Daniel_Casey@jbhunt.com
2000-Dec-27 20:36 UTC
integrating samba with an NT domain controller
Is it a big ordeal to tell the Samba server on my Sun box to start using an NT PDC? Does our NT server group have to do anything on their end? And, if I were to start using the NT PDC for userid/password authentication, would I have to do any userid/password management on the Unix box? Thanks, Daniel
MCCALL,DON (HP-USA,ex1)
2000-Dec-28 14:25 UTC
integrating samba with an NT domain controller
Hi Daniel,

No, actually it's pretty easy.
In your smb.conf file, change the following lines (or add them, if they are not there):

    workgroup = <your nt domain>
    security = domain
    encrypt passwords = yes
    password server = (your NT domain controller netbios name)
Don, all,

Do you know what I have to do to work with passwords on an MPE/iX system? Can I work with the /etc/passwd file? How do I create it? Can I work with the sambapasswd tool? Can I still work with MPE passwords?

Happy holidays, TIA,

Eric Jansen
Technical Consultant
Computer Design & Integration, LLC
696 Route 46 West, Teterboro, NJ 07608
Phone: 201-931-1420 x313 Fax: 201-931-0101 Pager: 973-205-1236
eric_jansen@cdillc.com
www.cdillc.com

> -----Original Message-----
> From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
> Sent: Thursday, December 28, 2000 9:25 AM
> To: 'Daniel_Casey@jbhunt.com'; samba@us5.samba.org
> Subject: RE: integrating samba with an NT domain controller
>
> Hi Daniel,
> No, actually it's pretty easy.
> In your smb.conf file, change the following lines (or add them, if they are not there):
>
>     workgroup = <your nt domain>
>     security = domain
>     encrypt passwords = yes
>     password server = (your NT domain controller netbios name)
>
> From Server Manager on your nt domain, add your samba netbios name as a machine account (NT Workstation type, not backup).
>
> Then you will need to run
>
>     smbpasswd -j <nt domainname> -r <your NT domain controller netbios name>
>
> You will still require a username in the /etc/passwd or nis database for all of your NT users that you expect to access shares on the Unix box, but if their only access will be via samba, you won't need to administer any passwords for them, except in the nt domain where they are logging in.
>
> I would suggest you take a look at the 'Using Samba' book from O'Reilly publishing; Chapter six goes into more detail on how this works.
> If you go to the url http://us2.samba.org/samba/oreilly/using_samba/ you can view the entire text online, and there is also a link to purchase the book (which I would advise, as it is the best reference for a Samba Administrator I have seen).
>
> Hope this helps get you started,
> Don
MCCALL,DON (HP-USA,ex1)
2000-Dec-28 15:24 UTC
integrating samba with an NT domain controller
Hi Eric,

That's a sticky one. MPE/iX does not HAVE a /etc/passwd or /etc/group file, or the concept of NIS databases. The actual user.account security on MPE is MPE specific. A LOT of mods into the Samba code are made to get this to function because of this; many of the posix system calls samba uses (like setgid, setegid, etc.) aren't implemented in the posix that MPE/iX uses, because MPE/iX security doesn't provide for a 'user' to be in more than one 'account', so when you change the 'uid' you effectively change the gid (which maps to the 'account') as well.

There's lots more, but the real simple answer to your question is as follows:

1. If you want your MPE/iX machine to do your login authentication, then all your clients must have the registry hack that allows them to send cleartext passwords, and you would need to map your pc usernames to mpe user.account names via the user.map file. The client, when attaching to a Samba/iX share, would need to specify the mpe user.account passwords (there is one for each, userpassword,accountpassword) in the format userpass,acctpass.

2. None of the versions HP supports or supplies (none extant anywhere at this time, as far as I know) allow you to use the smbpasswd program or encrypted passwords in 'user' level security. We ARE investigating how we can make this work, but I have no commitments from the labs at this point as to when this will actually make it into a supported HP version, though I have made it work with some down and dirty code changes at 2.0.7, and we are looking at cleaning that up for the supported version in the future.

3. Samba/iX works pretty well in server or domain level security, and keeps you from having to deal with the 'messy' cleartext password issues. In general, I recommend using server or domain level security, with the appropriate user.map file to map your pc usernames to the appropriate mpe username.accountname user(s).
There is a pretty good external HP page that talks about the next version of Samba/iX that is being worked on, and what you can expect: http://jazz.external.hp.com/src/samba/

Hope this helps,
Don
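As an added example (not part of any post in this thread), a small checker that reads an smb.conf and reports which of the four [global] settings listed for domain-level security are missing or set differently. The sample files and the names EXAMPLEDOM and EXAMPLEPDC are constructed placeholders.

```python
import re
# The four [global] settings from the thread; None means "any non-empty value".
REQUIRED = [("workgroup", None), ("security", ("domain",)),
            ("encrypt passwords", ("yes", "true", "1")), ("password server", None)]

def norm(name):
    return re.sub(r"\s+", "", name).lower()  # names ignore case and whitespace

def parse_global(text):
    """Return {normalized name: value} for the [global] section only."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip()
    return params

def audit(text):
    """Return a list of findings; an empty list means all four are in place."""
    params, findings = parse_global(text), []
    for name, ok in REQUIRED:
        got = params.get(norm(name), "")
        if not got:
            findings.append(f"{name} is not set")
        elif ok and got.lower() not in ok:
            findings.append(f"{name} is '{got}', expected '{ok[0]}'")
    return findings

# Constructed samples: user-level security with encryption off, then the fixed file.
SAMPLE_BEFORE = """[global]
   workgroup = EXAMPLEDOM
   security = user
   ; encrypt passwords = yes
   Encrypt Passwords = No
[homes]
   security = domain
"""
SAMPLE_AFTER = """[global]
   workgroup = EXAMPLEDOM
   security = DOMAIN
   encryptpasswords = Yes
   password server = EXAMPLEPDC
"""
print(audit(SAMPLE_BEFORE), audit(SAMPLE_AFTER))
```

The check covers only the file; the machine account on the domain controller and the smbpasswd -j join step still have to be done separately.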