Re: Fwd: Re: [squid-users] winbind authentication, mystical ?

From: Andrew Bartlett <abartlet@dont-contact.us>
Date: Sun, 07 Jul 2002 14:42:28 +1000

Jerry Murdock wrote:
>
> ----- Original Message -----
> From: "Andrew Bartlett" <abartlet@samba.org>
> To: "Jerry Murdock" <jmurdock@itraktech.com>
> Cc: "Andrew Bartlett" <abartlet@samba.org>; "Squid-Dev (E-mail)"
> <squid-dev@squid-cache.org>; "Henrik Nordstrom" <hno@squid-cache.org>
> Sent: Saturday, July 06, 2002 9:29 PM
> Subject: Re: Fwd: Re: [squid-users] winbind authentication, mystical ?
>
> > Jerry Murdock wrote:
> > >
> > > ----- Original Message -----
> > > From: "Andrew Bartlett" <abartlet@samba.org>
> > You got away with specifying the netbios name of the pdc as 'password
> > server'.
> >
> > > > Running smbd will allow the domain trust password to be changed, but
> > > > provides no other benefit. (In fact, it might not even do that, if no
> > > > users contact it...)
> > >
> > > So there is no way to change the trust pw with 2.2.x if the machine is
> > > not serving smb clients?
> >
> > correct.
> >
> > > What happens on 2.2.x install if nothing ever triggers a change?
> >
> > Some PDC configurations might impose a 'maximum password age' on their
> > users. I think this applies to machines as well.
> >
> OK, it's all falling into place as to why I haven't seen problems yet.
>
> The next question would have to be what can be done to trigger a trust pw
> change in smbd?
>
> Would a script running on the squid box that used smbclient to log into a
> local share be enough?

Should be - as long as the timeout processing is triggered. Yes, this is
dodgy as all hell... I wrote the update for 'net' with good reason...

> If so, and the user didn't want to run smbd, would you foresee any problems
> with a cron script to load smbd, login, logout, kill smbd?

Only that you would have to trigger the timeout processing... Yes this
is silly.

> I can list out conditions and disclaimers in the how-to, but I'd much prefer
> to go ahead and provide a workable (if not perfect) solution. The last thing
> we need is for the winbind stuff to get a black eye because it stops working
> "mysteriously" 30 days after install.

Indeed.

Probably the best advice is to prepare a patch that simply does what the
'net rpc changetrustpw' does in HEAD. Should be a trivial 'main' that
just makes the same calls as in process.c (and links in practically
*.o...).

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
Received on Sat Jul 06 2002 - 22:42:21 MDT
