From: n...@camcon.co.uk (Nick Marley)
Subject: Re: THERE ISN'T ANY NT... WinNT and NIS????
Date: 1996/03/06
Message-ID: <Dnuntr.17t@camcon.co.uk>#1/1
X-Deja-AN: 142050564
references: <4heh0t$b7t@erika.cica.es>
organization: Cambridge Consultants Ltd
newsgroups: comp.os.ms-windows.nt.admin.misc

to...@sun630.uco.es (Juan Antonio Marin Beltran) writes:

>For about 4 months I and many other users posted articles about to share the
>same username/password pairs between nt & unix, with NIS on NT or other ways,
>but it may be that *NOTHING* have a good answer. There is no way to make it?

Hmmmm. I don't know of any product that does this (I could be ignorant tho!)

If basically what you want is file & print sharing, Samba will provide that nicely - quite transparently if your Unix & NT passwords and userids are the same.

I wouldn't claim to be an NT guru :-) but some thoughts anyway; I'd be interested in any observations from anyone more informed; maybe in a .programmer. group...

I've been thinking for a while about trying to write a GINA (graphical Identification and Authentication DLL) that could talk to a server process on our Sun network to validate userid & password information and then (if necessary) create an account on the NT machine before calling LsaLogonUser() to get the security token.

I suspect the preferred way of communicating with the Unix authentication process is via RPCs, and Sun RPCs are not compatible with NT RPCs, so direct communication with the NIS may be difficult.

It's a trivial exercise given a non encrypted username and password to validate it on (say) a Sun host using /etc/passwd & crypt(3) so if passing clear text passwords across the net is OK (I'm not saying it is!) you could wrap up such a piece of code as a sockets based daemon and talk to that from the GINA; sort of home-brew RPC.

Given a version of crypt() for Win32 passing the password un-encrypted could be avoided, although you'd still need the two character key from /etc/passwd to perform the encryption.

The interesting bit would be trying to create a user from within a GINA, (I haven't found anything that says I can't - yet!) and in deciding how to perform some sensible mapping between Unix & NT group information (may be a red herring).

Obviously this only copes with console login on the NT machine; it wouldn't be applicable to WfWG or Grim95.

Keeping passwords synchronised is another issue - some kind of ypbind()?

The docs for the GINA stuff are on the MSDN CDROMS - see "Replacable Winlogon User Interface"

Feel free to pick holes!

Nick
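The /etc/passwd lookup and crypt(3) comparison described in the message above, as an added example that is not part of the original posts. `standin_crypt` is a hypothetical placeholder for crypt(3) (it is not DES crypt), `find_entry` and `validate` are illustrative names, and the passwd text is constructed; a real daemon would pass a crypt(3) binding as `crypt_fn`.

```python
import hashlib
import hmac

# Hash fields that can never be matched: empty (no password set, refused
# here rather than accepted), locked accounts, or "x", meaning the real
# hash lives in a shadow file this process cannot read.
UNUSABLE = {"", "*", "!", "x"}


def standin_crypt(password, salt):
    """Stand-in for crypt(3) so the example runs anywhere. NOT DES crypt:
    it only mimics the 'two-character salt + digest' layout."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return salt + digest[:11]


def find_entry(passwd_text, user):
    """Return the hash field for `user` from passwd-format text, or None."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] == user:
            return fields[1]
    return None


def validate(passwd_text, user, password, crypt_fn=standin_crypt):
    """True only if `password` hashes to the stored field for `user`."""
    stored = find_entry(passwd_text, user)
    if (stored is None or stored in UNUSABLE
            or stored.startswith("!") or len(stored) < 3):
        # Hash anyway so unknown and locked users take similar time.
        crypt_fn(password, "..")
        return False
    salt = stored[:2]  # the "two character key" kept in /etc/passwd
    candidate = crypt_fn(password, salt)
    # Constant-time comparison of the recomputed and stored fields.
    return hmac.compare_digest(candidate.encode(), stored.encode())


# Constructed sample file, not real accounts.
SAMPLE_PASSWD = "\n".join([
    "root:*:0:0:root:/:/bin/sh",
    "nick:" + standin_crypt("opensesame", "ab") + ":101:10:Nick:/home/nick:/bin/csh",
    "juan:x:102:10:Juan:/home/juan:/bin/sh",
])
```

The salt is read from the stored field itself, which is why a client that hashes locally would first have to be given those two characters.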
From: jer...@netcom.com (Jeremy Allison)
Subject: Re: THERE ISN'T ANY NT... WinNT and NIS????
Date: 1996/03/06
Message-ID: <jeremyDnvC37.92B@netcom.com>#1/1
X-Deja-AN: 142092783
sender: jer...@netcom13.netcom.com
references: <4heh0t$b7t@erika.cica.es> <Dnuntr.17t@camcon.co.uk>
organization: NETCOM On-line Communication Services (408 261-4700 guest)
newsgroups: comp.os.ms-windows.nt.admin.misc

n...@camcon.co.uk (Nick Marley) writes:

>to...@sun630.uco.es (Juan Antonio Marin Beltran) writes:

>I've been thinking for a while about trying to write a GINA (graphical
>Identification and Authentication DLL) that could talk to a server
>process on our Sun network to validate userid & password information
>and then (if necessary) create an account on the NT machine before calling
>LsaLogonUser() to get the security token.

>I suspect the preferred way of communicating with the Unix authentication
>process is via RPCs, and Sun RPCs are not compatible with NT RPCs, so
>direct communication with the NIS may be difficult.

I have also been thinking along those lines. As the author of the Windows NT password encryption code in Samba, it has always annoyed me that I can't get at the password change hook in Windows NT; if I could, then I could use it to keep the passwords in Samba's smbpasswd file up to date.

The problem with the GINA dll is that password change requests can still come in over the network, and you don't know about it.

There *is* a password change hook at the lowest level in Windows NT. I was at a security class at Microsoft when I got this information from one of the NT product support engineers. It is a Dll that is called to make network redirector providers aware that the NT password has changed for a user. The problem is that Microsoft won't release the details without a non-disclosure agreement, and as Samba is under the GPL (source code must be available) I wasn't able to provide that.

If anyone has information on the exports that must be made from this DLL (there are only around 7, I know because I saw sample code that implemented them) then a DLL could be written that would sync NT and UNIX password user databases. This is something that would be *extremely* useful, and is wanted by many sites.

Doing the ONC-RPC isn't too hard on NT, I already ported that to NT from the Sun publicly available sources, it's the API information that is the hard part (why is my job 10% coding and 90% begging Microsoft to make available the API's they use in their own products :-(. ).

Jeremy Allison.