I setup a working PDC, with exception of one major issue:

These are the two relevant lines:
encrypt passwords = no
obey pam restrictions = yes

If I set encrypt passwords = yes I can join the domain and login and everything works perfectly from windows xp sp2.

However; pam doesn't work with encrypt passwords, so I can't use encrypt passwords in authenticating users.

The end goal is to authenticate windows machines to the same auth servers we have in the linux/mac/solaris realm, which is an ldap server (or NIS for solaris), that uses kerberos for password authentication. I've heard it's possible to get windows to authenticate to the kerberos server through samba, but windows expects the kerberos server to have an NT hash to authenticate to, which would break the rest of the network, so I went down the pam path, and got that working fine in pam for accessing shares, but kept getting a "this user is unauthorized to login to this machine" error when I tried to join the domain as root (which will authenticate through pam files just fine for accessing shares). I also have root with the same password encrypted, via smbpasswd, and when I set encrypt passwords = yes, the domain works like a charm, for root and my other user I manually created accounts for.

Has anyone attempted to do something like this? I know it's kinda stretching the limits of samba (or more likely the flexibility of windows), but if I could make this work, everyone in the department would only have one password to worry about, and to allow someone to login to windows machines, all I'd have to do is add them to the winusers group.

Our current setup is a windows 2000 server that is completely disconnected from the rest of the network that I'm trying to retire. If it comes down to it, I could keep this new server as a separate entity on the network as well, but I'd much rather get this to work.

Sam
--
Sam Leathers
Penn State University
Astronomy & Astrophysics Department
520 Davey Lab
(814)863-9347
I can tell you that you MUST use encrypted passwords on a PDC. Any information about this and more is in the docs.

Ryan Novosielski - Systems Programmer II
novosirj@umdnj.edu - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/AST - NJMS Medical Science Bldg - C630
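The reason behind the reply above is mechanical, not a policy choice: a Windows domain member authenticates with NTLM challenge-response, so the PDC must hold the user's NT hash (in smbpasswd, tdbsam or an ldapsam backend) to verify the response. No cleartext password ever reaches the server, so there is nothing for a PAM auth stack to check; with encrypt passwords = yes Samba ignores PAM for authentication entirely and, when obey pam restrictions = yes, still runs PAM's account and session stages. The following smb.conf fragment is an added example, not part of either message and not the original poster's configuration. It shows the failing settings beside a working PDC configuration that keeps the single directory the poster wants by storing the Samba hashes in the existing LDAP server; the LDAP host, suffix and admin DN are placeholder assumptions.

```ini
; --- Weak / non-working variant (what the original post had) ---
; With encrypt passwords = no the PDC asks clients for cleartext
; passwords, which a domain join and NT-style logon will not do.
; [global]
;     workgroup              = ASTRO
;     security               = user
;     domain logons          = yes
;     encrypt passwords      = no
;     obey pam restrictions  = yes

; --- Working PDC variant ---
[global]
    workgroup              = ASTRO          ; assumed domain name
    netbios name           = PDC1           ; assumed server name
    security               = user
    domain logons          = yes
    domain master          = yes
    preferred master       = yes
    os level               = 65

    ; Mandatory on a PDC: NTLM needs the NT hash on the server side.
    encrypt passwords      = yes

    ; PAM is still consulted for account/session checks (e.g. pam_time,
    ; pam_access group limits such as a "winusers" group), but never
    ; for authentication once encrypt passwords = yes.
    obey pam restrictions  = yes

    ; Keep one directory: Samba account attributes (sambaSamAccount,
    ; which carry the NT hash) live alongside the POSIX entries in LDAP.
    ; Hostname, suffix and admin DN below are assumptions.
    passdb backend         = ldapsam:ldap://ldap.example.edu
    ldap suffix            = dc=example,dc=edu
    ldap user suffix       = ou=People
    ldap group suffix      = ou=Group
    ldap machine suffix    = ou=Computers
    ldap admin dn          = cn=samba,dc=example,dc=edu
    ldap ssl               = start tls      ; protect the admin bind and hashes in transit

    ; Machine accounts are created on join; script path is an assumption.
    add machine script     = /usr/sbin/smbldap-useradd -w "%u"

[netlogon]
    path                   = /var/lib/samba/netlogon
    read only              = yes
```

Store the ldap admin dn password with smbpasswd -w before starting smbd, and run testparm -s to confirm the file parses and that domain logons / encrypt passwords show the values above. Because the NT hash in LDAP is password-equivalent for SMB, restrict read access to the sambaNTPassword attribute to the Samba admin DN in the LDAP server's ACLs and require TLS for that bind.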