Greetings -

This may be a little off-topic here so if someone wants to point me to a more appropriate mailing list I would appreciate it.

I administer the network for my small company and am preparing to install a new server in the next month or so. It will be running CentOS 6 and function primarily as a Samba file server to 10 Windows workstations (XP, Vista, 7). It will also host our OpenVPN server and possibly our FTP server; however I am hoping to move our FTP server to a gateway box when the new server is installed.

The issue that I would like to be able to resolve when the new server is installed, is that currently if a user wants to change the password on their Windows workstation, I have to manually update that new password on the Linux user account, and also manually change the Samba user account. Manually updating the password in three different locations is a minor headache that I would like to correct. I have been researching and reading lots of information about account management to try and understand what is available, and what would be the best fit for my network size. Much of what I have read is related to larger networks or larger user bases, which seem to have a lot of extraneous stuff that would be unnecessary in my small user environment. I looked into OpenLDAP, and have recently been reading about Samba/Winbind. But after encountering the following statement in the Samba documentation, I am still lost about what I could, or should, be using.

"A standalone Samba server is an implementation that is not a member of a Windows NT4 domain, a Windows 200X Active Directory domain, or a Samba domain. By definition, this means that users and groups will be created and controlled locally, and the identity of a network user must match a local UNIX/Linux user login. The IDMAP facility is therefore of little to no interest, winbind will not be necessary, and the IDMAP facility will not be relevant or of interest."

My only goal is to be able to allow my users to change their Windows password at their workstation and have it perpetuate through the system so that it also changes their Linux User and Samba User account passwords. I don't expect to ever have more than a dozen users, so I want something that fits our size network and is simple to administer. I am not looking for a how-to to set something up, but some opinions about what I should consider using, and why it would be a good fit to achieve my goal. I can do the additional research to understand configuration once I know what I should be researching. Thanks. Please cc me directly, as I only get the list in daily digest mode.

Jeff Boyce
Meridian Environmental
m.roth at 5-cent.us
2011-Apr-21 18:51 UTC
[CentOS] User accounts management for small office
Jeff Boyce wrote:
> Greetings -
>
> This may be a little off-topic here so if someone wants to point me to a
> more appropriate mailing list I would appreciate it.
<snip>
> The issue that I would like to be able to resolve when the new server is
> installed, is that currently if a user wants to change the password on
> their Windows workstation, I have to manually update that new password on the
> Linux user account, and also manually change the Samba user account.
> Manually updating the password in three different locations is a minor
> headache that I would like to correct. I have been researching and
<snip>

You *could* do it with openldap, with the WinDoze boxen authenticating through that. Now, I'll warn you that though it may have improved, a few years ago, openldap was a nightmare to configure, the documentation dreadful where it wasn't almost useless, and googling involved a *lot* of searching. However, I did put it in in '06 for what wound up to be about 14 or 15 folks, and it worked, and they could change passwords themselves.

mark
On 4/21/2011 1:39 PM, Jeff Boyce wrote:
> Greetings -
>
> This may be a little off-topic here so if someone wants to point me to a
> more appropriate mailing list I would appreciate it.
>
> I administer the network for my small company and am preparing to install a
> new server in the next month or so. It will be running CentOS 6 and
> function primarily as a Samba file server to 10 Windows workstations (XP,
> Vista, 7). It will also host our OpenVPN server and possibly our FTP
> server; however I am hoping to move our FTP server to a gateway box when the
> new server is installed.

Have you looked at the ClearOS distribution? It comes up with a simple web interface to manage all of this with authentication done with a pre-configured LDAP setup. I think LDAP replication is slated for the next version - which is waiting for CentOS 6 for its components but you'd only need that if you have several different servers and want changes to propagate across them.

--
Les Mikesell
lesmikesell at gmail.com
I'd say base it on OpenLDAP. As far as the password change option, one simple but effective system is the passwd.cgi script from cgipaf: <http://freshmeat.net/projects/cgipaf/> Although you already have to provide your old password to do an update, putting it behind http-basic authentication will allow you to use things like fail2ban to protect against brute forcing. Devin
----- Original Message -----
From: "Jeff Boyce" <jboyce at meridianenv.com>
To: <centos at centos.org>
Sent: Thursday, April 21, 2011 11:39 AM
Subject: User accounts management for small office

> Greetings -
>
> This may be a little off-topic here so if someone wants to point me to a
> more appropriate mailing list I would appreciate it.
>
> I administer the network for my small company and am preparing to install
> a new server in the next month or so. It will be running CentOS 6 and
> function primarily as a Samba file server to 10 Windows workstations (XP,
> Vista, 7). It will also host our OpenVPN server and possibly our FTP
> server; however I am hoping to move our FTP server to a gateway box when
> the new server is installed.
>
> The issue that I would like to be able to resolve when the new server is
> installed, is that currently if a user wants to change the password on
> their Windows workstation, I have to manually update that new password on
> the Linux user account, and also manually change the Samba user account.
> Manually updating the password in three different locations is a minor
> headache that I would like to correct. I have been researching and
> reading lots of information about account management to try and understand
> what is available, and what would be the best fit for my network size.
> Much of what I have read is related to larger networks or larger user
> bases, which seem to have a lot of extraneous stuff that would be
> unnecessary in my small user environment. I looked into OpenLDAP, and
> have recently been reading about Samba/Winbind. But after encountering
> the following statement in the Samba documentation, I am still lost about
> what I could, or should, be using.
> "A standalone Samba server is an implementation that is not a member of a
> Windows NT4 domain, a Windows 200X Active Directory domain, or a Samba
> domain. By definition, this means that users and groups will be created
> and controlled locally, and the identity of a network user must match a
> local UNIX/Linux user login. The IDMAP facility is therefore of little to
> no interest, winbind will not be necessary, and the IDMAP facility will
> not be relevant or of interest."
>
> My only goal is to be able to allow my users to change their Windows
> password at their workstation and have it perpetuate through the system so
> that it also changes their Linux User and Samba User account passwords. I
> don't expect to ever have more than a dozen users, so I want something
> that fits our size network and is simple to administer. I am not looking
> for a how-to to set something up, but some opinions about what I should
> consider using, and why it would be a good fit to achieve my goal. I can
> do the additional research to understand configuration once I know what I
> should be researching. Thanks. Please cc me directly, as I only get the
> list in daily digest mode.
>
> Jeff Boyce
> Meridian Environmental

Thanks to everyone that replied, you have helped me understand what direction I should be going (or staying away from). Here are the highlights and my comments to some of the suggestions that were provided, since I can't respond to every thread from the digest.

The opinions both for and against OpenLDAP have made me take a little closer look at it, but my conclusion is that it is more cumbersome than what I really want to handle right now for the size of the network.

I have looked closer at Samba/Wins/Winbind, etc. and it looks like the main source of my current problem is that my Samba network is set up now as a Workgroup and not as a Domain. I didn't understand that difference when I ran across the quote I included above. It looks like if I change to a Domain and configure it properly with Wins/Winbind that I should be able to have the single point password changing option occur from the Windows desktop.
I am now re-reading sections of my copy of the Definitive Guide to Samba 3 which should help me (although it was published before Vista and 7, which all my workstations are now).

Also thanks to some for the suggestions of using ClearOS or Webmin. I do have Webmin installed and use it for some of my administrative functions. So if I do try playing around with OpenLDAP I will certainly see if it will reduce my learning curve on getting it set up properly. With the new gateway box that I mentioned above, I have been planning on installing ClearOS on it, so I will take a look at how it might be used to learn about using LDAP. Although I was thinking to have this box function more strictly as a gateway than providing services to the internal LAN.

Jeff
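Jeff's conclusion (a Samba domain rather than a workgroup, with the Linux password kept in step) maps onto a Samba 3 PDC configuration. The smb.conf below is an added illustration, not from this thread or any of its posters; it assumes Samba 3 on CentOS 6 with the tdbsam backend, and the workgroup, NetBIOS name, subnet and "machines" group are placeholders.

```ini
# Added example: minimal Samba 3 PDC on CentOS 6 using tdbsam, so that a
# password change made from a domain-joined Windows desktop updates the
# Samba account and, via "unix password sync", the Linux account as well.
# Workgroup, NetBIOS name and subnet are placeholders for this example.
[global]
   workgroup = EXAMPLEDOM
   netbios name = FILESERVER
   server string = Samba PDC
   security = user
   passdb backend = tdbsam

   # Make this box the domain controller, browse master and WINS server
   domain logons = yes
   domain master = yes
   local master = yes
   preferred master = yes
   os level = 65
   wins support = yes

   # Push a Windows-initiated password change into /etc/shadow.
   # Samba runs "passwd" as root, so only the new-password prompts appear;
   # the chat strings match passwd's prompts on CentOS 6 and must be
   # adjusted if the prompts on your system differ.
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

   # Machine trust accounts are created when a workstation joins the domain;
   # the "machines" group is assumed to exist (groupadd machines).
   add machine script = /usr/sbin/useradd -d /dev/null -g machines -s /sbin/nologin -M %u

   # Keep the usual protections: no guest mapping, local subnets only
   map to guest = Never
   hosts allow = 127. 192.168.1.

[netlogon]
   comment = Domain logon service
   path = /var/lib/samba/netlogon
   read only = yes
   browseable = no
```

Run testparm to validate the file before restarting smb and nmb; each user still needs a Unix account plus an initial smbpasswd -a entry, after which password changes from the Windows desktop keep the Samba and Linux passwords in step.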