[KLUG Members] Samba

Adam Williams members@kalamazoolinux.org
04 Dec 2002 20:56:10 -0500


>>Just for the information, is hacking Win98 registry to use unencrypted
>>passwords that big a deal in the long run.  Does Win98 need to have
>>its passwords encrypted?  If not, then is it not better to hack Win98
>>and save the pain of setting up encrypted passwords in Samba.  Or at
>>least to me it is a pain. Just a question as I muddle through a Samba
>>configuration.  Note: My current configuration worked with a Win2k
>>Pro.
>Encrypted passwords in Samba aren't hard at all... The big thing to
>remember is that you have to have a linux system account (even if you
>disable the shell for it) AND a Samba account. Samba checks against the
>linux system account via PAM to verify the person is allowed to access
>the system.

By default it checks NSS, not PAM, hence the need for a POSIX account. 
PAM only comes into play if you built Samba with --with-pam and you have
the "obey pam restrictions = yes" directive set.  This will check the
PAM account and session stacks for permissibility, but PAM is never used
in the *authentication* process if "encrypt passwords = yes" is set.

If you're a member of an NT/CIFS domain you can set NSS to use "winbindd"
which will manifest virtual POSIX accounts for users in the domain SAM,
obviating the need to maintain parallel accounts.

Or you can use LDAP SAM + LDAP NSS which collapses the SAM/POSIX into a
single structure.

If you have any more than a few users the above options are easier to
maintain, IMHO, but are initially more work.

>You *DO* need to set passwords manually for the Samba box. Use
>smbadduser to create the Samba account and smbpasswd to set the password
>for the user. You *CAN* also use the SWAT utility (via a web browser) to
>do this which is *MUCH* simpler.

You can use the "update encrypted = yes" directive to have Samba
silently build the encrypted password database for you as clear-text
users log in.

There is also "pam_smbpass", which, when in migrate mode, will silently
update the samba password when a user logs in to any PAM service (IMAP,
SSH, etc...)  This can also propagate any password changes made via the
"passwd" command (or anything changing the password via PAM, which is
all the passwd command is doing) into the SAM.  If password sync is also
set up from Samba -> PAM this welds the two systems together.
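
The following is an added example, not part of the original post and not Samba code: a small Python check that reads the [global] section of an smb.conf and reports which of the authentication paths discussed above a configuration selects. The two sample configurations are constructed, and treating an unset parameter as "no" is an assumption, since real defaults vary by Samba version.

```python
import re

TRUTHY = {"yes", "true", "on", "1"}  # boolean spellings smb.conf accepts

# Constructed sample: a server part-way through the migration described above.
MIGRATING = """
[global]
   ; clear-text logins still accepted while the SAM is being filled
   encrypt passwords = no
   Update Encrypted = Yes
   obey pam restrictions = yes
[homes]
   read only = no
"""
# Constructed sample: the same server once every user has a SAM entry.
FINISHED = "[global]\n  encrypt passwords = yes\n  obey pam restrictions = yes\n"

def parse_global(conf_text):
    """Return the [global] parameters; names lower-cased, whitespace dropped."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params["".join(name.lower().split())] = value.strip().lower()
    return params

def auth_path(conf_text):
    """Summarise which of the post's authentication paths a config selects."""
    p = parse_global(conf_text)
    # Assumption: an unset parameter counts as "no"; real defaults vary by version.
    on = lambda name: p.get(name.replace(" ", ""), "no") in TRUTHY
    encrypted = on("encrypt passwords")
    return {
        "cleartext_logins": not encrypted,
        "pam_excluded_from_authentication": encrypted,
        "sam_filled_on_login": on("update encrypted") and not encrypted,
        # Only effective if Samba was built --with-pam, per the post.
        "pam_account_session_checked": on("obey pam restrictions"),
    }

if __name__ == "__main__":
    for label, conf in (("migrating", MIGRATING), ("finished", FINISHED)):
        print(label, auth_path(conf))
```

A configuration that still reports `cleartext_logins` after the migration window has closed is the one to follow up on.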