I set up a working PDC, with the exception of one major issue:

These are the two relevant lines:
  encrypt passwords = no
  obey pam restrictions = yes

If I set encrypt passwords = yes, I can join the domain and log in, and everything works perfectly from Windows XP SP2.

However, PAM doesn't work with encrypt passwords, so I can't use encrypt passwords in authenticating users.

The end goal is to authenticate Windows machines to the same auth servers we have in the Linux/Mac/Solaris realm, which is an LDAP server (or NIS for Solaris) that uses Kerberos for password authentication. I've heard it's possible to get Windows to authenticate to the Kerberos server through Samba, but Windows expects the Kerberos server to have an NT hash to authenticate to, which would break the rest of the network, so I went down the PAM path, and got that working fine in PAM for accessing shares, but kept getting a "this user is unauthorized to login to this machine" error when I tried to join the domain as root (which will authenticate through PAM files just fine for accessing shares). I also have root with the same password encrypted, via smbpasswd, and when I set encrypt passwords = yes, the domain works like a charm, for root and my other user I manually created accounts for.

Has anyone attempted to do something like this? I know it's kinda stretching the limits of Samba (or more likely the flexibility of Windows), but if I could make this work, everyone in the department would only have one password to worry about, and to allow someone to log in to Windows machines, all I'd have to do is add them to the winusers group.

Our current setup is a Windows 2000 server that is completely disconnected from the rest of the network that I'm trying to retire. If it comes down to it, I could keep this new server as a separate entity on the network as well, but I'd much rather get this to work.

Sam

--
Sam Leathers
Penn State University
Astronomy & Astrophysics Department
520 Davey Lab
(814)863-9347
