From: Richard Sharpe
Date: Thu, 2 Jan 2003 14:17:14 -0800 (PST)
To: Terry Lambert
Cc: Mahlon, freebsd-hackers@freebsd.org
Subject: Re: pw(8): $ (dollar sign) in username
In-Reply-To: <3E14AE17.EC42A534@mindspring.com>

On Thu, 2 Jan 2003, Terry Lambert wrote:

> Mahlon wrote:
> > This has come up more than a few times in the past. vipw does allow
> > the $ character, and works great in a 'couple of machines' network.
> > It's not a viable solution for using samba's machine trust accounts
> > in an *automated* environment. Having to manually add your domain
> > trust accounts is unneeded when samba can do it for you - after a
> > 1 character change in pw.
>
> Probably the correct approach is to use the PAM module that
> allows the UNIX machine to perform authentication against the
> domain controller, instead of its local password database.

The Samba server does not actually authenticate against the local passwd
database.

This requirement for a local account is a hold-over from the Samba 2.x.x
code, which used the smbpasswd command to set up the trust relationship and
build the information needed to maintain it, including the shared secret,
which is the trust account password (hash) that changes from time to time.

While it is possible to configure winbindd to do what you want, it will
eventually run into problems as more and more people choose to implement
restrict anonymous, and it is probably better to do what you suggest below:
remove the need for a local account.

> You talk about the difficulty of adding all these accounts to
> a UNIX machine, and then having to modify them with "vipw",
> but you don't complain about the difficulty *still* involved
> in adding them, if the "vipw" step is removed. Better to
> eliminate the need to create the accounts at all.

Regards
-----
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org,
sharpe[at]ethereal.com, http://www.richardsharpe.com