On Tue, 2003-06-17 at 09:45, Nick Stephens wrote:> Greetings! > > I have grabbed the latest samba3 cvs source, and successfully compiled it, > got it talking to my NT server, joined the domain, etc.. life is good. > But, now I have a question kinda related to functionality, i believe... > > A quick synopsis of my goal is as follows: > > i currently have a sendmail linux box that also does my pop3 for users.. > given that they only use pop, mail passwords arent changed as religiously > as the NT domain passwords.. my goal was to synch the unix and nt > passwords, thus eliminating the need to change them via the cmd line, and > keeping it all ctrl-alt-del easy for them. > > I seem to have pop working ok with a freshly written PAM module, my logs > all seem to be saying that everything is fine, but heres my question.. > > For me to get the email for user 'domainname+user', the > /var/spool/mail/user file has to have the same UID/GID/SID on NT and > unix.. is there a quick way to convert this? I'm assuming that I will > have to let the NT PDC be the master as far as what the UID/SID > transformation is.. but the only tool i have seen so far to convert it > requires me to do the following: > > wbinfo -n user |xargs wbinfo -S > > while this isn't TOO terribly tedious on my small network, I have a > feeling that larger companies will have a problem with that, and that > perhaps I am missing some tool that would be great convenience to me.. > > am i offbase here, or do i just need to do that wbinfo on each user, and > hand edit my /etc/passwd to change the uid/gid's, and then re-chown > everyones homedir and mailspool? i kinda hope not :)There are a few solutions to your problem - one that many sites will be coming across as they attempt migrations. Firstly, if you just want to deal with the passwords, and don't mind keeping the users database as it was, you just use pam_winbind, but not nss_winbind. If you then set 'winbind use default domain = yes', and the NT usernames are the same as your unix ones, then it should all 'just work'. ie, only the passwords are redirected. If you want to go future, and ditch the unix username database, you can alter the 'idmap' that Samba controls (mapping the NT sids to uids) so that they match the existing unix accounts to the NT accounts. I think 'net idmap' should let you do this, but it's only just in CVS, and I've not played with it. Andrew Bartlett -- Andrew Bartlett abartlet@pcug.org.au Manager, Authentication Subsystems, Samba Team abartlet@samba.org Student Network Administrator, Hawker College abartlet@hawkerc.net samba.org build.samba.org hawkerc.net -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : lists.samba.org/archive/samba/attachments/20030617/1f924f4b/attachment.bin
On Tue, 2003-06-17 at 15:59, Nick Stephens wrote:> NS> Andrew Bartlett (abartlet@samba.org) AB wrote on Jun 17, 2003: > > > There are a few solutions to your problem - one that many sites will be > > coming across as they attempt migrations. > > > > Firstly, if you just want to deal with the passwords, and don't mind > > keeping the users database as it was, you just use pam_winbind, but not > > nss_winbind. If you then set 'winbind use default domain = yes', and > > the NT usernames are the same as your unix ones, then it should all > > 'just work'. ie, only the passwords are redirected. > > In this case, do you mean to remove the winbind references from my > nsswitch.conf? Is this the portion of it that deploys the gid/uid/sid > information?Yes. PAM and nsswitch are seperate, and it can be quite handy to seperate them. Note that it doesn't work as well running winbind, not having winbind in nsswtich, but running the Samba file-server.> > If you want to go future, and ditch the unix username database, you can > > alter the 'idmap' that Samba controls (mapping the NT sids to uids) so > > that they match the existing unix accounts to the NT accounts. I think > > 'net idmap' should let you do this, but it's only just in CVS, and I've > > not played with it. > > so in this instance, would you mean removing any /etc/passwd & shadow > entries for the users, and letting it all be done via the smb.conf and > winbindd? That actually sounds like a good idea (it saves me from having > to be redundant with my userbase still), but my concern is this: i am > running samba on my linux mailserver that my users pop3 to.. i wanted to > synch my nt domain/unix passwds, as users will really appreciate the > ability to just have to change the one passwd, etc.. if i remove the > accounts from the passwd/shadow files, would i just have to rely on > properly created aliases to deliver the mail, since i don't think sendmail > will be aware of the nt domain users...If you have the winbind entry in the nsswtich.conf, and you have 'winbind use default domain = yes' and you have the same name on NT as on unix, then sendmail won't know the difference. You will need to set the idmap correctly if you don't want to chown the files.> along those same lines but kind of off 'samba' base (read: feel free to > ignore this if you have no idea what im talkin about :)... I am trying to > configure the pop3 pam.d conf to be able to accept those nt usernames, and > i'm curious if anyone has an example config for this very idea.. if so, > that would definitely save me some headaches im sure, and if not maybe i > can write one up for samba.org when i'm done ;) > > here is my (surely weak) attempt at /etc/pam.d/pop3:Looks good.> auth sufficient /lib/security/pam_winbind.so > auth required /lib/security/pam_pwdb.so use_first_pass shadow > nullok > auth required /lib/security/pam_shells.so > account sufficient /lib/security/pam_winbind.so > account required /lib/security/pam_pwdb.so > session required /lib/security/pam_stack.so service=system-auth > > > -- > Nick Stephens > Systems Administrator > Ceiva Logic, Inc. > > (818) 481-6332 > > -- > To unsubscribe from this list go to the following URL and read the > instructions: lists.samba.org/mailman/listinfo/samba-- Andrew Bartlett abartlet@pcug.org.au Manager, Authentication Subsystems, Samba Team abartlet@samba.org Student Network Administrator, Hawker College abartlet@hawkerc.net samba.org build.samba.org hawkerc.net -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : lists.samba.org/archive/samba/attachments/20030617/b674473f/attachment.bin