Samba and Linux single login
curtas
11-20-2003, 05:39 PM
Hey all,
I'm currently running a computer lab with RH7.3, Win2k, and a RH7.3 server running an older version of Samba. Unix authentication is done using ssh and rsync to force the passwd files to the client machines. Unix file sharing is done with NFS, windows authentication and file sharing is done with Samba.
We got some new servers and are moving to a separate domain environment (confidentiality agreements and such made us isolate the data) instead of one big domain with groups.
The users now think they have only one login and password, but that's because I painstakingly make sure the passwd files get rsync'd and that the pam modules update the passwords together.
Is there an easier way to do this with the newer version of Samba? Or maybe LDAP? I've got a blank slate to work with now and would like to avoid the klugey complexities I had to do before.
Thanks in advance,
AC
cowanrl
11-20-2003, 07:15 PM
Here at my location I'm using Red Hat 9 with Samba 3.0. I also have a Win2k AD domain.
Of course all the windows machines (Win2k and XP Pro) authenticate to the AD domain.
I have the Samba server set up as a member of the AD domain and it uses ads security. It also uses Kerberos authentication.
I'm also using winbind which eliminates the need to create Linux user accounts like you normally would to allow the Windows users access to the Linux file system.
On top of that, I have pam set up via winbind to use the AD domain accounts to control console login to the Red Hat box.
I have also set up vsftp to use the AD domain accounts for login. The problem with it is that the user's password is still sent unencrypted from the ftp client to the vsftp server so I don't use it. I just wanted to see if it would work.
My point is that I think it would be very easy to have either an NT PDC or a Win2k AD domain on your network and use it as the only means of authentication. Any Samba server could be set up to authenticate to it along with winbind to avoid creating local user accounts on the server.
It would also be simple to set up any Linux workstation so that console login would authenticate to the Windows domain. The only local account that would need to be on the Linux machine would be root.
Though I haven't tried it, I think that if you're familiar with pam, you could set up ssh to authenticate to the Windows domain.
You may also be able to use winbind against a Samba PDC. The Windows machines can join the Samba PDC and authenticate to it just like a Windows domain. All the documentation I've read always refers to using winbind against Windows domain controllers. There's one thread going on in this forum now where a user is using winbind against a Samba PDC. It looks like it should work OK but the user is having trouble with it. Not sure why. The only way to find out for sure is to try it I guess. It would be nice if it did work to avoid the expense of the Windows server license.
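The setup cowanrl describes (Samba as an AD member with `security = ads`, winbind mapping domain accounts to uid/gid ranges so no local accounts are needed, nsswitch and PAM pointed at winbind) fits in a handful of config files. The script below is an added example, not code from the thread or from the Samba project; the realm `EXAMPLE.LOCAL`, workgroup `EXAMPLE`, the idmap ranges and the Red Hat style paths are assumptions. `write_winbind_config` writes the fragments under a root directory you pass in, `check_winbind_config` verifies the three settings that must all be present for the single login to work, and `join_and_verify` lists the commands run on the real box after a review of the generated files.

```shell
#!/bin/sh
# Added example (not from the thread): Samba 3.0 AD member + winbind setup.
# Assumed values: realm EXAMPLE.LOCAL, workgroup EXAMPLE, idmap 10000-20000.
# Every function takes a root directory so the files can be generated and
# checked under a scratch directory before anything touches the real /etc.

write_winbind_config() {
  root="${1:?usage: write_winbind_config <root dir>}"
  mkdir -p "$root/etc/samba" "$root/etc/pam.d"
  # smb.conf: join as a domain member, let winbind supply uid/gid for
  # domain users instead of maintaining local passwd entries.
  cat > "$root/etc/samba/smb.conf" <<'EOF'
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.LOCAL
   security = ads
   encrypt passwords = yes
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes
   template shell = /bin/bash
   template homedir = /home/%D/%U
EOF
  # nsswitch: resolve users/groups from local files first, then winbind.
  cat > "$root/etc/nsswitch.conf" <<'EOF'
passwd:  files winbind
group:   files winbind
shadow:  files
EOF
  # PAM for console login: domain accounts via winbind, local (root) via unix.
  cat > "$root/etc/pam.d/login" <<'EOF'
auth      sufficient  pam_winbind.so
auth      required    pam_unix.so use_first_pass
account   sufficient  pam_winbind.so
account   required    pam_unix.so
EOF
}

# Returns 0 only if all three pieces are in place; a missing piece is the
# usual reason a "working" join still leaves users unable to log in.
check_winbind_config() {
  root="${1:?usage: check_winbind_config <root dir>}"
  grep -Eq '^[[:space:]]*security[[:space:]]*=[[:space:]]*ads[[:space:]]*$' \
    "$root/etc/samba/smb.conf" || return 1
  grep -Eq '^passwd:.*winbind' "$root/etc/nsswitch.conf" || return 1
  grep -Eq '^auth[[:space:]]+sufficient[[:space:]]+pam_winbind\.so' \
    "$root/etc/pam.d/login" || return 1
  return 0
}

# Commands for the real server (requires a Kerberos realm in /etc/krb5.conf
# and a domain admin account; "Administrator" is an assumed name).
join_and_verify() {
  net ads join -U Administrator      # create the machine account in AD
  service winbind restart
  wbinfo -t                          # check the machine trust secret
  wbinfo -u                          # list domain users seen by winbind
  getent passwd | grep -c '^[^:]*:[^:]*:1[0-9]\{4\}:'  # domain uids in range
}
```

Run `write_winbind_config /tmp/stage`, inspect the files, then copy them into place and run `join_and_verify` as root. `check_winbind_config` is worth keeping around: after an upgrade or a stray edit it tells you in one call whether the domain login path is still wired up.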
curtas
11-20-2003, 07:19 PM
Thanks for the input.
I read some of RedHat's Customization doc and it followed what you said. They even have a GUI setup option for "Authenticate on SMB" so I imagine that will do what I want.
Right now it looks like we'll have a samba server, which will do authentication and file sharing. Then I won't even worry about local accounts anymore. I didn't mind the rsync and ssh stuff, but it wasn't foolproof and my users always found a way to break it. This seems much simpler.
I'm building a test network next week in my office and will definitely try all this out (especially that winbind stuff).
Thanks again,
AC
cowanrl
11-20-2003, 07:30 PM
If you are successful using winbind against a Samba PDC, I'd like to know. I thought I read somewhere that winbind would only work against an actual Windows domain controller and not a Samba PDC. But, I haven't been able to find that statement in any of the Samba documentation I have here. It would be nice to eliminate the need for a Windows domain on the network. I just don't have the time or resources to test it here.
craigad
01-25-2004, 01:58 PM
Curtas,
Did you ever get this working?
I am in the process of setting up exactly the same environment.
If you did, do you have any 'lessons learnt' that you could share?
/craigad
curtas
01-25-2004, 02:37 PM
Unfortunately, we have had some internal auditing, so I've been busy with the existing stuff and haven't been able to play with the new stuff.
I spent this weekend writing perl and bat scripts to dump/parse logs. I've also been playing around with domain admin stuff.
I've also been playing with PAMs to get ssh and other things working. I forgot that samba doesn't use PAM with encrypted passwords. DOH! Still working on that fix.
My goal is to get one of the new servers online by mid-Feb, at which point I will have at least tried the aforementioned stuff. I will definitely post if I get it working.
ac
craigad
01-26-2004, 09:05 AM
Curtas,
thanks for the info - I am embarking on this in the next week or so - I will post here as well if I have anything that is an issue / interesting point.
/craigad
cowanrl
01-26-2004, 08:08 PM
craigad,
Are you just looking for help in using Samba/winbind as a single point of login or are you looking for something else?
craigad
01-27-2004, 10:43 AM
cowanrl,
yes you are right - I am looking to use samba with an LDAP backend on a debian box as a single point of sign on with 12 windows clients and linux client (me!). I have seen plenty of documentation describing the use of samba as an authentication server within an existing windows domain, but none as the only domain controller within the domain serving windows clients.
This is what I am trying to achieve anyway.
Again, all this work is being done in my own time, with very little testing kit! So progress is slow and I am also not convinced I know how I am going to achieve my end goal yet.
/craigad
cowanrl
01-27-2004, 01:16 PM
My experience using Samba/winbind as a single point of login has always been with a Windows domain controller on the network.
There is one guy who visits this site who has done it with a Samba PDC but it was using the smbpasswd file as the backend.
I believe he is currently working on trying to get it to work using OpenLDAP as the backend. He is going to let me know if he's successful. I'll pass it on to you if I hear from him.
craigad
01-28-2004, 07:09 AM
Cowanrl,
that would be most appreciated, thanks!
/craigad