Phil Allred
2007-Mar-09 02:14 UTC
[Fedora-directory-users] Samba/Fedora DS/Windows Password Sync
Here at Brooklyn Law School, we use Fedora DS together with a samba schema quite successfully. All students and most faculty log in to lab computers and desktops that are members of a Samba domain. We avoid using NT servers as much as possible for open source reasons, but our faculty is hoping we can move them to an exchange server running on NT 2003. In a test environment, we were able to get password sync happening between an NT server and a replica of our DS, but are wondering how to keep our samba passwords updated. Currently, we have a web front end pointed at a perl script loosely based on the smb-ldap scripts from IDEALX. These keep our sambantpassword, sambalmpassword, and unix passwords synced.

If we continue to use this script to update passwords on Fedora DS, will fedora pick up the password and send it down to the windows server? I assume there is not much I could do to get it to work in the other direction, which would be ok -- we would require users to continue to change their passwords through our web front end.

Any thoughts or suggestions would be greatly appreciated.

Phil Allred
Bliss, Aaron
2007-Mar-09 14:05 UTC
RE: [Fedora-directory-users] Samba/Fedora DS/Windows Password Sync
Phil,

After you set up your native windows domain, you can join your samba server to the domain and configure it to use the domain controller for authentication.

Aaron
Jeff Gamsby
2007-Mar-09 19:57 UTC
Re: [Fedora-directory-users] Samba/Fedora DS/Windows Password Sync
Using PassSync, changing the passwords from the AD/NT side will also change passwords on the Fedora DS side. It will not however change the Samba passwords. If you have "ldap passwd sync = yes" in your Samba config, then you can use smbpasswd to change all passwords at the same time. If you migrate over to an AD server in place of Samba, you can use domain logins and have users change their password in Windows which would also change the Fedora DS password as well.

Jeff

--
Jeff Gamsby
Center for X-Ray Optics
Lawrence Berkeley National Laboratory
(510) 486-7783
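The Samba setting named in the post above, shown in context as an added example that is not part of the original message or any poster's configuration. The host name, suffixes and bind DN are placeholders; only `ldap passwd sync = yes` comes from the thread.

```ini
[global]
    # Samba accounts live in the LDAP directory (placeholder host).
    passdb backend = ldapsam:ldap://ds.example.edu
    ldap suffix = dc=example,dc=edu
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers

    # Bind DN Samba uses to write password attributes (placeholder).
    # Its password is stored in secrets.tdb with `smbpasswd -w`,
    # not in this file.
    ldap admin dn = cn=Directory Manager

    # Password changes travel over this connection, so use StartTLS.
    ldap ssl = start tls

    # no   (default): a change made through Samba rewrites only
    #      sambaNTPassword / sambaLMPassword.
    # yes: the same change also updates the LDAP (Unix) password,
    #      so smbpasswd keeps all of them in step.
    # only: update just the LDAP password and leave the rest to the
    #      directory server.
    ldap passwd sync = yes
```

This setting only governs password changes made through Samba; as the post says, changes arriving from AD through PassSync do not update the Samba hashes.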
Les Mikesell
2007-Mar-09 20:37 UTC
Re: [Fedora-directory-users] Samba/Fedora DS/Windows Password Sync
Jeff Gamsby wrote:
> Using PassSync, changing the passwords from the AD/NT side will also
> change passwords on the Fedora DS side. It will not however change the
> Samba passwords. If you have "ldap passwd sync = yes" in your Samba
> config, then you can use smbpasswd to change all passwords at the same
> time. If you migrate over to an AD server in place of Samba, you can use
> domain logins and have users change their password in Windows which
> would also change the Fedora DS password as well.

Is there a way to sync from AD and then use LDAP authentication for Linux boxes that don't know about AD? I thought I saw something earlier that said the Posix account information didn't sync. If that is true can you configure Linux to use whatever password does sync?

--
Les Mikesell
lesmikesell@gmail.com
Jeff Gamsby
2007-Mar-09 21:30 UTC
Re: [Fedora-directory-users] Samba/Fedora DS/Windows Password Sync
> Is there a way to sync from AD and then use LDAP authentication for
> Linux boxes that don't know about AD? I thought I saw something
> earlier that said the Posix account information didn't sync. If that
> is true can you configure Linux to use whatever password does sync?

Yes, I think that is the preferred method. Have windows users talk to AD and Linux users talk to LDAP. You can use LDAP for authentication and to store the automount maps for home directories.

I believe that is correct, only passwords, groups, account deletion/creation are covered. You wouldn't want to create accounts on the AD side.

For example, I have a Fedora DS server that serves mail/web/samba authentication, but have an AD server that serves all windows domain accounts. The PassSync gives me a way of having a "single-sign on" so users only have to change one password. I used to use an OpenLDAP/Samba PDC configuration, but this works much better.

If you still want to use Samba as a file server, you can use Idmap which is stored on the LDAP server to maintain the uid/gid mappings to make users/permissions almost completely transparent between platforms.

--
Jeff Gamsby