samba - May 2002 - Winbindd+W2K+NT+Pam+Samba 2.2.3a+Solaris

Hi -

I have been attempting to set up Samba to do authentication against a
Windows 2K Domain Controller as well as NT PDCs. I have installed Winbindd,
Samba, and compiled with PAM and updated my smb.conf, pam.conf file and the
other stuff in the installation guide. The objective of all of this is to
allow an application running on top of Solaris to authenticate the users
logging into the application against an Active Directory or NT domain. 

We do not want to maintain any of these users as UNIX accounts or even Samba
accounts if we can help it. When I read through the man pages and HowTo
documentation it at first seemed that this was possible using Winbindd and
PAM. Upon closer investigation it looks like the users must have UNIX
accounts and smbpasswd accounts to enable the challenge/response
authentication - is this true? 

I am also confused as to whether PAM is relevant since the majority of
documentation states that it only works with clear-text passwords and W2K
and NT require passwords to be encrypted. Can someone elaborate on this
relationship please? I am about ready to give up and say that this cannot be
done.

BTW - I can run through the DIAGNOSIS.txt tests successfully up to Test 7
and the user accounts I am testing with are valid in AD. In addition, I have
read through many of the mailing list postings and the error I get back on
test seven is the same as many others - NT_STATUS_LOGON_FAILURE, the log
says  - auth2 challenge failed - NT_STATUS_ACCESS_DENIED.

Thanks in advance for your help - 

Christine Adcock
Content Management Team

BV Solutions Group, Inc.
10950 Grandview Drive
Overland Park, Kansas 66210
(913)458-2332
mailto:adcockcm@bvsg.com <mailto:adcockcm@bvsg.com>

On Tue, 14 May 2002, Adcock, Christine M. wrote:
> accounts if we can help it. When I read through the man pages and HowTo
> documentation it at first seemed that this was possible using Winbindd and
> PAM. Upon closer investigation it looks like the users must have UNIX
> accounts and smbpasswd accounts to enable the challenge/response
> authentication - is this true? 
No.  Winbind's PAM and NSS module will take care this for you.
> I am also confused as to whether PAM is relevant since the majority of
> documentation states that it only works with clear-text passwords and
> W2K and NT require passwords to be encrypted. Can someone elaborate on
> this relationship please? I am about ready to give up and say that this
> cannot be done.
If Samba authenticates a user via PAM, then clear text passwords must be 
used.  However, the pam_winbind module is for use by applications
other than Samba so you can safely use "encryt passwords = yes".
> BTW - I can run through the DIAGNOSIS.txt tests successfully up to Test 7
> and the user accounts I am testing with are valid in AD. In addition, I
have
> read through many of the mailing list postings and the error I get back on
> test seven is the same as many others - NT_STATUS_LOGON_FAILURE, the log
> says  - auth2 challenge failed - NT_STATUS_ACCESS_DENIED.
Did you add the Samba box to the domain?  Ahh...You should probably
try 2.2.4 since there was a related big-endian related bug fixed
between 2.2.3a and 2.2.4 related to joining a domain.










cheers, jerry
 ---------------------------------------------------------------------
 Hewlett-Packard                                     http://www.hp.com
 SAMBA Team                                       http://www.samba.org
 --                                            http://www.plainjoe.org
 "Sam's Teach Yourself Samba in 24 Hours" 2ed.      ISBN
0-672-32269-2
 --"I never saved anything for the swim back." Ethan Hawk in Gattaca--