[olug] samba qs - pswds and trust?
Brian Wiese
bwiese at cotse.com
Sat Mar 15 01:14:44 UTC 2003
On Fri, 14 Mar 2003 07:44:10 -0600
ktb <xyf at nixnotes.org> wrote:
|On Thu, Mar 13, 2003 at 11:56:00PM -0600, Brian Wiese wrote:
|> see inline... sidenote: anyone setup Samba 2.2 with LDAP yet?
|>
|> On Thu, 13 Mar 2003 13:58:18 -0600
|> ktb <xyf at nixnotes.org> wrote:
|>
|> |On Thu, Mar 13, 2003 at 09:53:21AM -0600, Brian Wiese wrote:
|> |> I am in the process of setting up a Windows network domain with
|> |> Samba 2.2(debian woody) as the primary domain controller[1] and many
|> |> Win98 clients. Just a couple of the questions I've been trying to
|> |> figure out lately are, wondering if anyone on the list has
|> |> experienced this...
|> |>
|> |> Q 1.
|> |> Can the PAM modules cracklib or passwdqc be used to test the
|> |> security of smbpasswds? I honestly haven't tried this yet, so I am
|> |> just looking for a quick answer before I start messing with
|> |> (learning) PAM configs. I have set in smb.conf on the PDC:
|> |> security = user
|> |> encrypted passwords = yes
|> |> obey pam restrictions = yes
|> |> pam password change = yes
|> |>
|> |
|> |Take a look at the pam section in smb.conf for this. Pam is only used
|> |if you use plain text passwords. Pam is ignored if encrypted
|> |passwords are used.
|>
|> (I will play with this more when I get a chance...)
|>
|> That is what I thought at first, but I guess I am confused -- as using
|> PAM for say 'password' enforcement and then sending the passwords plain
|> text on the network kinda defeats the purpose. Anything above Win9x it
|> sounds 'needs' to use encrypted passwords to join a domain.
|>
|> It seems like 'encrypted passwords = yes' only disables the
|> 'authentication'[1] services of PAM. I imagine the 'account',
|> 'session', and 'password' services should still work. Or does it only
|> pertain to 'account' and 'session'??
|>
|
|The account/password stuff still works. Both the smbpasswd file and
|/etc/passwd have to be in agreement.
Is there an easy way to do this for when a user changes their UNIX
password so that it matches/updates their samba password as well? I heard
it should be scripted somehow, or can this be done with PAM? (I'm
confused) I have it already set for when a user changes their samba
password that their UNIX password is changed as well, "unix password sync
= yes".
<snip>
|I understand the two PDCs are on different networks but would it be
same network, different domains
|workable to set up just one to be the PDC? I don't know if Samba plays
|well with NT4's authentication or not but if it does change your samba
|security to -
|
|security = server
|and then set
|password server = NT4-box
|
|I know you can set up samba to authenticate off another linux server
|running as a PDC.
|
|Just dump the NT box ;)
yep, that's the plan. =)
Brian Wiese | bwiese at cotse.com | aim: unolinuxguru
------------------------------------------------------
GnuPG/PGP key 0x1E820A73 | "FREEDOM!" - Braveheart
------------------------------------------------------
This is not about Napster or DVDs. It's about your Freedom.
I'll see your DMCA and raise you a First Amendment.
http://www.anti-dmca.org
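
An added example, not part of the original thread: a small audit of the point that the smbpasswd file and /etc/passwd "have to be in agreement". It assumes agreement means matching user names and uids, uses the Samba 2.2 smbpasswd layout (name:uid:LM hash:NT hash:[flags]:LCT-...:), and treats uids from 1000 up as regular users; the sample data is constructed and the hashes are placeholders.

```python
# Constructed sample data; the hash fields are placeholder hex, not real hashes.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/bash
"""

SAMPLE_SMBPASSWD = """\
# constructed entries
alice:1001:{h}:{h}:[U          ]:LCT-3E727A64:
bob:1005:{h}:{h}:[U          ]:LCT-3E727A64:
dave:1004:{h}:{h}:[U          ]:LCT-3E727A64:
""".format(h="0123456789ABCDEF" * 2)


def parse_uids(text, uid_field):
    """Map username -> uid for colon-separated lines; uid_field is the uid column."""
    uids = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        # Skip comments, blank lines and lines too short to hold a uid.
        if line.lstrip().startswith("#") or len(fields) <= uid_field:
            continue
        if fields[uid_field].isdigit():
            uids[fields[0]] = int(fields[uid_field])
    return uids


def find_disagreements(passwd_text, smbpasswd_text, min_uid=1000):
    """Return (user, problem) pairs where the two account files disagree."""
    unix = parse_uids(passwd_text, 2)     # name:passwd:uid:...
    smb = parse_uids(smbpasswd_text, 1)   # name:uid:LM:NT:[flags]:LCT:
    problems = []
    for name, uid in sorted(smb.items()):
        if name not in unix:
            problems.append((name, "in smbpasswd but no UNIX account"))
        elif unix[name] != uid:
            problems.append((name, "uid %d in smbpasswd, %d in passwd" % (uid, unix[name])))
    for name, uid in sorted(unix.items()):
        # min_uid is an assumed cut-off that leaves out system accounts.
        if uid >= min_uid and name not in smb:
            problems.append((name, "UNIX account without smbpasswd entry"))
    return problems


if __name__ == "__main__":
    for name, problem in find_disagreements(SAMPLE_PASSWD, SAMPLE_SMBPASSWD):
        print("%-8s %s" % (name, problem))
```

On a real server, pass the contents of /etc/passwd and the smbpasswd file (its path depends on the build) to `find_disagreements` instead of the samples.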