Couple of questions. I've poked around the web a bit and the Samba documentation and haven't really found a good answer.

Given an HP-UX 11.0 system and the latest 2.X Samba distro, here's what I'm trying to do:

Use Samba (possibly with winbind?) functionality to allow authentication via an NT PDC.

The problem I'm having visualizing is how that authentication happens. At the system level, all of these things go through getpwent (or the secure/shadow version of that call). How exactly can that call be hijacked by Samba and redirected to an NT domain for authentication?

The basic problem is that we have an application (call it X) that requires a LOT of users and consequently a LOT of password changes, corporate IT password standards that the application doesn't support, etc. It's messy.

What we'd like to see is that the username/password that the user types in to the application interface is authenticated via a PDC rather than the /etc/passwd file.

This application does NOT use PAM. This I think has been my roadblock up to now.

Does the getpwent code have flexibility? I.e. can something be put in resolv.conf to allow for alternate resolution for passwords? Did I miss a document somewhere?

Sorry for the rambling email, but I'm not sure where to start at the moment.

Thanks,
Eric Ladner
ChevronTexaco
"Ladner, Eric (Eric.Ladner)" wrote:

> Couple of questions. I've poked around the web a bit and the Samba
> documentation and haven't really found a good answer.
>
> Given an HP-UX 11.0 system and the latest 2.X Samba distro, here's what I'm
> trying to do:
>
> Use Samba (possibly with winbind?) functionality to allow authentication via
> an NT PDC.
>
> The problem I'm having visualizing is how that authentication happens. At
> the system level, all of these things go through getpwent (or the
> secure/shadow version of that call). How exactly can that call be hijacked
> by Samba and redirected to an NT domain for authentication?

Winbind simply disables all passwords in this case.

> The basic problem is that we have an application (call it X) that requires a
> LOT of users and consequently a LOT of password changes, corporate IT
> password standards that the application doesn't support, etc. It's messy.
>
> What we'd like to see is that the username/password that the user types in
> to the application interface is authenticated via a PDC rather than the
> /etc/passwd file.
>
> This application does NOT use PAM. This I think has been my roadblock up to
> now.

And so it shall remain. If you have the sources for the app you could use the winbind interface directly, without going via PAM.

> Does the getpwent code have flexibility? I.e. can something be put in
> resolv.conf to allow for alternate resolution for passwords? Did I miss a
> document somewhere?

What you propose (somehow putting a crypt-compatible password in a getent return) isn't possible.

> Sorry for the rambling email, but I'm not sure where to start at the moment.

BTW, does winbind support HP-UX yet?

--
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
Hi Andrew,

The latest 2.2.3 CVS has all the changes necessary to build winbindd on HP-UX, if you are using the HP-UX ANSI C compiler. It's very new, but I have been able to use it to get telnet and ftp access to HP-UX by logging in as DOMAIN/NTUSERNAME and being authenticated via pam_winbind to the NT domain that Samba joined...

Still needs a LOT of testing, but anyone with HP-UX that wants to play around with this functionality should check out the latest 2.2 CVS tree...

Hope this helps,
Don

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet@pcug.org.au]
Sent: Thursday, January 17, 2002 7:17 AM
To: Ladner, Eric (Eric.Ladner)
Cc: 'samba@lists.samba.org'
Subject: Re: Samba/HP-UX question.

> "Ladner, Eric (Eric.Ladner)" wrote:
>
> > Couple of questions. I've poked around the web a bit and the Samba
> > documentation and haven't really found a good answer.
> >
> > Given an HP-UX 11.0 system and the latest 2.X Samba distro, here's what I'm
> > trying to do:
> >
> > Use Samba (possibly with winbind?) functionality to allow authentication via
> > an NT PDC.
> >
> > The problem I'm having visualizing is how that authentication happens. At
> > the system level, all of these things go through getpwent (or the
> > secure/shadow version of that call). How exactly can that call be hijacked
> > by Samba and redirected to an NT domain for authentication?
>
> Winbind simply disables all passwords in this case.
>
> > The basic problem is that we have an application (call it X) that requires a
> > LOT of users and consequently a LOT of password changes, corporate IT
> > password standards that the application doesn't support, etc. It's messy.
> >
> > What we'd like to see is that the username/password that the user types in
> > to the application interface is authenticated via a PDC rather than the
> > /etc/passwd file.
> >
> > This application does NOT use PAM. This I think has been my roadblock up to
> > now.
>
> And so it shall remain. If you have the sources for the app you could use
> the winbind interface directly, without going via PAM.
>
> > Does the getpwent code have flexibility? I.e. can something be put in
> > resolv.conf to allow for alternate resolution for passwords? Did I miss a
> > document somewhere?
>
> What you propose (somehow putting a crypt-compatible password in a getent
> return) isn't possible.
>
> > Sorry for the rambling email, but I'm not sure where to start at the moment.
>
> BTW, does winbind support HP-UX yet?
>
> --
> Andrew Bartlett                                 abartlet@pcug.org.au
> Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
> Student Network Administrator, Hawker College   abartlet@hawkerc.net
> http://samba.org     http://build.samba.org     http://hawkerc.net
Hi Eric,

Some thoughts below, hope it helps,
Don

-----Original Message-----
From: Ladner, Eric (Eric.Ladner) [mailto:Eric.Ladner@chevrontexaco.com]
Sent: Wednesday, January 16, 2002 4:43 PM
To: 'samba@lists.samba.org'
Subject: Samba/HP-UX question.

> Couple of questions. I've poked around the web a bit and the Samba
> documentation and haven't really found a good answer.
>
> Given an HP-UX 11.0 system and the latest 2.X Samba distro, here's what I'm
> trying to do:
>
> Use Samba (possibly with winbind?) functionality to allow authentication via
> an NT PDC.

The latest 2.2 CVS has support for building Samba --with-pam and --with-winbind on HP-UX 11.0.

> The problem I'm having visualizing is how that authentication happens. At
> the system level, all of these things go through getpwent (or the
> secure/shadow version of that call). How exactly can that call be hijacked
> by Samba and redirected to an NT domain for authentication?

getpwent does not actually do any AUTHENTICATION. All it does is search the various databases it is directed to via /etc/nsswitch.conf for entries, and the program then compares its username until it finds an entry that matches. Part of the entry that matches (depending on whether you are on a 'secure' system with shadow passwords or not) will be the one-way encrypted password for that entry, and it would be up to the program to take the cleartext password for that user that was passed into the program and use the same one-way encryption algorithm (generally crypt() or bigcrypt()) to encrypt it and compare the two. This is assuming NOT using PAM.

> The basic problem is that we have an application (call it X) that requires a
> LOT of users and consequently a LOT of password changes, corporate IT
> password standards that the application doesn't support, etc. It's messy.
>
> What we'd like to see is that the username/password that the user types in
> to the application interface is authenticated via a PDC rather than the
> /etc/passwd file.
>
> This application does NOT use PAM. This I think has been my roadblock up to
> now.
>
> Does the getpwent code have flexibility? I.e. can something be put in
> resolv.conf to allow for alternate resolution for passwords? Did I miss a
> document somewhere?

If you use winbind, and set up /etc/nsswitch.conf so that it uses files (i.e. /etc/passwd) AND winbind, then a getpwent request would be able to return a domain/username entry from your NT domain controller, but since NT does not send passwords across the wire (not even encrypted passwords), but instead uses a challenge/response method to validate users/passwords, there will be no 'password' field returned for you to check. So your program would HAVE to be modified to use pam_authenticate() to actually do the validation, or if you didn't want to do that, you could, as Andrew suggested, hack around and try to interface directly to the winbindd daemon itself to get the authentication done...

> Sorry for the rambling email, but I'm not sure where to start at the moment.
>
> Thanks,
> Eric Ladner
> ChevronTexaco
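The two points Don makes above (getpwent/getpwnam only look an entry up and the non-PAM application does the crypt() compare itself; a winbind entry served through nsswitch.conf resolves but carries no hash to compare) as an added example, not code from the thread or from Samba: a Python model of the lookup-then-compare flow. The nsswitch.conf text, the users `eric` and `CORP/eric`, the demo password and the `*` in the winbind entry's password field are all constructed for the example (the real winbindd NSS module returns its own placeholder; what matters is only that it is not a hash). Python's `crypt` module is used where it still exists; where it has been removed, a clearly labelled stand-in with the same compare contract is substituted.

```python
"""Model of the non-PAM check: walk the nsswitch.conf 'passwd:' sources
(files, then winbind) to find an entry, then crypt() the cleartext against
the stored field.  All names, hashes and config text are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

try:
    import crypt  # real crypt(3) binding; removed from Python 3.13

    def _crypt(clear: str, setting: str) -> str:
        return crypt.crypt(clear, setting)

    def _new_setting() -> str:
        return crypt.mksalt()
except ImportError:
    # Stand-in with the same contract as crypt(3): _crypt(clear, stored) == stored
    # iff 'clear' is the right password.  Demo only, not a real password hash.
    def _crypt(clear: str, setting: str) -> str:
        salt = setting.split("$")[2]
        digest = hashlib.sha256((salt + clear).encode()).hexdigest()
        return f"$demo${salt}${digest}"

    def _new_setting() -> str:
        return f"$demo${secrets.token_hex(8)}$"


@dataclass(frozen=True)
class PasswdEntry:
    """Subset of struct passwd; pw_passwd is a crypt(3) hash or a placeholder."""
    pw_name: str
    pw_passwd: str
    pw_uid: int
    pw_gid: int
    pw_dir: str
    pw_shell: str


NSSWITCH_CONF = "# constructed /etc/nsswitch.conf fragment\npasswd: files winbind\ngroup:  files winbind\n"
DEMO_PASSWORD = "correct horse"  # constructed

# Constructed 'files' source: what /etc/passwd holds on a non-trusted system.
FILES_SOURCE: Dict[str, PasswdEntry] = {
    "eric": PasswdEntry("eric", _crypt(DEMO_PASSWORD, _new_setting()),
                        1001, 20, "/home/eric", "/usr/bin/sh"),
}
# Constructed 'winbind' source: domain users appear as DOMAIN/user (the '/'
# separator from the telnet test above) with no hash in the password field.
WINBIND_SOURCE: Dict[str, PasswdEntry] = {
    "CORP/eric": PasswdEntry("CORP/eric", "*", 10001, 10001,
                             "/home/CORP/eric", "/usr/bin/sh"),
}
SOURCES = {"files": FILES_SOURCE, "winbind": WINBIND_SOURCE}


def passwd_sources(conf_text: str) -> List[str]:
    """Sources on the 'passwd:' line, in order; status clauses such as
    [NOTFOUND=continue] are skipped."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("passwd:"):
            return [tok for tok in line[len("passwd:"):].split()
                    if not tok.startswith("[")]
    return ["files"]  # libc default when no passwd line is present


def getpwnam(name: str, conf_text: str = NSSWITCH_CONF) -> Optional[PasswdEntry]:
    """Model of getpwnam(3): try each configured source in order, first hit wins."""
    for src in passwd_sources(conf_text):
        entry = SOURCES.get(src, {}).get(name)
        if entry is not None:
            return entry
    return None


def has_crypt_hash(field: str) -> bool:
    """True only if pw_passwd is something crypt() can be compared against."""
    return field not in ("", "x") and not field.startswith(("*", "!"))


def verify_legacy(name: str, clear: str) -> Tuple[bool, str]:
    """The pre-PAM check: look the user up, crypt() the cleartext using the
    stored hash as the setting, compare.  Fails closed when there is no hash,
    which is exactly what a winbind-served entry looks like to this code."""
    entry = getpwnam(name)
    if entry is None:
        return False, "no-such-user"
    if not has_crypt_hash(entry.pw_passwd):
        return False, "no-hash"  # lookup succeeded, verification impossible
    if hmac.compare_digest(_crypt(clear, entry.pw_passwd), entry.pw_passwd):
        return True, "ok"
    return False, "bad-password"


if __name__ == "__main__":
    for user, pw in [("eric", DEMO_PASSWORD), ("eric", "wrong"),
                     ("CORP/eric", DEMO_PASSWORD), ("nobody", DEMO_PASSWORD)]:
        print(f"{user:10s} -> {verify_legacy(user, pw)}")
```

Run it and the local user verifies while the domain user resolves through the winbind source but comes back `no-hash`. That is the split Don is describing: the lookup side can be redirected through nsswitch.conf, the verification side cannot, so an application that only does getpwnam() plus crypt() has to grow a pam_authenticate() call (or talk to winbindd directly) to authenticate domain users.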