Date:      Thu, 2 Jan 2003 14:17:14 -0800 (PST)
From:      Richard Sharpe <rsharpe@richardsharpe.com>
To:        Terry Lambert <tlambert2@mindspring.com>
Cc:        Mahlon <mahlon-dated-1041966902.d3c7ee@martini.nu>, <hackers@FreeBSD.ORG>
Subject:   Re: pw(8): $ (dollar sign) in username
Message-ID:  <Pine.LNX.4.33.0301021404320.7105-100000@ns.aus.com>
In-Reply-To: <3E14AE17.EC42A534@mindspring.com>

On Thu, 2 Jan 2003, Terry Lambert wrote:

> Mahlon wrote:
> > This has come up more than a few times in the past.  vipw does allow
> > the $ character, and works great in a 'couple of machines' network.
> > It's not a viable solution for using samba's machine trust accounts
> > in an *automated* environment.  Having to manually add your domain
> > trust accounts is unneeded when samba can do it for you - after a
> > 1 character change in pw.
> 
> Probably the correct approach is to use the PAM module that
> allows the UNIX machine to perform authentication against the
> domain controller, instead of its local password database.

The Samba server does not actually authenticate against the local 
passwd database. This requirement for a local account is a hold-over from 
the Samba 2.x.x code which used the smbpasswd command to set up the trust 
relationship and build the information needed to maintain the trust 
relationship, and the shared secret, which is the trust account password 
(hash), which changes from time to time.

While it is possible to configure winbindd to do what you want, it will 
eventually run into problems as more and more people choose to implement 
restrict anonymous, and it is probably better to do what you suggest 
below: remove the need for a local account.

> You talk about the difficulty of adding all these account to
> a UNIX machine, and then having to modify them with "vipw",
> but you don't complain about the difficulty *still* involved
> in adding them, if the "vipw" step is removed.  Better to
> eliminate the need to create the accounts at all.


Regards
-----
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, 
sharpe[at]ethereal.com, http://www.richardsharpe.com
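The "1 character change in pw" discussed above has a safer narrow form: accept `$` only as the final character of a machine trust account name, never elsewhere. The validator below is an added illustration, not pw(8)'s actual source; the base character rule it enforces is an assumption chosen for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical validator in the spirit of pw(8)'s user-name check (not
 * pw's real code). Base rule (assumed): first char a letter or '_', the
 * rest letters, digits, '_', '-' or '.'; at most 32 chars. NAME_MACHINE
 * additionally accepts exactly one trailing '$', the Samba machine trust
 * account convention ("<host>$"), and rejects '$' anywhere else. */
enum name_mode { NAME_PLAIN, NAME_MACHINE };

bool valid_username(const char *name, enum name_mode mode)
{
    size_t len, i;

    if (name == NULL || (len = strlen(name)) == 0 || len > 32)
        return false;

    /* Machine account: strip the single trailing '$' and validate the
     * remaining host part like an ordinary name. */
    if (mode == NAME_MACHINE && name[len - 1] == '$') {
        len--;
        if (len == 0)          /* a bare "$" is not a name */
            return false;
    }

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (i == 0) {
            if (!(isalpha(c) || c == '_'))
                return false;
        } else if (!(isalnum(c) || c == '_' || c == '-' || c == '.')) {
            return false;      /* catches '$' anywhere but the stripped tail */
        }
    }
    return true;
}
```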

