Hi all. I'm running 1.9.17p1 on two Linux boxes, each having three shares available to a group of NT 3.51 and 4.0 workstation SP3/5 boxes. Also one of the NT boxes is sharing a printer and three local shares. There is no NT server available on the network.

My users have some unexpected complaints that I hoped someone could help me with.

1. Three shares per machine is becoming too many to manage. The users get confused as to which drive letter goes to which machine/share. Is there a better way to define how the drives and shares are laid out, so it's easier from a user perspective?

3. Is there a way to manage the list of users that are on each machine, rather than modifying the Linux box directly? Is it possible to have a common place to store the list of users that will be using the shares? In other words, the user has to log into his local machine, then use the file manager to connect to the share, and also specify the username that he will be connecting as. It then prompts him for a passwd.

How can I have the user simply log into the local NT box, and automagically be allowed to connect to the remote linux shares, and not have to specify a password?

I tried working with the netlogon scripts, but I could not get it working. Is this the proper method to define drive mappings when the user logs in? Would I be better off creating a login script for each user on the local machines, that defines which shares the user can connect to, and which drive it maps to? Possibly someone could provide an example?

3. Continuing with the last question, is it possible to have a central machine that contains all usernames? It seems one user can log in to different machines in the office, so I must provide login IDs for each user at each of the 15 or so machines.. This is very time consuming, and passwords need to be changed at each station. Is this the purpose of NT server?

4. Does anyone have any experience with Apache and samba? It seems the users are having problems using Composer, and 'Publishing' the documents to the web server. I don't have all the details at this point, but I hoped someone might know of a reference to find more information on this topic..

I'm really looking forward to any ideas you might have.

Thanks,
Dave Wreski

I'll take a stab at this question. I'm curious what other people think about these problems.

>1. Three shares per machine is becoming too many to manage. The users
>get confused as to which drive letter goes to which machine/share. Is
>there a better way to define how the drives and shares are laid out, so
>it's easier from a user perspective?

I'm not sure exactly what you mean. I'm assuming that you have 6 drive letters (say, G through M) mapped to the six shares, three on each Linux machine. Is the problem that users have trouble remembering which drive letter is mapped to which share? If that's the case, here are some possible solutions:

1) If the programs they are using support them, use UNC names (\\SERVERNAME\SHARENAME). I find that sometimes these are easier for people to remember than single drive letters.

2) You could change the 6 shares to 2 shares-- one on each Linux machine. If access privileges are different for each share you can govern access using UNIX privileges. This would mean users only need to remember two drive letters or sharenames.

3) You could encourage users to access the drives through the network neighborhood or through shortcuts you add to all profiles. I find that most of my users have an easier time navigating the Network Neighborhood than remembering drive letters or share names. It also encourages an understanding of what the network looks like, from a Windows perspective at least.

>3. Is there a way to manage the list of users that are on each machine,
>rather than modifying the Linux box directly? Is it possible to have a
>common place to store the list of users that will be using the shares? In
>other words, the user has to log into his local machine, then use the
>file manager to connect to the share, and also specify the username that he
>will be connecting as. It then prompts him for a passwd.
>
>How can I have the user simply log into the local NT box, and
>automagically be allowed to connect to the remote linux shares, and not
>have to specify a password?

One solution is to set "hosts allow" to only allow access by the IP addresses used by your Windows NT machines, "security = server" and "password server = %m". This would cause passwords to be validated by asking the connecting machine if the password is valid. This is, obviously, a HUGE security risk and can only be used if you trust the connecting machine to correctly authenticate users. It only works if you completely trust your users, you are on an isolated network, and/or only you (or other trusted users) have the right to add users to the Windows NT machines. It is still not optimum security-- someone may be able to access your machine remotely by spoofing an IP address. Depending on your security needs, this solution may be adequate, though. You could then use "write list", "read list" and/or UNIX file permissions to regulate specific types of access.

>I tried working with the netlogon scripts, but I could not get it working.
>Is this the proper method to define drive mappings when the user logs in?
>Would I be better off creating a login script for each user on the local
>machines, that defines which shares the user can connect to, and which
>drive it maps to? Possibly someone could provide an example?

Do you mean the script specified by the "logon script" parameter? Somebody correct me if I'm wrong, but I thought that currently only worked with Windows 95 clients. You could manually specify a logon script in everybody's profile, but since you are only using NT Workstation, you would have to do this for every user on every machine.

>3. Continuing with the last question, is it possible to have a central
>machine that contains all usernames? It seems one user can log in to
>different machines in the office, so I must provide login IDs for each
>user at each of the 15 or so machines.. This is very time consuming, and
>passwords need to be changed at each station. Is this the purpose of NT
>server?

This is indeed the purpose of an NT server. Actually, if you have 15 machines running NT workstation, you should seriously consider running NT server. As much as I like using non M$ solutions when I can, this is a case where you will probably save a lot of grief by running NT server. This statement comes from experience. You will be able to manage accounts centrally. This will also solve the password problem in the last question-- if you set the NT server to be the password server, your users will be able to transparently connect to the Linux servers.

There is an effort to reverse engineer the protocol used to implement NT distributed security. Samba (or some other system) may some day allow you to implement centralized security from a non-NT machine. NT 5.0 promises to allow Kerberos to be used as an authentication option. If that actually happens you can run the Kerberos principal database on your Linux machine and handle all passwords from there.

>4. Does anyone have any experience with Apache and samba? It seems the
>users are having problems using Composer, and 'Publishing' the documents
>to the web server. I don't have all the details at this point, but I
>hoped someone might know of a reference to find more information on this
>topic..

Without any more info I can't help you, other than to say that I am running both Apache and Samba with no obvious problems.

g'luck,
-john.

John.D.Blair
sys|net.admin
mailto:jdblair@uab.edu phoneto:205.975.7123
http://frodo.tucc.uab.edu faxto:205.975.7129
the university computer center
g.e.e.k.n.i.k...the.university.of.alabama.at.birmingham

At 05:17 PM 10/12/97 +1000, Dave Wreski wrote:
>
>Hi all. I'm running 1.9.17p1 on two Linux boxes, each having three shares
>available to a group of NT 3.51 and 4.0 workstation SP3/5 boxes. Also one
>of the NT boxes is sharing a printer and three local shares. There is no
>NT server available on the network.
>
>My users have some unexpected complaints that I hoped someone could help
>me with.
>
>1. Three shares per machine is becoming too many to manage. The users
>get confused as to which drive letter goes to which machine/share. Is
>there a better way to define how the drives and shares are laid out, so
>it's easier from a user perspective?

This is a management problem which will also occur on a WinNTserver setup. Although you can arrange it any way you want, there are some practices that can make it easier. One of them is a common files system approach. I use this myself. For a small number of servers, it is quite convenient, provided that the LAN isn't too crowded. I use NFS to create a common files system between two of my Linux servers. On each server, the directory structure looks identical.

I have two home directories, one for STAFF and another for USERS. Using NFS, and a series of sym-links, both home branches appear as if they were on the same machine. They are not. Each one is on a different machine. Now recall that Samba will share out an NFS mounted file system. Both machines share out the same [homes] directories, except that the STAFF directories will only share RW from the STAFF machine.

On the client-side, I permanently mount U:\ as the user's home directory. All their user-specific stuff is there. Users do not use local storage for their workspace. For my accounting staff, I have a LEDGERS directory which is forced to an accounting uuid and gid. Of course, I have controls on who can mount that share. I then tell them that U: is for USER and L: is for LEDGERS. Most of my users do not know how to mount and dis-mount shares, although some are learning. Windows applications are loaded locally for each WinNTworkstation, this is why there is no local storage available, it's filled with MS-bloatware. Besides, it also makes back-ups easier. The performance hit is minimal, on a 100baseTX FDX LAN, since the LAN is almost as fast as the server's hard-drives.

I also have workgroup directories mounted under W:\, for Working Group, and mount the appropriate share for the user's primary gid at that location. I've assigned P:\ as a corporate public share and F:\ as the FTP area, assigning the appropriate directory from the NFS space..

>3. Is there a way to manage the list of users that are on each machine,
>rather than modifying the Linux box directly? Is it possible to have a
>common place to store the list of users that will be using the shares? In
>other words, the user has to log into his local machine, then use the
>file manager to connect to the share, and also specify the username that he
>will be connecting as. It then prompts him for a passwd.
>
>How can I have the user simply log into the local NT box, and
>automagically be allowed to connect to the remote linux shares, and not
>have to specify a password?

This one is more difficult. I ran into some severe security bugs, with WinNTws40SP3 and require users' passwords on login. I don't have the time to explain it, but this is a more secure approach, especially if any of your machines are shared among multiple users, which some of mine are.

>I tried working with the netlogon scripts, but I could not get it working.
>Is this the proper method to define drive mappings when the user logs in?
>Would I be better off creating a login script for each user on the local
>machines, that defines which shares the user can connect to, and which
>drive it maps to? Possibly someone could provide an example?

I set it up once, for each user, and they're permanently connected at start-up.

>3. Continuing with the last question, is it possible to have a central
>machine that contains all usernames? It seems one user can log in to
>different machines in the office, so I must provide login IDs for each
>user at each of the 15 or so machines.. This is very time consuming, and
>passwords need to be changed at each station. Is this the purpose of NT
>server?

I don't have this problem, but I recommend looking into setting up a WinNTws40 box as a password-server.

>4. Does anyone have any experience with Apache and samba? It seems the
>users are having problems using Composer, and 'Publishing' the documents
>to the web server. I don't have all the details at this point, but I
>hoped someone might know of a reference to find more information on this
>topic..

I use all of them myself [Apache/Samba/Composer]. Composer has a real problem. It wants to turn extra dots into underscores. I have html files called "about.mhsc.html" and Composer wants to turn them into "about_mhsc.html". I have to delete the old file and rename the update every time I edit an html file <Grrrr>.

No, Apache has no problems reaching across an NFS mounted file system to get its files.

___________________________________________________
Roeland M.J. Meyer, ISOC (InterNIC RM993)
e-mail: mailto:rmeyer@mhsc.com
Personal web pages: http://www.mhsc.com/~rmeyer
Company web-site: http://www.mhsc.com/
___________________________________________
"The FBI doesn't want to read encrypted documents, they want to read YOUR encrypted documents."

On Sunday, October 12, 1997 3:51 AM, samba@samba.anu.edu.au [SMTP:samba@samba.anu.edu.au] wrote:
> Date: Sun, 12 Oct 1997 03:16:04 -0400 (EDT)
> From: Dave Wreski <dave@nic.com>
> To: samba list <samba@arvidsjaur.anu.edu.au>
> Subject: Admin of users from NT
> Message-ID: <Pine.GSO.3.95q.971012025949.12274E-100000@nic.com>
>
>
> Hi all. I'm running 1.9.17p1 on two Linux boxes, each having three shares
> available to a group of NT 3.51 and 4.0 workstation SP3/5 boxes. Also one
> of the NT boxes is sharing a printer and three local shares. There is no
> NT server available on the network.
>
> My users have some unexpected complaints that I hoped someone could help
> me with.
>
> 1. Three shares per machine is becoming too many to manage. The users
> get confused as to which drive letter goes to which machine/share. Is
> there a better way to define how the drives and shares are laid out, so
> it's easier from a user perspective?
>
> 3. Is there a way to manage the list of users that are on each machine,
> rather than modifying the Linux box directly? Is it possible to have a
> common place to store the list of users that will be using the shares? In
> other words, the user has to log into his local machine, then use the
> file manager to connect to the share, and also specify the username that he
> will be connecting as. It then prompts him for a passwd.
>
> How can I have the user simply log into the local NT box, and
> automagically be allowed to connect to the remote linux shares, and not
> have to specify a password?
>
> I tried working with the netlogon scripts, but I could not get it working.
> Is this the proper method to define drive mappings when the user logs in?
> Would I be better off creating a login script for each user on the local
> machines, that defines which shares the user can connect to, and which
> drive it maps to? Possibly someone could provide an example?

First compile and install your SMB server using DES encryption. Then on the main SMB server (one of your Linux machines) set up a SMB password file for your users using the same username and password as the NT workstations. Then modify the smb.conf files.

On the main SMB Server put the following in this smb.conf file.

    [global]
    encrypt passwords = yes
    security = user

On the rest of the SMB servers have the following.

    [global]
    security = server
    password server = mainSMBservername

Now when the user maps the share if he selects reconnect at logon the share will automatically reconnect when the user logs on again.

>
> 3. Continuing with the last question, is it possible to have a central
> machine that contains all usernames? It seems one user can log in to
> different machines in the office, so I must provide login IDs for each
> user at each of the 15 or so machines.. This is very time consuming, and
> passwords need to be changed at each station. Is this the purpose of NT
> server?

Yes it is one of the purposes of an NT server.

>
> 4. Does anyone have any experience with Apache and samba? It seems the
> users are having problems using Composer, and 'Publishing' the documents
> to the web server. I don't have all the details at this point, but I
> hoped someone might know of a reference to find more information on this
> topic..
>
>
>
> I'm really looking forward to any ideas you might have.
>
> Thanks,
> Dave Wreski
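
Added example, not part of any post in this thread: a small Python check that reads an smb.conf and flags the "security = server" with "password server = %m" combination from John Blair's reply, where each connecting machine validates its own users, while leaving the named-password-server layout from the last reply unflagged. The function names, finding labels and sample configurations are constructed for illustration, and the 192.0.2. prefix is a placeholder address range.

```python
import re

def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {parameter: value}}, names lowercased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":            # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            # parameter names ignore case and repeated spaces
            current[" ".join(name.lower().split())] = value.strip()
    return sections

def audit_password_server(text):
    """Return finding labels for how [global] delegates password checks."""
    g = parse_smb_conf(text).get("global", {})
    if g.get("security", "").lower() != "server":
        return []                                   # passwords are checked locally
    findings = []
    if "%m" in g.get("password server", ""):
        # %m expands to the connecting client's name, so the client vouches for itself
        findings.append("client-validates-itself")
        if g.get("hosts allow") or g.get("allow hosts"):
            findings.append("address-filter-is-only-barrier")
        else:
            findings.append("no-address-restriction")
    return findings

# Constructed sample configurations (hypothetical values).
SELF_VALIDATING = """
[global]
   security = server
   password server = %m
   hosts allow = 192.0.2.
"""
NAMED_SERVER = """
[global]
   security = server
   password server = mainSMBservername
"""
LOCAL_USERS = """
[global]
   encrypt passwords = yes
   security = user
"""

if __name__ == "__main__":
    for label, conf in [("self-validating", SELF_VALIDATING),
                        ("named server", NAMED_SERVER),
                        ("local users", LOCAL_USERS)]:
        print(label, audit_password_server(conf))
```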