Hi list,

Could anyone explain why a Samba+LDAP PDC needs to have PAM and NSS configured with ldap to authenticate?

I thought that SAMBA authenticates directly against LDAP rather than asking PAM/NSS to do this, but this doesn't seem to be true.

I configured a Samba+LDAP PDC with the help of the idealx.org SAMBA PDC howto. I succeeded with 3.0.2a. Just for experimenting, I used authconfig to disable ldap in nsswitch.conf and system-auth, and the PDC stopped working. Is it true that SAMBA needs to authenticate twice, once with SambaSamAccount and once with PosixAccount?

Thanks for any ideas on this matter.

Loc Nguyen wrote:
| Hi list,
|
| Could anyone explain why Samba+LDAP PDC needs to have PAM and
| NSS configured with ldap to authenticate ?
|
| I thought that SAMBA
| authenticates directly against LDAP rather asking PAM/NSS to do this,
| but this doesn't seem to be true.
|
| I configured a Samba+LDAP PDC with
| the help of idealx.org SAMBA PDC howto. I succeeded with 3.0.2a. Just
| for experimenting, I used authconfig to disable ldap in nssswitch.conf
| and system-auth, the PDC stop working. Is it true that SAMBA need to
| authenticate twice, one with SambaSamAccount, and another with
| PosixAccount?
|
|
| thanks for any ideas on this matter

Yes and no. You don't need to authenticate twice, e.g. you can disable the corresponding UNIX account and still be able to log in via samba, but you need a UNIX (Posix) account. The rationale is quite simple: as long as Samba runs as a Unix process, in order to get the rights of the user you are connecting as, it is running with that user's userid. Without a valid userid, aka Posix account, it would not be possible.

Cheers,
Geza

On Wed, 18 Feb 2004, Loc Nguyen wrote:

> Hi list,
>
> Could anyone explain why Samba+LDAP PDC needs to have PAM and
> NSS configured with ldap to authenticate ?
>
> I thought that SAMBA
> authenticates directly against LDAP rather asking PAM/NSS to do this,
> but this doesn't seem to be true.
>
> I configured a Samba+LDAP PDC with
> the help of idealx.org SAMBA PDC howto. I succeeded with 3.0.2a. Just
> for experimenting, I used authconfig to disable ldap in nssswitch.conf
> and system-auth, the PDC stop working. Is it true that SAMBA need to
> authenticate twice, one with SambaSamAccount, and another with
> PosixAccount?

Samba relies on the OS it sits on top of to do identity resolution. NSS (/etc/nsswitch.conf) does only identity resolution. On a PDC+LDAP you must have Posix accounts in LDAP and must be able to resolve UID/GIDs via NSS (nss_ldap) for proper operation.

By default, 3.x does not use PAM authentication for smbd operation.

- John T.

>
>
> thanks for any ideas on this matter
>

--
John H Terpstra
Email: jht@samba.org
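
An added example, not part of the thread and not Samba's own code: a Python check of the point made in the replies, that smbd depends on NSS to resolve the POSIX identity. It parses a constructed nsswitch.conf sample to see whether the ldap source can actually be reached for a database (a `[NOTFOUND=return]` after `files` cuts it off) and asks NSS to resolve a user name. The function names and the sample file are assumptions made for illustration.

```python
import pwd
import re

# Constructed sample of /etc/nsswitch.conf (not taken from the thread).
SAMPLE_NSSWITCH = """\
# identity databases
passwd:  files ldap
group:   files [NOTFOUND=return] ldap
shadow:  files
"""

def parse_nsswitch(text):
    """Return {database: [(source, [criteria...]), ...]} in lookup order."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, rest = line.split(":", 1)
        chain = []
        for tok in re.findall(r"\[[^\]]*\]|\S+", rest):
            if tok.startswith("["):
                if chain:  # criteria apply to the source just before them
                    chain[-1][1].extend(tok[1:-1].lower().split())
            else:
                chain.append((tok.lower(), []))
        dbs[db.strip().lower()] = chain
    return dbs

def stops_on_miss(criteria):
    """True if a NOTFOUND result from this source ends the lookup."""
    for crit in criteria:
        status, _, action = crit.partition("=")
        negated = status.startswith("!")
        matches = (status.lstrip("!") == "notfound") != negated
        if matches and action == "return":
            return True
    return False

def ldap_reachable(dbs, database):
    """Can a name missing from earlier sources still be looked up in ldap?"""
    for source, criteria in dbs.get(database, []):
        if source == "ldap":
            return True
        if stops_on_miss(criteria):
            return False
    return False

def resolve_uid(username):
    """Ask NSS for the POSIX uid/gid of a name; None if it cannot be resolved."""
    try:
        entry = pwd.getpwnam(username)
    except KeyError:
        return None
    return entry.pw_uid, entry.pw_gid
```

On a real PDC, pass the contents of /etc/nsswitch.conf to `parse_nsswitch` and call `resolve_uid` with an account that exists only in LDAP; a `None` result means NSS cannot supply the uid that smbd needs, regardless of whether the password check against the directory would succeed.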