I posted this to comp.protocols.smb, but I'll give it a shot here too...

Background: We have an existing Win2k domain, 2 Win2k domain controllers, all working just fine. I've been using Samba 2.2.x for quite a while to provide access to specific folders on *nix machines using Domain security... So I'm reasonably familiar with how file/print sharing works. But what I'm interested in now is providing shell access to *nix machines, without having to manually create accounts on each box. Therefore, winbind...

1st, if using winbind, and all I want to do is not have to manually create users on the *nix box, do I need to configure LDAP in "client" mode on the *nix box? Or does winbind take care of looking up the user/password info without needing LDAP info? I guess what I mean is, do I need to worry about LDAP (or Kerberos for that matter)? We're not currently using it for any of our *nix machines...

2nd, is it possible to have *only* users in a specified AD group be granted shell access, and therefore be authenticated? I.e., I don't want *all* valid users in our domain to be granted access, I want to be able to say that only users in AD group X can log in via the shell on the specific *nix box... If this is possible, does this require LDAP configuration on the *nix side?

Finally, does using winbind require that the application/daemon support, or be compiled to support, PAM? Some of our machines are AIX, and PAM support isn't standard until 5.2, and has only recently been back-ported to 5.1... We have 5.1, but also 4.3.3. Or is there a good source of information on AIX's LAM and how it may work (if at all) with Samba/winbind?

I've read, and re-read all the information I've been able to find on winbind, and am still a bit unclear on these things. Thanks for any info or pointers...

--
- Matt -