On Wed, Nov 27, 2002 at 08:51:44AM -0600, Jim Morris wrote:
> >It would also prevent domain logons, and exposes bugs in other parts of
> >Microsoft's client.
>
> The domain in this case is controlled by Samba. Most of the clients are
> Windows 95/98 clients, and testing with Windows 98 seems to show that
> it can do a 'domain logon'. For the record, I know that this is not
> quite the same as the domain logon that Windows 2000 or NT clients will
> do, and I have yet to test one of those clients. (I spent a LOT of
> time working through the domain logon stuff a couple of years ago when
> working on those chapters of 'Special Edition, Using Samba' with
> Richard Sharpe). Anyway, I would only consider this switch to
> plaintext passwords a temporary measure while I come up with something
> better.

With Win95/98 it might not be such an issue. If you have any member
servers in your domain, it IS an issue, because the only way to get
recent versions of Windows to negotiate plaintext auth is for the server
to say it does NOT support encrypted passwords, and a server that doesn't
support encrypted passwords cannot be a DC.

There really is no way to do this with PAM that will work for most
people. You'd need some other sort of hook into the Samba authentication
system to achieve the effect. PAM is not suitable, because the
authentication can't be handed off to PAM, and nothing in PAM will know
the result of this authentication unless PAM *performed* the
authentication.

-- 
Steve Langasek
postmodern programmer