Several different PAM modules relating to Samba exist. The ones I could find were as follows:

pam_smb
  http://www.csn.ul.ie/~airlied/pam_smb/
  Authenticates against an NT domain controller, without joining the domain. (Doesn't work with Active Directory.)

pam_ntdom
  http://www.cb1.com/~lkcl/pam-ntdom/
  Based on the above, authenticates against an NT domain. Requires the client to be added to the domain using Server Manager. No longer maintained, superseded by winbind.

pam_smbpass
  part of the official Samba distribution
  Authenticates against the local smbpasswd database (and not a domain at all).

winbind
  part of the official Samba distribution
  Authenticates against an NT or Active Directory domain. The client must join the domain using the Samba "net join" command (or by adding them using Server Manager). Also includes an NSS library to provide account information.

Is the above a reasonable description of the different modules?

I have a set of Linux workstations I would like to authenticate against an NT4 domain to which I do not have admin access, so, so far as I can see, pam_smb is the only option.

Alternatively, does anyone know if it is possible to create an NT account whose only ability is to create machine accounts, which I could probably convince the NT domain admin to do for me?

-- 
Martin Orr
Linux Administrator, Methodist College Belfast
Gerald (Jerry) Carter
2005-Jan-07 14:43 UTC
[Samba] Differences between Samba-related PAM modules
Martin Orr wrote:
| Several different PAM modules relating to Samba exist.
| The ones I could find were as follows:
....
| Is the above a reasonable description of the different modules?

Looks like a good summary to me. You can also use pam_ldap and pam_krb5 with AD.

| Alternatively, does anyone know if it is possible to
| create an NT account whose only ability is to create machine
| accounts, which I could probably convince the NT
| domain admin to do for me?

Yes. This is possible. The NT admin will know how.

cheers, jerry
- ---------------------------------------------------------------------
Alleviating the pain of Windows(tm)  ------- http://www.samba.org
GnuPG Key  ----- http://www.plainjoe.org/gpg_public.asc
"If we're adding to the noise, turn off this song"--Switchfoot (2003)
On Fri, Jan 07, 2005 at 08:42:48AM -0600, Gerald (Jerry) Carter wrote:
> | Alternatively, does anyone know if it is possible to
> | create an NT account whose only ability is to create machine
> | accounts, which I could probably convince the NT
> | domain admin to do for me?
>
> Yes. This is possible. The NT admin will know how.

So, we created an account called LinuxAdmin on the NT PDC (NT 4.0) and gave it the "Add workstations to domain" user right. However, on a Linux box if I do "net rpc join -U LinuxAdmin" (having set workgroup = RMNETNT in smb.conf) and enter the correct password, I still get:

  Create of workstation account failed
  User specified does not have administrator privileges
  Unable to join domain RMNETNT.

-- 
Martin Orr
Linux Administrator, Methodist College Belfast