We have a network with Windows NT/2000, SGI's, Linux, Macintosh, AIX. Our user accounts/passwords for all our machines are handled by NIS on an AIX machine.

Our unix machines authenticate through NIS. Our windows machines authenticate by logging on to an NT server acting as the PDC, and that PDC has a service installed on it called "WinDD NIS" (made by Tektronix I think) which contacts the NIS server and validates user passwords. However WinDD will not work with Windows 2000 clients, and we are upgrading to Windows 2000, so we have to come up with a solution.

Our first idea is to scratch the Windows PDC and go with a Linux/Samba PDC. However, we seem to be coming to the realization that samba will not work with NIS, simply because they use different password encryption. Is this true? Does anyone out there use a samba PDC with NIS? Or do we have to switch from NIS to NIS+? Does NIS+ use the same encryption as samba and therefore work with a samba PDC?

Any ideas are welcome. Thanks in advance,

Alex
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Alex Lazarevich
Systems Administrator
Imaging Technology Group, http://www.itg.uiuc.edu
Beckman Institute, http://www.beckman.uiuc.edu
405 N. Mathews, Urbana IL 61801 USA
Ph: (217)244-1565 e-mail: alazarev@itg.uiuc.edu
_________________________________________________
I've found a few things saying that a samba PDC with NIS will work. But do the samba service and master NIS service need to be on the same machine?

Any help is appreciated,

Alex

On Wed, 7 Nov 2001, Alexander Lazarevich wrote:
> Our first idea is to scratch the Windows PDC and go with a Linux/Samba
> PDC. However, we seem to be coming to the realization that samba will not
> work with NIS, simply because they use different password encryption. Is
> this true? does anyone out there use samba PDC with NIS? Or do we have
> to switch from NIS to NIS+? Does NIS+ use the same encryption as samba and
> therefore work with samba PDC?
Alex,

> thanks for the response christian. this sounds promising. is
> there any chance i could see your smb.conf file, or at least
> the parts that deal with samba pointing to the NIS?

Samba is not pointing to NIS. You install it on the NIS master like on every other system. You are just able to keep the passwords in sync on the NIS master, because samba is able to change the unix password whenever the samba password is changed. And the change of the unix password is put into NIS. (You don't have the old clear text password mostly needed to change the NIS password directly from samba.)

> ive had a hell of a time finding any
> documentation on it. does /etc/shadow help to get around the plaintext
> password (NIS) vs. encrypted password (samba) problem?

No. You will have to use both at the same time. On systems with shadow passwords the passwords are not stored in the world readable /etc/passwd but in the root-only /etc/shadow, nothing related to samba.

Attached you find my smb.conf.

> thanks,
>
> alex
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Alex Lazarevich
> Systems Administrator
> Imaging Technology Group, http://www.itg.uiuc.edu
> Beckman Institute, http://www.beckman.uiuc.edu
> 405 N. Mathews, Urbana IL 61801 USA
> Ph: (217)244-1565 e-mail: alazarev@itg.uiuc.edu
> _________________________________________________
>
> On Thu, 8 Nov 2001, Christian Barth wrote:
>
> > > I've found a few things saying that samba PDC with NIS will work. But do
> > > the samba service and master NIS service need to be on the same machine?
> > Yes it will work. We do the same here. You have to use /etc/shadow
> > (/etc/passwd) as source for NIS and .../private/smbpasswd for the
> > PDC. If the NIS master and the PDC are the same machine you can
> > easily keep accounts (using your custom scripts) and passwords (using
> > "unix passwd sync" in smb.conf) in sync.
> >
> > With "unix passwd sync" the samba (the smbpasswd command) changes the
> > unix password every time the encrypted password is changed. Mostly
> > yppasswd needs the old password to change the password even if
> > running as root. So you have to use passwd in the passwd chat in
> > smb.conf and push your NIS maps with cron or within the chat. For
> > normal users of the NIS master you can link the passwd command to the
> > smbpasswd command, so that they change both of their passwords at
> > once. On the NIS clients you should disable passwd, yppasswd and tell
> > the users to change their password on the master. Or you install a
> > basic samba there and use smbpasswd (haven't tried the last one).
> >
> > Christian

-------------- next part --------------
[global]
#
# General
#
   workgroup = FBK42
   server string = FBK Unix file and print server
;  hosts allow =
   debug level = 0
# The default for the log file is /usr/local/samba/var/log.smb and log.nmb.
# For debugging problems it is useful to build in the various variables,
# e.g. %m, %U. For security reasons these should always come after "log.",
# never before it. So e.g. log.%m, NEVER %m.log !!
# Since %m can be set freely by the client, particular care is needed here.
#  log file = /usr/local/samba/var/log.%U
   max log size = 200
   security = user
   encrypt passwords = yes
   socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
   name resolve order = host wins bcast
   time server = True
# Needed for guest access to the CD-ROM:
#  map to guest = Bad User
# Comment out when not in use!
#
# Browsing and the like
#
   local master = yes
   os level = 65
   domain master = yes
   preferred master = yes
   wins support = yes
   wins proxy = yes
   dns proxy = no
   remote announce = 131.246.15.255
#
# Permissions, case handling, locking, ....
#
   create mask = 0771
   directory mask = 0770
   security mask = 0777
   directory security mask = 0777
   inherit permissions = yes
# Needed since 2.0.7, otherwise the s bit is not inherited cleanly. CB
   short preserve case = No
# spnn complains when file extensions are upper-case after unpacking. CB
   veto files = /lost+found/
   locking = yes
   oplocks = true
   level2 oplocks = true
   blocking locks = true
#
# Extension for handling file names
#
# The "character set" entry alone is enough for umlauts in file names to be
# shown correctly under NT and Linux. But then all existing file names are
# shown wrongly. It can even happen that the files are then no longer shown
# under NT at all!! CB
#  character set = iso8859-1
#  client code page = 437
# GO has it this way, but according to the man page it is wrong. CB
#
# NT Domain ...
#
   domain logons = yes
   logon path = \\fbk\profiles
   logon drive = h:
   logon script = startnet.bat
### Tests for speed
   write cache size = 262144
   read size = 65536
   read prediction = true
# the last one supposedly has no effect any more
#####################################################################################
#
# For unix password sync to work, for 1.9.18p10 the file source/chagpasswd.c
# had to be edited before compiling! Keep this in mind when recompiling
# (other versions)!
# For 2.0.0beta1 this was no longer necessary.
# However RedHat, because of PAM, is picky about password changes:
# number of characters that stay the same, ... changing back to the old one, ..
#
# Maybe it is also a "time-out" problem. With 2.0.0beta2 it possibly helped
# to raise the corresponding value in source/smbd/chagpasswd.c from 4 to
# 6 or 8 sec. (?)
#
# Still seems to occur. Therefore when compiling samba-2.0.6 and 2.0.7 edited
# chagpasswd.c again to raise the timeout drastically. (lines 213 and 224)
# CB, 7.12.99
#
####################################################################################
   unix password sync = True
#  debug level = 100
#  passwd chat debug = true
   passwd chat = *New*password* %n\n *new*password* %n\n *updated\ssuccessfully*
   passwd program = /usr/bin/passwd.unix %u
#
# passwd was renamed to passwd.unix and /usr/bin/passwd is a link to /usr/local/samba/bin/smbpasswd
# Just for the users to keep it simple.
# I use a cron job that does a "cd /var/yp; make" every 15 minutes to push the NIS maps
# and changed passwords.
# I have seen "passwd program = /usr/bin/passwd.unix %u ; cd /var/yp; make" as well
####################################################################################

#============================ Share Definitions =============================
[printers]
   path = /var/spool/samba
   printing = bsd
#  lpq command = /usr/bin/lpq -P%p
   lpq command = /bin/echo
   lprm command = /usr/bin/lprm -P%p %j
#  print command = /usr/bin/lpr -r -s -P%p %s
   print command = /usr/local/samba/bin/print %p %s %m
   printable = true

[homes]
   comment = Home Directories
   valid users = %S
# [homes] creates shares of the form [<username>].
# Any user can connect to any of these shares, including the system accounts!!
# The entry above prevents that.
   invalid users = root
   browsable = no
   writable = yes
   map hidden = yes
   map system = yes

[u1]
   comment = 1st user disk
   path = /u1
   browsable = yes
   writable = yes
   map hidden = yes
   map system = yes

[u2]
   comment = 2nd user disk
   path = /u2
   browsable = yes
   writable = yes
   map hidden = yes
   map system = yes

[FBK]
   comment = FBK exchange and general directory
   path = /FBK
   browsable = yes
   writable = yes
   map archive = no

[Archiv]
   comment = Rather static things
   path = /archiv
   browsable = yes
   writable = yes
   map archive = no

[space]
   comment = Spill-over directories
   path = /space
   browsable = yes
   writable = yes
   map archive = no

[Program]
   comment = Program directory
# Actually "biff" belongs with [homes], but there sometimes seem to be
# spontaneous and therefore duplicate connections there. Now I hope that
# the rarely used [Program] also gets connected properly.
# See also \\fbk\netlogon\startnet.bat
   preexec = /usr/local/samba/bin/biff %u %m %H &
   postexec = /usr/local/samba/bin/biff.stop %u %m &
   path = /archiv/Programme
   browsable = yes
   writable = yes
   map archive = no

[cdrom]
   comment = The server CD-ROM
   preexec = mount /cdrom
   postexec = umount /cdrom
   path = /cdrom
   browsable = no
   writable = no
   map archive = no
   map hidden = no
   map system = no
   fake oplocks = yes
#  fstype = CDFS
#  public = yes
# See also "map to guest" in [global]

[profiles]
   comment = Share for the NT profiles
   path = %H/profile
   browsable = no
   writeable = yes
   map hidden = yes
   map system = yes

[profiles2]
   comment = Share for OS-dependent profiles
   path = %H/profile.%a
   browsable = no
   writeable = yes
   map hidden = yes
   map system = yes

[netlogon]
   comment = Net Logon Service
   path = /usr/local/samba/netlogon
   writeable = no
   public = no
   locking = no
   share modes = no
   map hidden = yes
   map system = yes
# Changes for the policies
   browseable = yes
   case sensitive = no
   preserve case = yes
   default case = yes

[htdocs]
   comment = WWW data
   path = /usr/local/apache/htdocs
   guest ok = no
   read only = no
   create mask = 0774
   directory mask = 0775
   map archive = no
   map hidden = no
   map system = no
   browsable = no
   short preserve case = Yes

# [test]
#  comment = Christian's test share
#  path = /u1/barth/temp/spd
#  browsable = no
#  writable = yes
#  locking = yes
#  oplocks = true
#  level2 oplocks = true
#  blocking locks = true
Hi Alexander,

The way update encrypted works is that your windows users, when they attempt to access your samba server, negotiate cleartext password in the smb negotiate protocol call that the client makes. So the username and password that the user has is sent cleartext to samba; samba then encrypts the password in standard unix 1-way encryption and validates it against the /etc/passwd file password. If this matches, it allows access, AND then encrypts the plaintext password it now has into the lm and nt password hashes that go into the smbpasswd file. Once all of your users have successfully accessed samba, and thus have their encrypted passwords in smbpasswd, you can then turn OFF update encrypted, and change encrypt passwords from NO to YES.

Hope this helps,

Don

-----Original Message-----
From: Alexander Lazarevich [mailto:alazarev@hera.itg.uiuc.edu]
Sent: Friday, November 09, 2001 1:03 PM
To: Todd Pfaff
Cc: Christian Barth; samba@samba.org
Subject: Re: samba PDC with NIS, or other solution?

we can allow cleartext, no problem (we've been using NIS for years). and i can't/won't crack 600 passwords. i just want to avoid telling 600 people that they have to re-enter their passwords, and i think i get the idea that it's possible, but i just don't understand it yet.

if there is no way to get encrypted passwords into the smbpasswd file, then, if what i'm trying to do is possible, there must be some other way to get cleartext passwords into the smbpasswd file. so how do i get my encrypted NIS file -> cleartext -> smbpasswd?

wait a second, i just read your email again and i think i got it: i use that script to generate the smbpasswd file (minus the passwords). then i set the smb.conf with 'update encrypted = yes'. then force all my clients to send cleartext passwords. will this do what i want? if so, then how does samba validate a user who is logging on if that user's password is not in the smbpasswd file? if it works this way, then anyone could log in (assuming they know a user alias name), submit any password they want and take control over that person's logon. it must not work this way. that would be a huge security hole. what am i misunderstanding? or do i just have to make all my users re-enter their passwords? once that's done, i would be set to go...

thanks as always,

alex
---                   ---
Alex Lazarevich       | Systems       | Imaging Technology Group
alazarev@itg.uiuc.edu | (217)244-1565 | www.itg.uiuc.edu
---                   ---

On Fri, 9 Nov 2001, Todd Pfaff wrote:
> On Fri, 9 Nov 2001, Alexander Lazarevich wrote:
>
> > i'm still unclear as to how, or if, i can get the current /etc/passwd file
> > from the current NIS master onto the new samba PDC (which will become
> > the new NIS master). in one of your emails you mentioned something about a
> > script that comes with the samba source that will create the smbpasswd
> > from disabled accounts. what is this script called? are there any man/docs
> > on it? will this script take an /etc/passwd file from an NIS master and
> > create a smbpasswd file from it? that seems too good to be true...
>
> The script that he mentions is for populating your smbpasswd file with
> all existing account information except for the encrypted password field.
> I don't know what the name of the script is that Christian is referring to
> but I've attached the one I wrote myself, and you could probably write
> such a script yourself. I also run a linux server as an NIS master and a
> samba PDC. I call the attached script from my NIS makefile to update the
> smbpasswd file whenever I modify passwd and run an NIS make.
>
> There is no way to directly convert the unix encrypted passwords to smb
> encrypted passwords other than cracking each password to get the
> cleartext equivalent and then creating the smbpasswd encrypted
> equivalent. Of course, this may not work for all passwords.
>
> The alternative method provided by samba relies on several things...
> - your smb client will use cleartext passwords if the server allows
> - the samba server has been configured to allow cleartext passwords
> - you have set 'update encrypted' appropriately in smb.conf
>
> Read the docs to figure out how to ensure the above conditions.
>
> If you can't allow cleartext passwords on your network then this method
> will not work for you.
>
> --
> Todd Pfaff                            \  Email: pfaff@mcmaster.ca
> Computing and Information Services    \  Voice: (905) 525-9140 x22920
> ABB 132                               \  FAX:   (905) 528-3773
> McMaster University                   \
> Hamilton, Ontario, Canada  L8S 4M1    \
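Added example, written for this page and not code from the thread, from Todd's attached script or from Samba itself. It models the two steps Todd and Don describe end to end: first the skeleton smbpasswd built from passwd lines with no usable hash (Samba 2.x ships a script for this as source/script/mksmbpasswd.sh; the function here does the same job), then what "update encrypted = yes" does on a user's first cleartext logon, i.e. the unix check that answers Alex's "anyone could log in with any password" worry, and finally a check of who still has no hash so you know when it is safe to switch "encrypt passwords" to yes. Assumptions, not facts from the page: crypt(3)/the NIS passwd map is stood in for by a salted SHA-256 (only its one-way property matters), the LM hash is left unset because it needs DES and adds nothing to the point, MD4 is implemented inline because hashlib's md4 is often disabled, and the sample accounts and passwords are constructed.

```python
"""Added example (not from the thread or from Samba): the migration steps the
replies describe, in pure Python so they run offline.
  skeleton_smbpasswd(): what Todd's script and Samba's source/script/mksmbpasswd.sh
      do, passwd lines -> smbpasswd entries whose LM/NT fields are 32 'X's.
  cleartext_logon(): 'encrypt passwords = no' + 'update encrypted = yes' on a
      user's first logon: unix check first, only then is the NT hash stored.
  not_yet_migrated(): who still has no hash, i.e. when it is safe to switch to
      'encrypt passwords = yes' and drop 'update encrypted'.
Assumptions: crypt(3)/the NIS map is stood in for by a salted SHA-256 (only the
one-way property matters); the LM hash is left unset (needs DES, adds nothing);
SAMPLE_* data is constructed."""
import hashlib
import hmac
import struct

NO_HASH = "X" * 32  # placeholder mksmbpasswd.sh writes; matches no real hash


def _md4(data: bytes) -> bytes:
    """MD4 per RFC 1320 in pure Python (hashlib's md4 is often disabled)."""
    mask = 0xFFFFFFFF
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (  # (function, constant, word order, shifts) for rounds 1-3
        (f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = rol((a + fn(b, c, d) + x[k] + const) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate so the next step updates old d
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash as stored in smbpasswd: MD4 of the UTF-16LE password, upper hex."""
    return _md4(password.encode("utf-16-le")).hex().upper()


def skeleton_smbpasswd(passwd_lines, min_uid=0):
    """passwd / passwd.byname lines -> {user: entry}, both hashes unset."""
    db = {}
    for line in passwd_lines:
        f = line.rstrip("\n").split(":")
        if line.startswith("#") or len(f) < 7 or int(f[2]) < min_uid:
            continue
        db[f[0]] = {"uid": int(f[2]), "lm": NO_HASH, "nt": NO_HASH, "flags": "U", "gecos": f[4]}
    return db


def smbpasswd_line(user, e):
    """Samba 2.x smbpasswd record: user:uid:LM:NT:[flags]:LCT-hex:comment"""
    return f"{user}:{e['uid']}:{e['lm']}:{e['nt']}:[{e['flags']:<11}]:LCT-00000000:{e['gecos']}"


def unix_hash(password, salt):
    """Stand-in for crypt(3) (assumption): salted SHA-256, one-way like the real thing."""
    return salt + "$" + hashlib.sha256((salt + password).encode()).hexdigest()


def unix_check(unix_db, user, password):
    stored = unix_db.get(user)
    return stored is not None and hmac.compare_digest(
        unix_hash(password, stored.split("$", 1)[0]), stored)


def cleartext_logon(unix_db, smb_db, user, password):
    """One cleartext logon under 'update encrypted = yes'. The password must pass
    the unix check before anything is written, so a guessed password is rejected
    and the X placeholders stay: nobody can take over an entry this way."""
    if user not in smb_db or not unix_check(unix_db, user, password):
        return False  # entry must exist (from skeleton_smbpasswd) and password match
    smb_db[user]["nt"] = nt_hash(password)  # LM hash omitted here (needs DES)
    return True


def not_yet_migrated(smb_db):
    """Users still without an NT hash; cut over only once this is empty."""
    return sorted(u for u, e in smb_db.items() if e["nt"] == NO_HASH)


SAMPLE_PASSWD = [  # constructed sample lines, not real accounts
    "root:x:0:0:root:/root:/bin/sh",
    "alice:x:1001:100:Alice Example:/home/alice:/bin/tcsh",
    "bob:x:1002:100:Bob Example:/home/bob:/bin/bash",
]
SAMPLE_UNIX_DB = {"alice": unix_hash("correct horse", "ab"), "bob": unix_hash("hunter2", "cd")}

if __name__ == "__main__":
    smb = skeleton_smbpasswd(SAMPLE_PASSWD, min_uid=500)
    print("\n".join(smbpasswd_line(u, e) for u, e in smb.items()))
    print(cleartext_logon(SAMPLE_UNIX_DB, smb, "alice", "wrong"), not_yet_migrated(smb))
    print(cleartext_logon(SAMPLE_UNIX_DB, smb, "alice", "correct horse"), not_yet_migrated(smb))
```

The order of operations in cleartext_logon is the whole answer to the security question raised in the thread: the cleartext password is checked against the existing unix hash first, and the NT hash is only ever derived from a password that already passed that check, so the skeleton entries cannot be claimed by guessing. The price, as Todd says, is that every user's password crosses the wire in the clear once during the migration window, and not_yet_migrated tells you when that window can be closed.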