Ray Holtz wrote:
>José Ildefonso Camargo Tolosa wrote:
>
>>Yes, you can. It will use samba for session, not for auth (obey pam
>>restrictions = Yes).
>>
>>I'm using it, on a samba PDC. Not sure if it will work with
>>security=ads (I don't use w2k3, I use a samba PDC (I have even
>>customers who are changing their w2k3 servers to samba, because of the
>>CAL)).
>
>I appreciate the help, but that won't work for me. In the
>smb.conf(5) man file under 'obey pam restrictions (G)'...
>
It says:
"When Samba 3.0 is configured to enable PAM support (i.e. --with-pam),
this parameter will control whether or not Samba should obey PAM's
account and session management directives. (....) Note that Samba always
ignores PAM for authentication in the case of encrypt passwords = yes."
(only ignores authentication).
It doesn't say anything about ADS, and I use it with encrypt
passwords=yes. I'm not sure, maybe I'm wrong; I would like you to do
the test, it works for me.
Anyway, you have nothing to lose, put in the /etc/pam.d/samba:
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
in my case it is in: /etc/pam.d/common-session , because I'm using Debian.
Now my question: Why do you need Windows 2003 server? I have found that
almost everything can be done with linux-based servers (just ask me
anything). The only thing you would lose is the "kerberos" auth for the
windows workstations (but it seems to be scheduled for samba-4 (I hope))
(and other things are only harder to get). I have found that
ldap+pam+nfs may be an excellent option to use for unix workstations; I
have even thought about doing a script to be run from a pam module that
rsyncs the user dir with the central server (in order to have "roaming"
home dirs, without nfs).
We are having a war at my college (UNET) in Venezuela to avoid using
windows 2k3, and we have found that a point of weight is the CALs: you
need a CAL for either: every user in your AD (Active Directory), every
workstation that would connect to the AD (this excludes authenticated
web access, for, let's say, a sharepoint portal, in which case you need extra
CALs for web access), or every *authenticated connection* that will go
to ANY of your servers (yes, that means you need a CAL even for web
authenticated users, if they use AD to authenticate). That's why I'm
working like mad to put together a "solution" that can do almost
everything AD can offer, and I see that a large part of the work is
already done; it is almost only a matter of "putting things together".
>Note that Samba always ignores PAM for authentication in the
>case of encrypt passwords = yes. The reason is that PAM modules
>cannot support the challenge/response authentication mechanism
>needed in the presence of SMB password encryption.
>
>
Auth, not session, the mkhomedir is a session stage module.
>I need to authenticate windows 95,nt,2000,xp clients against the
>2003AD to use their share, so 'security=ads' needs 'encrypt
>passwords=yes'.
>
>I wish that I could scrap the Windows2003 AD for a SAMBA/LDAP
>domain server. Unfortunately I have neither the time nor
>knowledge to implement that right now. I am working as an
>intern at this school, and my internship is over in two weeks.
>
>
>Once again, thanks for the help, but that option won't work for
>me.
>
>
Just try it, it is a matter of 10 minutes. Do the changes, create a new
user, and login to a w2k workstation.
>Ray
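An added check script, not part of the original thread and not Samba's own tooling, for the two settings the reply depends on: "obey pam restrictions = yes" in smb.conf (a global parameter, so it only has to appear once in the file) and a session line loading pam_mkhomedir in the PAM stack Samba uses (/etc/pam.d/samba, or /etc/pam.d/common-session on Debian). The file paths are parameters; here the script builds constructed sample files in a temporary directory so it runs offline. It also reports the umask handed to pam_mkhomedir, because the umask=0022 from the thread leaves new home directories world-readable, whereas umask=0077 keeps them private to the owner. Whether Samba was built with PAM support at all (the "--with-pam" condition quoted from the man page) is something to confirm separately on the host, for example with "smbd -b".

```shell
#!/bin/sh
# Example checker (added here, not from the original mailing-list post).
# Usage on a real host: check_mkhomedir_setup /etc/samba/smb.conf /etc/pam.d/samba

# Return 0 if smb.conf has an active "obey pam restrictions = yes" line.
smb_obeys_pam() {
    # Case- and whitespace-insensitive; commented-out lines do not match.
    grep -Eiq '^[[:space:]]*obey[[:space:]]+pam[[:space:]]+restrictions[[:space:]]*=[[:space:]]*(yes|true|1)[[:space:]]*$' "$1"
}

# Return 0 if the PAM file has an active session line loading pam_mkhomedir.
pam_has_mkhomedir() {
    grep -Eiq '^[[:space:]]*session[[:space:]]+(required|requisite|optional|\[[^]]*\])[[:space:]]+pam_mkhomedir\.so' "$1"
}

# Print the umask given to pam_mkhomedir (empty if the line or option is absent).
mkhomedir_umask() {
    sed -nE 's/^[[:space:]]*session.*pam_mkhomedir\.so.*umask=([0-7]+).*$/\1/p' "$1" | head -n 1
}

# Overall check: 0 only when both halves of the setup are present.
check_mkhomedir_setup() {
    smb_obeys_pam "$1" && pam_has_mkhomedir "$2"
}

# Constructed sample files (assumed content, for demonstration only).
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/smb.conf" <<'EOF'
[global]
   workgroup = EXAMPLE
   security = ads
   encrypt passwords = yes
   obey pam restrictions = yes
EOF
cat > "$TMP/samba.pam" <<'EOF'
auth    required  pam_nologin.so
account required  pam_unix.so
# session line as given in the thread; umask=0077 would keep new homes private
session required  pam_mkhomedir.so skel=/etc/skel/ umask=0022
EOF
cat > "$TMP/samba-nopam.pam" <<'EOF'
auth    required  pam_nologin.so
session required  pam_unix.so
EOF

if check_mkhomedir_setup "$TMP/smb.conf" "$TMP/samba.pam"; then
    echo "ok: Samba obeys PAM and pam_mkhomedir is in the session stack (umask=$(mkhomedir_umask "$TMP/samba.pam"))"
else
    echo "missing: obey pam restrictions and/or a pam_mkhomedir session line"
fi
if check_mkhomedir_setup "$TMP/smb.conf" "$TMP/samba-nopam.pam"; then
    echo "unexpected: second sample should not pass"
else
    echo "as expected: samba-nopam.pam has no pam_mkhomedir session line"
fi
```

The check is deliberately a text scan: it tells you the directives are present, not that the module will run. If the home directory is still not created after a successful login, the next things to confirm are that the smbd binary was built with PAM support and that /etc/pam.d/samba (or the included common-session file) is the stack smbd actually opens.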