Hello all, I currently have the following setup working nicely:

- A Samba PDC, with LDAP-SAM, syncs passwords between LDAP and Samba (and /etc/shadow when appropriate) correctly - either when changing them through Samba (Samba has PAM support enabled and working) or through normal Unix mechanisms (/usr/bin/passwd, using pam_smbpass, pam_ldap, etc.).

- Several other Linux machines, running Samba, using winbind/pam_winbind (NOT nss_winbind), and nss_ldap to authenticate against the PDC.

Using pam_winbind to sync passwords allows me to exploit the fact that the Samba processes in the PDC do sync the LDAP and Samba passwords for me. Avoiding nss_winbind allows me to conserve the userids stored in LDAP and reuse them throughout the network, without suffering from the winbind limitation of the "first-come, first-served" userid assignment. Windows machines do not, of course, suffer from this. Basically, Samba is just the auth/password change mechanism for my client machines (local Unix passwords are also affected when appropriate).

My dilemma is with my PDC's configuration: I currently use pam_smbpass to do the syncing of Samba passwords when the password change occurs external to Samba. I don't particularly like this - I'd rather use something like pam_winbind to do my password changes *through* Samba as opposed to parallel to it. However, I've had no success in getting winbind to do this while running on the PDC (although I could join the machine to its own domain - some trickery there; and get wbinfo to display the correct list of users and groups - which means that winbind is attaching itself to the PDC correctly). It won't, however, do password authentication and changes correctly.

Any ideas? Advice? I had run into pam_smb (pam_domain? pam_ntdom?) earlier, which supposedly could do this for me, but IIRC it wasn't being maintained, and it was pretty buggy.

Best

Diego

PS/ If you want a copy of my configs, let me know and I'll e-mail them to you directly.