[pptp-server] poptop and NT domain controller authentication

Cowles, Steve Steve at SteveCowles.com
Tue Feb 6 10:34:13 CST 2001


> -----Original Message-----
> From: Andrew W. Davis [mailto:awdavis at waretec.com]
> Sent: Tuesday, February 06, 2001 2:26 AM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] poptop and NT domain controller authentication
> 
> 
> so maybe I'm missing something here, but it's late and my 
> eyes can't take any more archive reading...
> 
> I've set up my poptop server and it finally will authenticate 
> MPPE and the such.  I've figured out how to get it to correctly 
> authenticate with the smbpassword file.  I've got some routing
> issues I need to straighten out between the 2 NIC's in my Linux
> box, but I guess here's my real question:
> 
> Do I have to set up domain logins to Samba on my Linux box?  
> Is there no way that they can be sent to my NT Domain controller?
> From all that I'm reading, I have to set up my Linux box in a
> different domain altogether.  This introduces an entirely new
> set of issues...

Personally, I have always configured my samba servers to be "member servers"
to an existing MS domain, i.e. security = domain in smb.conf. In fact, I
agree with you: placing a samba server in a different MS domain/workgroup
would introduce an entirely new set of issues. Unfortunately, making your
samba server a member server really only creates a workstation/server entry
in Domain Manager. It does not enable samba to authenticate to a PDC for
login requests, i.e. a single username/password on NT.

FYI: There is a lot of work being done in this area, i.e. winbind. Check out
the following white paper:
 
http://us4.samba.org/samba/ftp/appliance/winbind.pdf

I especially like the first paragraph of this paper... (holy grail)

Integration of UNIX and Microsoft Windows NT through a unified logon has
been considered a "holy grail" in heterogeneous computing environments for a
long time. We present winbind, a component of the Samba suite of programs as
a solution to the unified logon problem. Winbind uses UNIX implementation of
Microsoft RPC calls, Pluggable Authentication Modules, and the Name Service
Switch to allow Windows NT domain users to appear and operate as UNIX users
on a UNIX machine. This paper describes the winbind system, explaining the
functionality it provides, how it
is configured and how it works internally.

Hopefully, after reading the above white paper, you will understand why you
must maintain two separate login accounts: one on your PopTop server and one
on the NT PDC.

If I get the time, I am going to try and implement "winbind". I have been
following its development for a long time. Looks like they have made some
progress, but with limitations. I have never liked maintaining two separate
login accounts. This has always been a royal pain in the ass from an
administration point of view. 
  
Steve Cowles
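As an added illustration of the two setups Steve contrasts (this is example configuration, not from the original post, the winbind paper or the Samba project itself), the fragment below shows a Samba 2.2-era member-server smb.conf with security = domain, followed by the extra pieces winbind needs so that NT domain users appear as UNIX users through NSS and PAM. The domain name NTDOM, the PDC name PDC1 and the uid/gid ranges are assumed placeholders; pick values that do not collide with local accounts.

```ini
# --- /etc/samba/smb.conf: member server of an existing NT domain ---
[global]
   workgroup = NTDOM               ; assumed NT domain name
   security = domain               ; authenticate SMB logons via the PDC
   password server = *             ; locate the PDC/BDCs for NTDOM by broadcast/WINS
   encrypt passwords = yes         ; required for NT-style (NTLM) authentication

   # winbind additions: map NT domain users/groups to UNIX ids on the fly
   winbind uid = 10000-20000       ; assumed uid range reserved for domain users
   winbind gid = 10000-20000       ; assumed gid range reserved for domain groups
   winbind separator = +           ; users appear as NTDOM+username
   winbind enum users = yes
   winbind enum groups = yes
   template homedir = /home/%D/%U  ; %D = domain, %U = user
   template shell = /bin/false     ; no interactive shell for domain users by default

# --- join the machine to the domain once (Samba 2.2 syntax), as root: ---
#   smbpasswd -j NTDOM -r PDC1 -U Administrator
# then start winbindd alongside smbd/nmbd.

# --- /etc/nsswitch.conf: consult winbind after local files ---
#   passwd: files winbind
#   group:  files winbind

# --- /etc/pam.d/<service>: allow domain passwords for that service ---
#   auth     sufficient  /lib/security/pam_winbind.so
#   auth     required    /lib/security/pam_unix.so use_first_pass
#   account  sufficient  /lib/security/pam_winbind.so
#   account  required    /lib/security/pam_unix.so
```

Two points worth checking before relying on this for PopTop: pam_winbind only helps services that authenticate through PAM, and pppd's `login` option uses the system password database for PAP only, so MS-CHAP logons (which MPPE requires) still have to match an entry in chap-secrets; and because `security = domain` makes the PDC the authority for SMB logons, a reachable PDC and a valid machine account are now prerequisites for any authentication to succeed at all.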
