On Fri, 18 Jan 2002, Alan Davies wrote:
> If my understanding is correct (and it often isn't) winbind is part of - or an addition to samba
Yes.
> it allows linux to 'see' the NT usernames
Yes.
> it allows the NT domain to authenticate (presumably by relaying the request) rather than the linux box.
Well, sort of. Linux' authentication is modular; winbind provides a module that uses an NT domain to verify the username and password in the same way that there are modules that use /etc/passwd to verify the username and password.
> Now the questions. With Winbind.. If a user exists on the Domain (but not in linux) they can logon and run a shell or kde session?
Yes.
> Can you have additional users in the linux password file too? (I assume yes - and I assume it tries these first and duplicated names would default to linux box password not the domain one.)
Yes. You will want to look at the files in /etc/pam.d and read the PAM manual. Basically, you can plug together your authentication in any way you feel like. For example, you could say "try authenticating against NT first, if that fails then use /etc/passwd, if that succeeds then log a warning (as only admins should have local accounts) otherwise fail".
> I could run a mail server on the linux box and my NT users would be able to access it via POP or IMAP without a separate or different username and password? Would I need to make any changes to the mailserver for it to realise that authentication was to come from the domain?
The PAM configuration file for the mail server program would have to be set to use winbind. (Note: In some distributions you will find a "system-auth" PAM file which contains the default authentication procedures and most other PAM files simply delegate to this one via "pam_stack.so").
> If an NT user has a home directory on an NT machine where would the home directory for a user logging into a kde session be? Would this be the domain one (a samba share) if no details existed in linux box?
Aha, this is where it starts to get rather tricky. Your easiest option is to add pam_mkhomedir to the PAM stack; this will create a home directory at the first logon. Assuming you have Samba set up to share home folders then this immediately means that Windows users will be able to browse to their Linux home folders. However, going the other way is less smooth since there is not yet an easy and secure way that doesn't involve the user having to enter their password twice...

Michael
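
The stack described in the reply above (NT domain first, then /etc/passwd, with a warning logged when a local account is used, plus pam_mkhomedir), sketched as an added example that is not part of the original message. The service file name `/etc/pam.d/imap` and the option values are assumptions; module availability and paths vary by distribution.

```conf
# /etc/pam.d/imap   (hypothetical service file; the name is an assumption)

# 1. Try the NT domain first. "sufficient": on success the auth stack
#    ends here and the modules below are not consulted.
auth     sufficient  pam_winbind.so

# 2. Domain authentication failed: check the same password against the
#    local files. "requisite": a failure here ends the stack with a denial.
auth     requisite   pam_unix.so use_first_pass

# 3. Only reached after a successful *local* login. pam_warn writes the
#    service, user and remote host to syslog and does not affect the result.
auth     optional    pam_warn.so

# Account checks: domain users are handled by winbind, local users by pam_unix.
account  sufficient  pam_winbind.so
account  required    pam_unix.so

# Create the home directory at first logon (values below are assumptions).
session  required    pam_mkhomedir.so skel=/etc/skel umask=0077
session  required    pam_unix.so
```

Because a `sufficient` success ends the auth stack immediately, any check that must apply to domain users as well has to be placed above the pam_winbind line.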