malk@sidehack.sat.gweep.net
2004-Dec-05 22:52 UTC
[Samba] Winbind running on Samba PDC for shell logins
Hello all-
I set up a Samba 3.0.8 PDC w/ a simple tdb backend and it's working great.
The full RPC based printing w/ drivers installed on the samba server
is sweet.
I know down the line I may want the windows users to be able to possibly
authenticate for other services like e-mail (via Pop or a webmail type
service perhaps) or shell logins on the same PDC. I didn't want to
have unix vs. windows passwords to worry about.
I found several options (unix password sync w/ passwd program, several
pam modules that might work), but I was most intrigued with the idea
of running winbind along with pam_winbind.so configured on the PDC, but
forcing it not to map UIDs or GIDs and simply only provide the authentication
but against itself and not some remote windows or samba PDC.
I scoured the howto, google, etc. and have never found anyone
using winbind w/ security = USER and domain logons = yes, and having
the PDC join its own domain so winbind could do its thing. So I
did some testing.
So I did this:
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
The use default domain is to guarantee unix users don't have a domain
component in their name and I don't have any trusts or anything.
Probably didn't need winbind enum [users|groups] because when winbind
starts and there's no id ranges supplied, it keeps itself as only an
auth proxy which is all I want anyway.
Left "files" only in nsswitch.conf (winbind won't map or provide uid/gid
mappings, enforced even more by not having nsswitch bother w/ winbind).
Joined my PDC box to his own domain w/ net rpc join -U root
(kinda funny seeing a machine account in /etc/passwd for itself)
Set up /etc/pam.d/common-auth, session, acct w/ lines similar to
auth sufficient pam_winbind.so
auth required pam_unix.so
Fired up winbind and voila, my windows users w/ disabled passwords in
/etc/passwd can log in to the PDC via their windows password stored
in the tdb backend. As they change their password on windows, only
one actual password changes as a result. Seems nice and clean.
So my question is are there any disadvantages to running this way?
i.e. would I be better off not bothering w/ winbind and instead use
unix password sync ?? Or is there something I haven't thought of that is
better?
I personally like winbind better than anything else I found because it
just seems to make more sense to me to have one password actually
stored since linux auth via winbind works so well. I've just never
used winbind except as a means to better integrate a linux box w/ a
windows PDC (both active dir (ads) and flat NT domains (rpc)). Can
any of you that understand samba's internals really well think of
any "gotchas" I could avoid by using something else? I didn't test out
unix password sync, but I'm confident it will solve my problem equally
as well.
Thanks for any thoughts,
--
Eric Malkowski
malk@sidehack.sat.gweep.net
2004-Dec-06 13:34 UTC
[Samba] Winbind running on Samba PDC for shell logins
> > Fired up winbind and voila, my windows users w/ disabled passwords in
> > /etc/passwd can log in to the PDC via their windows password stored
> > in the tdb backend. As they change their password on windows, only
> > one actual password changes as a result. Seems nice and clean.
> >
> > So my question is are there any disadvantages to running this way?
> > i.e. would I be better off not bothering w/ winbind and instead use
> > unix password sync ?? Or is there something I haven't thought of that is
> > better?
>
> One thing... if you set a list of workstations on which a user can login...
> then pam_winbind can't auth users anymore.
>

Oh wow... that's interesting and good to know. Thanks. So it sounds like
you're talking about the windows based workstation access restrictions
that are all stored in the tdb backend (access rights, or user rights in
the windows based user manager? I use usermgr for testing so end user
admins get a GUI for user management on the samba PDC). i.e. if I set up a
windows user to only be able to log in to 2 out of my 10 windows
workstations, then pam_winbind can't authenticate ANY users anymore -- or
just that one user or some subset of users? I doubt we'll be restricting
what workstations users can log in to, but this will save some headaches
if we try it and have issues. Thanks again. This is one reason to favor
unix password sync.

I'm wondering if unix password sync will work -- i.e. a normal samba PDC
setup has the windows password encrypted as LM hashes or whatever. Is the
PDC ever able to recover the plain text of XP/2K passwords so it can use
the passwd command as root to set the unix password?

Hopefully this thread will be useful to others too -- thanks for replying.

-E
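The configuration pieces described across both messages, collected into one worked example. This is an added example written for this page, not config posted by either participant; the domain name, the test user and the passwd chat prompts are assumptions, and the PAM file layout follows the Debian-style common-auth the first message mentions. The unix password sync alternative raised at the end is shown beside it: Samba only obtains the cleartext password at password-change time (the SAMR change-password call delivers it encrypted under the old NT hash, which the server decrypts), so that option keeps /etc/shadow in step from the next change onward but cannot back-fill existing accounts.

```ini
# ---- /etc/samba/smb.conf [global] fragment: a PDC that authenticates its own
# ---- shell logins through winbind (Samba 3.0.x parameter names)
[global]
    workgroup = EXAMPLE               # assumed domain name
    security = user
    domain logons = yes
    passdb backend = tdbsam

    # Keep winbind an authentication proxy only: no enumeration, no idmap
    # range, so it never allocates UIDs/GIDs. Unix identity comes from
    # /etc/passwd; the domain component is stripped so the user name
    # presented to PAM matches the local account name.
    winbind enum users = no
    winbind enum groups = no
    winbind use default domain = yes
    # Deliberately NO "idmap uid = ..." / "idmap gid = ..." lines here.

# ---- /etc/nsswitch.conf: files only, so NSS never asks winbind for uid/gid
#   passwd: files
#   group:  files
#   shadow: files

# ---- /etc/pam.d/common-auth: winbind first, local shadow as fallback.
# Because pam_winbind is "sufficient", a password that winbind accepts ends
# the stack and pam_unix is never consulted; a user whose Samba account
# winbind rejects still falls through to whatever is in /etc/shadow, which
# is why the windows users keep a disabled password there.
#   auth sufficient pam_winbind.so
#   auth required   pam_unix.so

# ---- One-time join and checks, run as root on the PDC itself.
# The machine account for the PDC must already resolve as a unix user
# (the "machine account in /etc/passwd for itself" from the first message).
#   net rpc join -U root          # PDC joins its own domain
#   wbinfo -t                     # checks the machine trust secret against the domain
#   wbinfo -a 'alice%Secret1'     # assumed test user; exercises the winbind auth path
#   getent passwd alice           # must still resolve from files, never from winbind

# ---- Alternative discussed at the end of the thread: unix password sync.
# Runs the passwd program as root with the cleartext that arrives in an SMB
# password change, so /etc/shadow follows the tdb from the next change on.
# The chat string must match your local passwd(1) prompts exactly; the one
# below is an assumption, not a known-good value for any distribution.
#   unix password sync = yes
#   passwd program = /usr/bin/passwd %u
#   passwd chat = *New*password* %n\n *Retype*new*password* %n\n *updated*successfully*
```

One practical check on the winbind variant before relying on it: set a logon-workstation restriction on a single test account in the user manager and rerun `wbinfo -a` for both that account and an unrestricted one, which tells you directly whether the gotcha the reply raises affects one user or the whole stack on your version.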