restrictions = yes
> If I set encrypt passwords = yes I can join the domain and login and
> everything works perfectly from windows xp sp2.
> However; pam doesn't work with encrypt passwords, so I can't use encrypt
> passwords in authenticating users.
> The end goal is to authenticate windows machines to the same auth
> servers we have in the linux/mac/solaris realm, which is an ldap server
> (or NIS for solaris), that uses kerberos for password authentication.
> I've heard it's possible to get windows to authenticate to the kerberos
> server through samba, but windows expects the kerberos server to have an
> NT hash to authenticate to, which would break the rest of the network,
> so I went down the pam path, and got that working fine in pam for
> accessing shares, but kept getting a "this user is unauthorized to login
> to this machine" error when I tried to join the domain as root (which
> will authenticate through pam files just fine for accessing shares). I
> also have root with the same password encrypted, via smbpasswd, and when
> I set encypt passwords = yes, the domain works like a charm, for root
> and my other user I manually created accounts for.
> Has anyone attempted to do something like this? I know it's kinda
> stretching the limits of samba (or more likely the flexibility of
> windows), but if I could make this work, everyone in the department
> would only have one password to worry about, and to allow someone to
> login to windows machines, all I'd have to do is add them to the
> winusers group.
> Our current setup is a windows 2000 server that is completely
> disconnected from the rest of the network that I'm trying to retire. If
> it comes down to it, I could keep this new server as a separate entity
> on the network as well, but I'd much rather get this to work.
> Sam

- --
 ---- _  _ _  _ ___  _  _  _
 |Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Systems Programmer II
 |$&| |__| |  | |__/ | \| _| |novosirj at umdnj.edu - 973/972.0922 (2-0922)
 \__/ Univ. of Med. and Dent.|IST/AST - NJMS Medical Science Bldg - C630
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


More information about the samba mailing list