[olug] samba qs - pswds and trust?

ktb xyf at nixnotes.org
Fri Mar 14 13:44:10 UTC 2003


On Thu, Mar 13, 2003 at 11:56:00PM -0600, Brian Wiese wrote:
> see inline... sidenote: anyone set up Samba 2.2 with LDAP yet?
> 
> On Thu, 13 Mar 2003 13:58:18 -0600
> ktb <xyf at nixnotes.org> wrote:
> 
> |On Thu, Mar 13, 2003 at 09:53:21AM -0600, Brian Wiese wrote:
> |> I am in the process of setting up an windows network domain with Samba
> |> 2.2(debian woody) as the primary domain controller[1] and many Win98
> |> clients. Just a couple of the questions I've been trying to figure out
> |> lately are, wondering if anyone on the list has experienced this...
> |> 
> |> Q 1.
> |> Can the PAM modules cracklib or passwdqc be used to test the security
> |> of smbpasswds?  I honestly haven't tried this yet, so I am just looking
> |> for a quick answer before I start messing with (learning) PAM configs. 
> |> I have set in smb.conf on the PDC: security = user
> |> encrypted passwords = yes
> |> obey pam restrictions = yes
> |> pam password change = yes
> |> 
> |
> |Take a look at the pam section in smb.conf for this.  Pam is only used
> |if you use plain text passwords.  Pam is ignored if encrypted passwords
> |are used.
> 
> (I will play with this more when I get a chance...)
> 
> That is what I thought at first, but I guess I am confused -- as using PAM
> for say 'password' enforcement and then sending the passwords plain text
> on the network kinda defeats the purpose.  Anything above Win9x it sounds
> 'needs' to use encrypted passwords to join a domain.
> 
> It seems like 'encrypted passwords = yes' only disables the
> 'authentication'[1] services of PAM.  I imagine the 'account', 'session',
> and 'password' services should still work.  Or does it only pertain to
> 'account' and 'session'??
> 

The account/password stuff still works.  Both the smbpasswd file and
/etc/passwd have to be in agreement.

<snip> 
 
> |> Q 2.
> |> There is also a WinNT4 PDC on this network for a different domain which
> |> many of the Win98 clients belong to.  On the Samba PDC I've tried
> |> setting up 'allow trusted domains = yes'[2] in the smb.conf, added a
> |> unix and samba machine (trust) account for the WinNT4 PDC -- and that's
> |> it?  Anyhow, it doesn't work.  That should allow any users of the NT4
> |> domain to access resources on my Samba domain.  Is this at all
> |> possible, or must the trust be between NT4/2k domains, and samba can
> |> only act as a member server?  I'm not sure how else to specify which
> |> domains to trust either.  The samba pdc documentation[1] sounds like
> |> this is not/no longer possible, but the smb.conf does not say this
> |> function is deprecated or anything.  How is 'allow trusted domains'
> |> supposed to work?
> |
> |I found security_level.{txt|html} or DOMAIN_MEMBER.{txt|html} to be real
> |helpful.  You will find the two files in the source code.  
> |
> |Also take a look at "man smb.conf" there is a section dedicated to "allow
> |trusted domains."  You say the WinNT4 PDC is on a different network.
> |If the two PDCs are on different subnets WINS has to be enabled IIRC.  
> |
> |I've not tried merging two networks with WinNT4 in the mix so can't
> |really answer your questions directly.
> |hth,
> |kent
> 
> I've given up on this, as I sadly don't believe that it is possible.  I
> reread over the line in the smb.conf file, and I remembered that I cannot
> run this feature on a PDC since the PDC is set to 'security = user' and so
> it would only be effective on a member server in a domain.  Also the Samba
> PDC Howto[2] says that this is not possible among other things.  Seems
> pretty limited so far, hopefully Samba 3.0[3] or TNG[4] will have more
> features to support.
>

I understand the two PDCs are on different networks, but would it be
workable to set up just one to be the PDC?  I don't know if Samba plays
well with NT4's authentication or not, but if it does, change your samba
security to -

security = server
and then set
password server = NT4-box

I know you can set up samba to authenticate off another linux server
running as a PDC.

Just dump the NT box ;)
<snip>

hth,
kent

-- 
To know the truth is to distort the Universe.
                      Alfred N. Whitehead (adaptation)
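The thread turns on three smb.conf facts: PAM's auth stack is only consulted when passwords travel in clear text ('encrypted passwords = no'), 'allow trusted domains' only takes effect with 'security = server' or 'security = domain' (per smb.conf(5)), and 'security = server' is pass-through authentication with no machine trust account, which is why 'security = domain' is the preferable member-server mode. The lint below is an added example for this archive page, not code from either poster; it parses an smb.conf with a minimal reader and flags those settings. The two sample configs are constructed to mirror the configurations discussed above (the PDC with PAM checks and 'allow trusted domains', and kent's pass-through suggestion); the hostname NT4-box is taken from the message. Treating a missing 'encrypted passwords' line as "unset" rather than assuming a default is a deliberate choice, since the default changed between Samba releases.

```python
"""Lint smb.conf for the password, PAM and trust settings discussed in the
thread. Added example for this page; the sample configs are constructed."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    level: str  # "error", "warn" or "info"
    key: str    # smb.conf parameter the finding is about
    msg: str


def parse_smb_conf(text):
    """Minimal smb.conf reader: [sections], 'name = value' lines, '#'/';'
    comments. Parameter names are normalised the way Samba treats them
    (case-insensitive, internal whitespace ignored)."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if "=" in line and section is not None:
            name, _, value = line.partition("=")
            conf[section][re.sub(r"\s+", "", name).lower()] = value.strip()
    return conf


def as_bool(value):
    """Samba boolean: yes/true/1 vs no/false/0; None when the key is unset."""
    if value is None:
        return None
    return value.lower() in ("yes", "true", "1")


def lint(text):
    g = parse_smb_conf(text).get("global", {})
    security = g.get("security", "user").lower()  # Samba's default mode
    enc = as_bool(g.get("encryptedpasswords"))
    findings = []

    # Clear-text logons are the only mode in which PAM 'auth' is reached.
    if enc is None:
        findings.append(Finding("warn", "encrypted passwords",
            "not set explicitly; set it to yes so the result does not depend "
            "on the Samba version's default"))
    elif not enc:
        findings.append(Finding("error", "encrypted passwords",
            "no: SMB logons carry the password in clear text on the wire"))
    elif as_bool(g.get("obeypamrestrictions")):
        findings.append(Finding("info", "obey pam restrictions",
            "with encrypted passwords the PAM auth stack is bypassed (the "
            "smbpasswd hash is used); only PAM account/session checks apply"))

    # Pass-through mode: every logon is decided by the password server and
    # no machine trust account is involved; domain membership is stronger.
    if security == "server":
        findings.append(Finding("warn", "security",
            "server: pass-through authentication without a machine trust "
            "account; prefer security = domain"))
        if "passwordserver" not in g:
            findings.append(Finding("error", "password server",
                "security = server needs 'password server' set to the box "
                "that holds the accounts"))

    # smb.conf(5): the option only applies to security = server or domain.
    if as_bool(g.get("allowtrusteddomains")) and security not in ("server", "domain"):
        findings.append(Finding("warn", "allow trusted domains",
            f"has no effect with security = {security}; it only applies "
            "with security = server or domain"))
    return findings


# Constructed sample: a Samba 2.2 PDC like the one described in the thread.
PDC_SAMPLE = """
[global]
   workgroup = EXAMPLE
   domain logons = yes
   security = user
   encrypted passwords = no
   obey pam restrictions = yes
   allow trusted domains = yes
"""

# Constructed sample: kent's pass-through suggestion, NT4-box from the mail.
PASSTHROUGH_SAMPLE = """
[global]
   security = server
   password server = NT4-box
   encrypted passwords = yes
   obey pam restrictions = yes
"""

if __name__ == "__main__":
    for name, conf in (("PDC", PDC_SAMPLE), ("pass-through", PASSTHROUGH_SAMPLE)):
        print(f"== {name} ==")
        for f in lint(conf):
            print(f"{f.level:5} {f.key}: {f.msg}")
```

Run it against a real /etc/samba/smb.conf by passing the file's contents to lint(); testparm remains the authority on what Samba itself accepts, this only highlights the interactions the thread is about.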

