On Mon, 2002-12-16 at 07:56, Diego Rivera wrote:
> Hello all,
>
> I currently have the following setup working nicely:
>
> A Samba PDC, with LDAP-SAM, syncs passwords between LDAP and Samba (and
> /etc/shadow when appropriate) correctly - either when changing them
> through Samba (samba has PAM support enabled and working) or through
> normal Unix mechanisms (/usr/bin/passwd, using pam_smbpass, pam_ldap,
> etc.).
>
> Several other Linux machines, running Samba, using winbind/pam_winbind
> (NOT nss_winbind), and nss_ldap to authenticate against the PDC.
>
> Using pam_winbind to sync passwords allows me to exploit the fact that
> the Samba processes in the PDC do sync the LDAP and Samba passwords
> for me. Avoiding nss_winbind allows me to conserve the userids stored
> in LDAP and reuse them throughout the network, without suffering from
> the winbind limitation of the "first-come, first-served" userid
> assignment. Windows machines do not, of course, suffer from this.
>
> Basically, Samba is just the auth/password change mechanism for my
> client machines (local unix passwords are also affected when
> appropriate).
>
> My dilemma is with my PDC's configuration: I currently use pam_smbpass
> to do the synching of Samba passwords when the password change occurs
> external to Samba. I don't particularly like this - I'd rather use
> something like pam_winbind to do my password changes *through* samba as
> opposed to parallel to it.
>
> However, I've had no success in getting winbind to do this while running
> on the PDC (although I could join the machine to its own domain - some
> trickery there; and get wbinfo to display the correct list of users and
> groups - which means that winbind is attaching itself to the PDC
> correctly). It won't, however, do password authentication and changes
> correctly.
>
> Any ideas? Advice?
Yes, this all works - I use exactly this setup.

What you need to do is set 'winbind use default domain', so that pam_winbind uses the 'right' usernames etc. (i.e., they don't need a domain\ prefix). This requires Samba 3.0 to operate correctly - the 2.2 implementation is an artifact of a code merge, and is not complete.

Also look at the 'ldap password change' option in 3.0 - it might work better than the 'unix password sync' stuff.

Andrew Bartlett

--
Andrew Bartlett                                 [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org     http://build.samba.org     http://hawkerc.net
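An smb.conf fragment for the PDC that puts the two options from the reply next to the LDAP-SAM settings the original poster already has. This is added here as an illustration; it is not from the thread or from the Samba project's own documentation. The domain name, LDAP suffix and admin DN are constructed, and the spelling 'ldap passwd sync' for the 3.0 option the reply calls 'ldap password change' is an assumption.

```ini
; /etc/samba/smb.conf on the PDC (added example; values below are assumptions)
[global]
   workgroup = EXAMPLE                          ; constructed domain name
   security = user
   domain logons = yes
   domain master = yes

   ; LDAP-backed SAM, as in the original setup
   passdb backend = ldapsam:ldap://localhost
   ldap suffix = dc=example,dc=com              ; constructed
   ldap admin dn = cn=admin,dc=example,dc=com   ; constructed

   ; Let Samba update the LDAP password attributes itself when a change
   ; arrives through it, instead of relying on 'unix password sync' plus
   ; pam_smbpass running in parallel (assumed spelling of the 3.0 option).
   ldap passwd sync = yes

   ; Without this, pam_winbind presents DOMAIN\user names, which do not
   ; match the plain account names nss_ldap serves on the same host.
   winbind use default domain = yes
```

On the PAM side this pairs with a `password` stack entry for pam_winbind.so in place of pam_smbpass.so, so that a `passwd` run on the PDC is routed through winbindd and Samba rather than alongside it; the exact PAM file name depends on the distribution.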