I had given NIS access to the Windows NT domain users via Samba
1.9.18p3. The Samba gateway worked great when the users on the NT domain
had the same username & password on both the NT PDC as well as the NIS.
I have now set up Samba 1.9.18.p4 with server security & password sync
turned on. The server specified is my NT PDC. Users get full access to
the NIS & the NT with single logon & authentication works fine. However
the passwords refuse to sync when the user changes his password at
either end.

I understood from the p4 documentation that this should have worked. Did
I understand wrong or have I screwed up somewhere? Can someone please
help?

John Mathews

John Mathews wrote:
>
> I had given NIS access to the Windows NT domain users via Samba
> 1.9.18p3. The Samba gateway worked great when the users on the NT domain
> had the same username & password on both the NT PDC as well as the NIS.
> I have now set up Samba 1.9.18.p4 with server security & password sync
> turned on. The server specified is my NT PDC. Users get full access to
> the NIS & the NT with single logon & authentication works fine. However
> the passwords refuse to sync when the user changes his password at
> either end.
> I understood from the p4 documentation that this should have worked. Did
> I understand wrong or have I screwed up somewhere ? Can someone please
> help ?
>

No, this is not what the password sync code does.
The password sync code allows you to get a password
change request from a Windows box, and use the plaintext
password to then change the user's unix password.

But the catch is you have to get a password change
request - changing the password on the NT domain
controller doesn't send a change request to the
Samba server on the NIS master, or vice versa.

Such a thing can be done however, and I have
code embedded in Cygnus's Kerbnet product
that will do such a thing.

I am currently negotiating with Cygnus to be
able to re-release the relevant code portions
under the GPL (the problem with Kerbnet is it's
a crypto product and as such has *massive* US export
problems).

Hope this helps,

Jeremy Allison.
Samba Team.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

On Wed, 15 Apr 1998 Jeremy Allison wrote:
> ...
>
> No this is not what the password sync code does.
> The password sync code allows you to get a password
> change request from a Windows box, and use the plaintext
> password to then change the user's unix password.
>
> But the catch is you have to get a password change
> request - changing the password on the NT domain
> controller doesn't send a change request to the
> Samba server on the NIS master, or vice versa.
>
> Such a thing can be done however, and I have
> code embedded in Cygnus's Kerbnet product
> that will do such a thing.
>
> I am currently negotiating with Cygnus to be
> able to re-release the relevant code portions
> under the GPL (the problem with Kerbnet is it's
> a crypto product and as such has *massive* US export
> problems).

Hello Jeremy,

Two Questions:

1) Did you have any success in this?

2) In a really old digest (1179 from Wed, 15 Jan 1997) I saw some part
   of a discussion focusing on the same topic. What about this approach?

> From: Don Gaffney <gaffney@emba.uvm.edu>
> To: Luke Kenneth Casson Leighton <lkcl@cb1.com>
>
> ...
>
> > well, i had a look at jeremy's little DLL for NT, which you add to the
> > password change stuff. and how does NT workstation communicate with NT
> > server? by doing a NetUserPasswordChange call (or somesuch call - note
> > that msdev says it only works for NT). so, you basically have a system
> > which sends _two_ SMB password changes: they _could_ be two NT domains:
> > they _could_ be two unix SMB servers...
>
> ...
>
> I've played w/ jeremy's little DLL as well. What you're saying is that
> this mechanism can (or does) send a NetUserPasswordChange smb packet over
> the net to a remote LANMAN server? Yes?
>
> So this can provide a way to sync passwords changed on NT with a
> SAMBA server. OK. This isn't too bad to do, jeremy's DLL could open
> a named pipe to SAMBA and SAMBA could do the rest: change the unix
> pw file and the smbpasswd file.

Thanks,
Detlef

                                                                   ////
                                                                  (Q Q)
---------------------------------------------------------------o0o.-(_)-.o0o----
Detlef Lammermann     eMail: detlef.lammermann@er.materna.de
Dr. Materna GmbH      X.400: /G=Detlef/S=Lammermann/O=ER/P=MATERNA/A=UMI-DE/C=DE/
Wetterkreuz 3         Voice: +49 9131 7723-60
D-91058 Erlangen      Fax:   +49 9131 7723-45