Sshd and domain authentication

Scott Burch scott.burch at camberwind.com
Wed May 21 04:19:37 EST 2003


Mike,

This can be done using either pam_smb or the pam modules included with
the winbind component of Samba. The latter maps Windows rids and gids to
UNIX uids and gids, so essentially you can give Windows users access to
UNIX resources without creating duplicate UNIX accounts for those users.
I've used both pieces of software to do various things and tested the
winbind pieces of Samba to see if it would work with ssh (for fun)...it
did. For ssh you still have to create home directories (for .ssh, etc.).
There is a pam module for Linux that will even create home directories
on the fly (dangerous in my opinion), but might be useful to some people
(this piece does not work on Solaris). I am not using winbind, because
there wasn't yet centralized management of the mapping of rids/gids to
uids/gids...it was on a server-by-server basis. I tend to use pam_smb in
instances where some UNIX application needs only to get
authentication...most of our users have accounts in the Active
Directory, but not in UNIX (and creating a shell account just to
authenticate is overkill). Ultimately all authentication will go through
LDAP, but that whole system is not in place yet. If you want more
details on any of this I can provide them offline.

-Scott

On Tue, 2003-05-20 at 11:18, Lee-Lun, Michael [IT] wrote:
> Is there a way to run sshd on a Windows 2000 server and have ssh clients
> authenticate to it using domain level authentication?
> 
> Mike
-- 
Scott Burch <scott.burch at camberwind.com>
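
The winbind setup described in the reply above, sketched as configuration. This is an added example, not part of the original post or taken from the Samba or OpenSSH projects; it assumes a Linux-PAM host already joined to the domain with winbindd running, and the file paths and module options shown are typical values rather than anything the post specifies.

```conf
# Constructed example, Linux-PAM syntax. Assumes the host is already joined
# to the domain and winbindd is running; module paths vary by distribution.

# --- /etc/nsswitch.conf: resolve domain users and groups through winbind,
# --- which supplies the rid/gid to uid/gid mapping the post mentions
passwd: files winbind
group:  files winbind

# --- /etc/pam.d/sshd: try the domain first, then fall back to local accounts
auth     sufficient  pam_winbind.so
auth     required    pam_unix.so use_first_pass
account  sufficient  pam_winbind.so
account  required    pam_unix.so
session  required    pam_unix.so

# Optional: create a missing home directory at first login. Left commented
# out because the post considers on-the-fly creation dangerous; if it is
# enabled, a restrictive umask keeps the new home (and .ssh) private.
# session required   pam_mkhomedir.so skel=/etc/skel umask=0077

# --- /etc/ssh/sshd_config: sshd must hand authentication to PAM
# (UsePAM is the option name in current OpenSSH releases)
UsePAM yes
```

With pam_mkhomedir left disabled, home directories for domain users still have to be created by hand before key-based logins can work, as the reply notes.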