Edward Yantis
2002-Jul-12 20:23 UTC
[Samba] Comments / suggestions wanted - Winbind, 2K, and user Homes
I have a single AD domain with 4 domain controllers (win2k-not native mode). I want all users to login to AD (clients from 98 to XP - no linux clients yet).

This is a school network with 4 campuses connected by wireless links (hence the 4 domain controllers) and I would like to put a samba server at each location for student home directories (basically a NAS setup to start with). There will be no need to access win2k shares from linux machines.

Can Samba/winbind create the user's home directories automatically without creating a linux account on the samba server? I have about 1400 accounts that I have to manage by myself and do not want to have to deal with accounts on multiple systems.

(assuming samba/winbind can create the home directories or they can be created via a script) Since all users are in the same AD domain, how can I ensure that only the home directories for a particular campus get created on the corresponding server? I have the users separated in the AD with an OU for each campus.

Thanks for any comments or suggestions.

Yantis
Andrew Bartlett
2002-Jul-14 07:52 UTC
[Samba] Comments / suggestions wanted - Winbind, 2K, and user Homes
Edward Yantis wrote:
> I have a single AD domain with 4 domain controllers (win2k-not native mode). I want all
> users to login to AD (clients from 98 to XP - no linux clients yet).
>
> This is a school network with 4 campuses connected by wireless links (hence the 4 domain
> controllers) and I would like to put a samba server at each location for student home
> directories (basically a NAS setup to start with). There will be no need to access win2k
> shares from linux machines.

Samba is run in many NAS boxes - doing your own should not be a problem :-)

> Can Samba/winbind create the user's home directories automatically without creating a
> linux account on the samba server? I have about 1400 accounts that I have to manage by
> myself and do not want to have to deal with accounts on multiple systems.
>
> (assuming samba/winbind can create the home directories or they can be created via a
> script) Since all users are in the same AD domain, how can I ensure that only the home
> directories for a particular campus get created on the corresponding server? I have the
> users separated in the AD with an OU for each campus.
>
> Thanks for any comments or suggestions.

Should be possible with either Samba 2.2 or Samba HEAD (featuring LDAP and kerberos based ADS support, as opposed to RPC and NTLM in 2.2). If you use pam_winbind to create the home directories, they will be created on demand, and won't appear on the 'wrong' server unless somebody logs into it. The extra accounts will appear, but that should not be an issue.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
Buchan Milne
2002-Jul-15 04:11 UTC
[Samba] Comments / suggestions wanted - Winbind, 2K, and user Homes
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

| Message: 15
| Date: Fri, 12 Jul 2002 14:06:44 -0500
| From: Edward Yantis <yantis@hyperhog.net>
| To: samba@lists.samba.org
| Subject: [Samba] Comments / suggestions wanted - Winbind, 2K, and user Homes
|
| I have a single AD domain with 4 domain controllers (win2k-not native mode). I want all
| users to login to AD (clients from 98 to XP - no linux clients yet).
|
| This is a school network with 4 campuses connected by wireless links (hence the 4 domain
| controllers) and I would like to put a samba server at each location for student home
| directories (basically a NAS setup to start with). There will be no need to access win2k
| shares from linux machines.
|
| Can Samba/winbind create the user's home directories automatically without creating a
| linux account on the samba server? I have about 1400 accounts that I have to manage by
| myself and do not want to have to deal with accounts on multiple systems.

Yes, see pam_mkhomedir, which you will need to add a session section for each service that should be able to create home directories in the service's /etc/pam.d/ file (/etc/pam.d/samba for samba). You will also need to add "obey pam restrictions = yes" to your smb.conf to make samba use the entry.

A sample system-auth-winbind (suitable to replace /etc/pam.d/system-auth for use for full authentication via winbind, or you can replace "service=system-auth" with "service=system-auth-winbind" selectively) is available in the packaging/Mandrake directory of the samba source. It includes a pam_mkhomedir example, and should work if your existing /etc/pam.d/samba file uses pam_stack with service=system-auth.

|
| (assuming samba/winbind can create the home directories or they can be created via a
| script) Since all users are in the same AD domain, how can I ensure that only the home
| directories for a particular campus get created on the corresponding server? I have the
| users separated in the AD with an OU for each campus.
|

This I think would only be possible with separate domains, as pam_mkhomedir does not create parent directories, so you could create a parent directory for the domain you want to support. I don't know if it is possible with different OUs in AD, though definitely not via winbind.

You may be able to access your AD domain via nss_ldap or pam_ldap, and use a filter on each machine. Thus, you would be doing user/group enumeration by LDAP and authentication via winbind. I am not sure how well that works with AD, but this is what we do with a samba PDC and openldap. You might need the unix extensions for AD, but then you have no reason to use LDAP (which does uidNumber/gidNumber<->rid, which has no purpose if you store uidNumber/gidNumber in AD).

Buchan

- -- 
|----------------Registered Linux User #182071-----------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x202
Stellenbosch Automotive Engineering           http://www.cae.co.za
GPG Key   http://ranger.dnsalias.com/bgmilne.asc   1024D/60D204A7
2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE9Mq18rJK6UGDSBKcRAh9YAKCCJTj9JlvLL7n9obR1ehykblv96wCfQV6v
A3+kQMkMyA2wXCfegxtkgMI=
=o17+
-----END PGP SIGNATURE-----
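Putting the two replies together, here is an added example (not code from either post, nor from the Samba project) that stages the pieces both describe: an /etc/pam.d/samba that authenticates through pam_winbind and runs pam_mkhomedir in the session phase, an smb.conf with "obey pam restrictions = yes" so Samba actually honours that PAM session entry, and the pre-created per-domain parent directory that Buchan notes pam_mkhomedir will not create for you. Assumptions: the domain's NetBIOS name is SCHOOL, home trees live under /home, and the Samba 2.2-era "winbind uid"/"winbind gid" range parameters are used; the script writes everything to a staging directory (default ./samba-winbind-stage), never to the live /etc.

```shell
#!/bin/sh
# Constructed example: stage a Samba + winbind + pam_mkhomedir configuration
# in a scratch directory so it can be reviewed before copying into /etc.
# Nothing here is taken from the mailing-list posts; values are assumptions.

STAGE="${STAGE:-./samba-winbind-stage}"   # assumption: staging root, not /etc
DOMAIN="${DOMAIN:-SCHOOL}"                # assumption: NetBIOS name of the AD domain
HOMEBASE="${HOMEBASE:-/home}"             # assumption: root of the per-domain home trees

write_pam_samba() {
    # /etc/pam.d/samba: auth and account via winbind; the session phase lets
    # pam_mkhomedir build the home directory on first logon.  umask=0077 makes
    # a new student home private to its owner from the moment it exists.
    mkdir -p "$STAGE/etc/pam.d"
    cat > "$STAGE/etc/pam.d/samba" <<EOF
auth     required  pam_winbind.so
account  required  pam_winbind.so
session  required  pam_mkhomedir.so skel=/etc/skel umask=0077
session  required  pam_winbind.so
EOF
}

write_smb_conf() {
    # "obey pam restrictions = yes" is the switch that makes smbd run the PAM
    # session stack; without it the pam_mkhomedir line above is never reached.
    mkdir -p "$STAGE/etc/samba"
    cat > "$STAGE/etc/samba/smb.conf" <<EOF
[global]
   workgroup = $DOMAIN
   security = domain
   password server = *
   obey pam restrictions = yes
   winbind uid = 10000-20000
   winbind gid = 10000-20000
   winbind separator = +
   template homedir = $HOMEBASE/%D/%U
   template shell = /bin/false

[homes]
   comment = Student home directory
   browseable = no
   read only = no
   create mask = 0600
   directory mask = 0700
EOF
}

stage_parent_dir() {
    # Per the thread, pam_mkhomedir does not create parent directories, so the
    # per-domain parent must exist before the first user logs on.  0711 lets
    # smbd traverse it without letting students list each other's homes.
    mkdir -p "$STAGE$HOMEBASE/$DOMAIN"
    chmod 0711 "$STAGE$HOMEBASE/$DOMAIN"
}

# check_config returns 0 only when all three pieces are present.  Missing any
# one of them means no home directory gets created and the logon fails
# without an obvious error, so this is the check to run before deployment.
check_config() {
    grep -q 'pam_mkhomedir.so' "$STAGE/etc/pam.d/samba" || return 1
    grep -qi '^[[:space:]]*obey pam restrictions[[:space:]]*=[[:space:]]*yes' \
        "$STAGE/etc/samba/smb.conf" || return 1
    [ -d "$STAGE$HOMEBASE/$DOMAIN" ] || return 1
    return 0
}

write_pam_samba
write_smb_conf
stage_parent_dir
check_config && echo "staged configuration looks complete under $STAGE"
```

Run it once, inspect the staged files, then copy them into place and restart smbd and winbindd. The useful part is check_config: the failure mode the thread warns about is a correct PAM file that Samba silently ignores because "obey pam restrictions" is absent, and that is exactly the combination the check refuses to pass.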