Yup, that certainly works, too, but I think I'll go with the other solution. I can change the "random string" in /etc/shadow to "USEWINBINDAUTH" so that we remember how users are authenticating.
Thanks, Ray -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lebar, Russell J Sent: Thursday, February 09, 2006 7:30 PM To: SunRay-Users mailing list Subject: RE: [SunRay-Users] pam.conf with winbind support > -----Original Message----- > From: [EMAIL PROTECTED] > > Update: > > I've come up with a not-so-elegant solution to my problem. > > In case there is something in my pam.conf that doesn't like > seeing "johndoe:*LK*:::::::" in /etc/shadow, I've changed the > "*LK*" to a random 14-character string for all users and > disabled password aging. > That way, it'd be nearly impossible for them to guess their > SunRay server password and force them to use their AD domain password. Have you tried using NP for the password field? It indicates that the account has No Password. The old admintool called this option "No password -- setuid only". It's often used for accounts daemons run under. -- Russ _______________________________________________ SunRay-Users mailing list [email protected] http://www.filibeto.org/mailman/listinfo/sunray-users _______________________________________________ SunRay-Users mailing list [email protected] http://www.filibeto.org/mailman/listinfo/sunray-users
