I can tell you that you MUST use encrypted passwords on a PDC. Any information about this and more is in the docs.

Sam Leathers wrote:
> I set up a working PDC, with the exception of one major issue:
>
> These are the two relevant lines:
> encrypt passwords = no
> obey pam restrictions = yes
>
> If I set encrypt passwords = yes I can join the domain and login and
> everything works perfectly from windows xp sp2.
>
> However, pam doesn't work with encrypt passwords, so I can't use encrypt
> passwords in authenticating users.
>
> The end goal is to authenticate windows machines to the same auth
> servers we have in the linux/mac/solaris realm, which is an ldap server
> (or NIS for solaris), that uses kerberos for password authentication.
> I've heard it's possible to get windows to authenticate to the kerberos
> server through samba, but windows expects the kerberos server to have an
> NT hash to authenticate to, which would break the rest of the network,
> so I went down the pam path, and got that working fine in pam for
> accessing shares, but kept getting a "this user is unauthorized to login
> to this machine" error when I tried to join the domain as root (which
> will authenticate through pam files just fine for accessing shares). I
> also have root with the same password encrypted, via smbpasswd, and when
> I set encrypt passwords = yes, the domain works like a charm, for root
> and my other user I manually created accounts for.
>
> Has anyone attempted to do something like this? I know it's kinda
> stretching the limits of samba (or more likely the flexibility of
> windows), but if I could make this work, everyone in the department
> would only have one password to worry about, and to allow someone to
> login to windows machines, all I'd have to do is add them to the
> winusers group.
>
> Our current setup is a windows 2000 server that is completely
> disconnected from the rest of the network that I'm trying to retire. If
> it comes down to it, I could keep this new server as a separate entity
> on the network as well, but I'd much rather get this to work.
>
> Sam

--
Ryan Novosielski - Systems Programmer II
[EMAIL PROTECTED] - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/AST - NJMS Medical Science Bldg - C630
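A small configuration check, added here as an illustration and not part of this thread or of the Samba project: it parses a constructed smb.conf fragment that combines the poster's two lines with `domain logons = yes` (the setting that makes smbd act as a domain logon server), flags `encrypt passwords = no` on such a server, and records that `obey pam restrictions` cannot route the password check itself through PAM once passwords are encrypted, since NTLM challenge/response never hands smbd the cleartext a PAM module would need. The workgroup name and the fragments are constructed; the parser is a deliberately minimal reimplementation, not Samba's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed fragments modelled on the thread: a domain logon server (PDC)
# with the poster's original settings, and the same server corrected.
BROKEN_SMB_CONF = """
[global]
    workgroup = EXAMPLEDOM      ; constructed name
    security = user
    domain logons = yes
    encrypt passwords = no
    obey pam restrictions = yes
"""

FIXED_SMB_CONF = """
[global]
    workgroup = EXAMPLEDOM
    security = user
    domain logons = yes
    encrypt passwords = yes
    obey pam restrictions = yes
"""


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf reader: [section] headers, 'key = value' lines,
    '#' or ';' comments (whole-line or trailing). Section and key names are
    normalised to lowercase with single spaces, the way Samba treats them."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = re.split(r"\s[#;]", raw)[0].strip()   # drop trailing comments
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = " ".join(header.group(1).split()).lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def is_yes(value: str) -> bool:
    """Samba accepts yes/true/1 as boolean true."""
    return value.strip().lower() in ("yes", "true", "1")


def check_pdc(conf: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (setting, explanation) findings for a domain logon server."""
    findings: List[Tuple[str, str]] = []
    g = conf.get("global", {})
    if not is_yes(g.get("domain logons", "no")):
        return findings  # not a PDC: these checks do not apply

    # Samba 3 defaults 'encrypt passwords' to yes, so only an explicit
    # 'no' is flagged. NT-style domain joins and logons authenticate against
    # the NT hash held in the passdb backend (e.g. smbpasswd), never a
    # cleartext password.
    if "encrypt passwords" in g and not is_yes(g["encrypt passwords"]):
        findings.append((
            "encrypt passwords",
            "set to no on a domain logon server; domain joins and logons "
            "need NT hashes, so set encrypt passwords = yes",
        ))

    # With encrypted passwords, PAM is consulted only for account and
    # session management; the password check itself uses the NT hash.
    if is_yes(g.get("obey pam restrictions", "no")) and \
            is_yes(g.get("encrypt passwords", "yes")):
        findings.append((
            "obey pam restrictions",
            "applies PAM account/session checks only; the password is "
            "verified against the NT hash, not through PAM",
        ))
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        print(label)
        for setting, why in check_pdc(parse_smb_conf(text)):
            print(f"  {setting}: {why}")
```

The corrected fragment still produces one finding, and that is the point of the thread: once `encrypt passwords = yes` is set, the single-password goal has to be met by keeping the NT hash in the passdb backend in sync with the other directories rather than by PAM, and because that hash is a password equivalent, the backend file or LDAP attributes need the same access controls as a shadow file.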