Jorge Silva (Jorge Gomes da Silva)
1997-Dec-04 15:03 UTC
/etc/passwd - Domain Controller Synchronization
Hello,

I don't know much about Samba so forgive me if this is a stupid question.

I'm currently working on a project for a client that relies on Unix machines for their main applications. Access to Unix applications is done through terminal emulation (vt 100) on Windows PCs.

We are implementing a Windows NT network for file and print sharing and to support SMS. One of the goals of the project is to achieve an authentication scheme where username and password are exactly the same on Unix and NT. In this kind of solution if the user changes its password in NT it will also change in Unix (/etc/passwd). We would like to know if this kind of synchronization is possible with Samba (we only need to reflect changes made on NT to Unix, we don't need it to work from Unix to NT).

If you think you can help me please email me your answers directly as I'm not a member of this mailing list.

Thanks in advance.

Jorge.
(Microsoft - Portugal)
Hello Jorge,

Now this is a switch.

I kinda like this - "Microsoft" asking for help. :-)

Seriously though, this is something I have been working on - consistent authentication schemes between the various platforms. It is not reliant on SAMBA per se but what it is reliant on is the SMBlib libraries that Richard Sharpe wrote some time ago.

Ultimately, where I think we are heading is towards Kerberos but for now what I have been doing is changing the various Unix daemons to support authentication by not only the native UNIX schemes (/etc/passwd, NIS, etc) but also by a NT server and domain controller (it will probably authenticate to any type of server really - Win 95 included but I haven't tried that).

To date, what I currently have is mail daemons - pop 2, pop 3 and imap daemons for mail which will attempt to authenticate by querying a NT server or a NT domain controller (note that there still has to be a UNIX account to map to but it can have a non-matchable password - usually a "*" in /etc/passwd or /etc/shadow which prevents normal logins to the account).

This means, when a user changes their "domain" logon password, their POP and IMAP passwords also "automatically" change as well.

Note that this is just a "hack" made to the 'Washington University imap, pop 2 and pop 3' but isn't released by them so if you go asking for their help on changes that I made to their stuff, they will probably tell you to "bugger off".

What I currently have in the works is a replacement 'login' which actually handles the user login and a 'ftp' daemon which will do likewise but they are not finished (same rules again - you need a UNIX account to map to but that is about it).

... actually to be honest the 'login' was finished some time ago but is now being re-written (more correctly tossed - it is now based on the FreeBSD 'login') as the way it was written before was pretty much from scratch, horrible to maintain and generally was a pain in the backside to use. I am not working on the 'login' - that is the job for my partner in crime.

To date, this stuff has been developed on FreeBSD 2.2.2 with the POP and IMAP daemons being currently ported to HP-UX 10.01 and SGI IRIX 5.3 and IRIX 6.2. The 'login' and 'ftpd' replacements will be ported likewise.

... as to completion dates ... Right now I am totally inundated with other work (budgets and the like) so I am not quite sure when I can return to finishing this stuff - probably not within a few weeks anyway so if you want something from me before then I am not sure if I can help you.

Likewise, if you are trying to use a platform other than these I am not sure if I can help you.

Brendon
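Added example, not part of the original thread and not Brendon's code: a check for the account mapping described in the message above, where each Unix account that authenticates against the NT server carries a non-matchable password field such as "*". It assumes classic /etc/passwd plus Linux-style /etc/shadow with an "x" placeholder; the sample files, the user list and all function names are constructed for illustration.

```python
# Added example. PASSWD, SHADOW and DOMAIN_USERS are constructed sample data.
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:*:1001:100:Alice:/home/alice:/bin/sh
bob:x:1002:100:Bob:/home/bob:/bin/sh
carol:x:1003:100:Carol:/home/carol:/bin/sh
dave:aB3kQ9xZ1yW2.:1004:100:Dave:/home/dave:/bin/sh
"""
SHADOW = """\
root:$6$salt$constructedhash:10000:0:99999:7:::
bob:*:10000:0:99999:7:::
carol:$6$salt$constructedhash:10000:0:99999:7:::
"""
# Accounts that are supposed to authenticate against the NT server only.
DOMAIN_USERS = {"alice", "bob", "carol", "dave", "erin"}

def classify(field):
    """Classify one password field from passwd or shadow."""
    if field == "":
        return "empty"           # login possible with no password at all
    if field[0] in "*!":
        return "locked"          # can never equal a crypt() result
    return "local-password"      # a real hash: the Unix password still works

def password_states(passwd_text, shadow_text):
    """Map each Unix user to the state of its effective password field."""
    shadow = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2:
            shadow[parts[0]] = parts[1]
    states = {}
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if line.startswith("#") or len(parts) < 7:
            continue             # skip comments and malformed lines
        user, field = parts[0], parts[1]
        if field == "x":         # assumption: "x" means the hash is in shadow
            states[user] = classify(shadow[user]) if user in shadow else "no-shadow-entry"
        else:
            states[user] = classify(field)
    return states

def unsynced_accounts(domain_users, states):
    """Domain users whose Unix side is missing or not locked with '*'."""
    return sorted((u, states.get(u, "missing")) for u in domain_users
                  if states.get(u, "missing") != "locked")

if __name__ == "__main__":
    for user, state in unsynced_accounts(DOMAIN_USERS, password_states(PASSWD, SHADOW)):
        print(f"{user}: {state}")
```

Accounts it reports either lack the Unix account the mapping needs or keep a Unix password that does not follow NT password changes.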
On Fri, 5 Dec 1997, Jorge Silva (Jorge Gomes da Silva) wrote:

> I'm currently working on a project for a client that relies on Unix machines
> for their main applications. Access to Unix applications is done through
> terminal emulation (vt 100) on Windows PCs.
>
> We are implementing a Windows NT network for file and print sharing and to
> support SMS. One of the goals of the project is to achieve an authentication
> scheme where username and password are exactly the same on Unix and NT.

You will achieve your objective most easily by ditching Windows NT in favour of Linux+samba. It does file and print sharing very well. You will then only have one password system to worry about.

Charlie Brady - Telstra | internet: cbrady@ind.tansu.com.au
Network Products | Snail : Locked Bag 6581, GPO Sydney 2001 Australia
Platform Technologies | Physical : Lvl 2, 175 Liverpool St, Sydney 2000
IN-Sub Unit - Sydney | Phone: +61 2 9206 3470 Fax: +61 2 9281 1301
Luke Kenneth Casson Leighton
1997-Dec-05 14:12 UTC
/etc/passwd - Domain Controller Synchronization
On Fri, 5 Dec 1997, Jorge Silva (Jorge Gomes da Silva) wrote:

> Hello,
>
> I don't know much about Samba so forgive me if this is a stupid question.
>
> I'm currently working on a project for a client that relies on Unix machines
> for their main applications. Access to Unix applications is done through
> terminal emulation (vt 100) on Windows PCs.
>
> We are implementing a Windows NT network for file and print sharing and to
> support SMS. One of the goals of the project is to achieve an authentication
> scheme where username and password are exactly the same on Unix and NT. In
> this kind of solution if the user changes its password in NT it will also
> change in Unix (/etc/passwd). We would like to know if this kind of
> synchronization is possible with Samba (we only need to reflect changes
> made on NT to Unix, we don't need it to work from Unix to NT).
>
> If you think you can help me please email me your answers directly as I'm
> not a member of this mailing list.

hi jorge,

i'm replying to the list as well, for their benefit.

there are two ways to do this.

1) on NT 4.0, use "security = server" in samba: read docs/security_level.txt

2) if possible, install PAM on the unix clients, and install pam_smb 0.6.

3) write a script that calls smbpasswd and passwd (or a shell script or c program that updates /etc/passwd and smbpasswd directly). call the script as the default telnet login to the unix password server.

luke

<a href="mailto:lkcl@switchboard.net" > Luke Kenneth Casson Leighton </a>
<a href="http://mailhost.cb1.com/~lkcl"> Samba Consultancy and Support </a>
Jorge Silva (Jorge Gomes da Silva)
1997-Dec-05 17:44 UTC
/etc/passwd - Domain Controller Synchronization
> -----Original Message-----
> From: Charlie Brady [SMTP:cbrady@ind.tansu.com.au]
> Sent: Friday, December 05, 1997 1:23 AM
> To: Jorge Silva (Jorge Gomes da Silva)
> Cc: Multiple recipients of list
> Subject: Re: /etc/passwd - Domain Controller Synchronization
>
> On Fri, 5 Dec 1997, Jorge Silva (Jorge Gomes da Silva) wrote:
>
> > I'm currently working on a project for a client that relies on Unix machines
> > for their main applications. Access to Unix applications is done through
> > terminal emulation (vt 100) on Windows PCs.
> >
> > We are implementing a Windows NT network for file and print sharing and to
> > support SMS. One of the goals of the project is to achieve an authentication
> > scheme where username and password are exactly the same on Unix and NT.
>
> You will achieve your objective most easily by ditching Windows NT in
> favour of Linux+samba. It does file and print sharing very well. You will
> then only have one password system to worry about.

[Jorge] Since this is a Microsoft project, as you may imagine, that is not an alternative. Would Red Hat say to its customers "Linux? No, do it with NT, it does file and print sharing very well"?

> Charlie Brady - Telstra | internet: cbrady@ind.tansu.com.au
> Network Products | Snail : Locked Bag 6581, GPO Sydney 2001 Australia
> Platform Technologies | Physical : Lvl 2, 175 Liverpool St, Sydney 2000
> IN-Sub Unit - Sydney | Phone: +61 2 9206 3470 Fax: +61 2 9281 1301
Jorge Silva (Jorge Gomes da Silva)
1997-Dec-05 18:02 UTC
/etc/passwd - Domain Controller Synchronization
> -----Original Message-----
> From: Luke Kenneth Casson Leighton [SMTP:lkcl@switchboard.net]
> Sent: Friday, December 05, 1997 2:12 PM
> To: Jorge Silva (Jorge Gomes da Silva)
> Cc: Multiple recipients of list
> Subject: Re: /etc/passwd - Domain Controller Synchronization
>
> On Fri, 5 Dec 1997, Jorge Silva (Jorge Gomes da Silva) wrote:
>

[...Cut...]

> > scheme where username and password are exactly the same on Unix and NT. In
> > this kind of solution if the user changes its password in NT it will also
> > change in Unix (/etc/passwd). We would like to know if this kind of
> > synchronization is possible with Samba (we only need to reflect changes
> > made on NT to Unix, we don't need it to work from Unix to NT).
> >
> > If you think you can help me please email me your answers directly as I'm
> > not a member of this mailing list.
>
> hi jorge,
>
> i'm replying to the list as well, for their benefit.
>
> there are two ways to do this.

[Jorge] Three ways you mean :-)

> 1) on NT 4.0, use "security = server" in samba: read
> docs/security_level.txt

[Jorge] I'm going to check this.

> 2) if possible, install PAM on the unix clients, and install pam_smb 0.6.

[Jorge] Last night I was reading an article about PAM in Linux Journal (December issue) and that seemed to be an excellent solution for the problem. However I don't know if HP-UX (which is the Unix the customer is using) supports PAM (or a similar approach) so I'll have to call HP and ask them.

> 3) write a script that calls smbpasswd and passwd (or a shell
> script or c program that updates /etc/passwd and smbpasswd directly).
> call the script as the default telnet login to the unix password server.

[Jorge] I have some experience with C and Shell programming in Unix but I don't think I know how to do this. Thanks for your help.

> luke
>
> <a href="mailto:lkcl@switchboard.net" > Luke Kenneth Casson Leighton </a>
> <a href="http://mailhost.cb1.com/~lkcl"> Samba Consultancy and Support </a>
Jorge Silva (Jorge Gomes da Silva)
1997-Dec-05 18:36 UTC
/etc/passwd - Domain Controller Synchronization
> -----Original Message-----
> From: Brendon Meyer [SMTP:Brendon_Meyer@fmi.com]
> Sent: Thursday, December 04, 1997 10:43 PM
> To: Jorge Silva (Jorge Gomes da Silva); samba@samba.anu.edu.au
> Subject: /etc/passwd - Domain Controller Synchronization
>
> Hello Jorge,
>
> Now this is a switch.
>
> I kinda like this - "Microsoft" asking for help.
> :-)

[Jorge] Well, it's true that I work for Microsoft but I wouldn't say I'm "Microsoft" (I should have included some kind of disclaimer. I hope I won't get fired for this). ;-)

> Seriously though, this is something I have been
> working on - consistent authentication schemes
> between the various platforms. It is not reliant
> on SAMBA per se but what it is reliant on is
> the SMBlib libraries that Richard Sharpe wrote
> some time ago.
>
> Ultimately, where I think we are heading is
> towards Kerberos but for now what I have been
> doing is changing the various Unix daemons to
> support authentication by not only the native UNIX
> schemes (/etc/passwd, NIS, etc) but also by a NT
> server and domain controller (it will probably
> authenticate to any type of server really - Win 95
> included but I haven't tried that).

[Jorge] Isn't this similar to the use of PAMs?

> To date, what I currently have is mail daemons -
> pop 2, pop 3 and imap daemons for mail which will
> attempt to authenticate by querying a NT server or
> a NT domain controller (note that there still has
> to be a UNIX account to map to but it can have a
> non-matchable password - usually a "*" in
> /etc/passwd or /etc/shadow which prevents normal
> logins to the account).
>
> This means, when a user changes their "domain"
> logon password, their POP and IMAP passwords also
> "automatically" change as well.
>
> Note that this is just a "hack" made to the
> 'Washington University imap, pop 2 and pop 3' but
> isn't released by them so if you go asking for
> their help on changes that I made to their stuff,
> they will probably tell you to "bugger off".
>
> What I currently have in the works is a
> replacement 'login' which actually handles the
> user login and a 'ftp' daemon which will do
> likewise but they are not finished (same rules
> again - you need a UNIX account to map to but that
> is about it).
>
> ... actually to be honest the 'login' was finished
> some time ago but is now being re-written (more
> correctly tossed - it is now based on the FreeBSD
> 'login') as the way it was written before was
> pretty much from scratch, horrible to maintain and
> generally was a pain in the backside to use. I am
> not working on the 'login' - that is the job for
> my partner in crime.
>
> To date, this stuff has been developed on FreeBSD
> 2.2.2 with the POP and IMAP daemons being
> currently ported to HP-UX 10.01 and SGI IRIX 5.3
> and IRIX 6.2. The 'login' and 'ftpd' replacements
> will be ported likewise.

[Jorge] The login daemon for HP-UX could be useful for this project (the customer is using HP Unix) but for now it's just an idea. We also are investigating other sources for a solution.

> ... as to completion dates ... Right now I am
> totally inundated with other work (budgets and the
> like) so I am not quite sure when I can return to
> finishing this stuff - probably not within a few
> weeks anyway so if you want something from me
> before then I am not sure if I can help you.
>
> Likewise, if you are trying to use a platform
> other than these I am not sure if I can help you.
>

[Jorge] OK. Thank you very much for your answer.

>
> Brendon
>
Luke Kenneth Casson Leighton
1997-Dec-06 15:36 UTC
/etc/passwd - Domain Controller Synchronization
> there are two ways to do this.

> 1)
> 2)
> 3)

... is it optional for programmers to be able to count?
Jorge Silva (Jorge Gomes da Silva)
1997-Dec-09 17:03 UTC
/etc/passwd - Domain Controller Synchronization
Hello,

I'm really sorry for sending this again but I was cleaning up my mailbox and I forgot that all your answers regarding this subject ("/etc/passwd - Domain Controller Synchronization") were still in the Inbox.

If all the people who sent me answers could please forward them again I'd be very thankful, not only because they are technically very relevant but also because I didn't have the time to answer them all.

Thanks again for your help.

Jorge.
Thomas.Hansen.tmh./Copenhagen@manbw.dk
1997-Dec-10 12:24 UTC
/etc/passwd - Domain Controller Synchronization
Hi all.

I know this has been discussed quite some time, but I am still a bit confused:

If you have an encrypted passwd on your unix box, would it be possible to take the "encrypted text" and use it as input for a windows program, which would then update the PDC's registry. If yes, does anyone know of a "commercial" util.

If not, is it then because the encryption method isn't the same?

Best regards

Thomas Hansen
MAN B&W Diesel A/S
On 04-Dec-97 Jorge Silva (Jorge Gomes da Silva) wrote:

>Hello,
>
>I don't know much about Samba so forgive me if this is a stupid question.
>
>I'm currently working on a project for a client that relies on Unix machines
>for their main applications. Access to Unix applications is done through
>terminal emulation (vt 100) on Windows PCs.
>
>We are implementing a Windows NT network for file and print sharing and to
>support SMS. One of the goals of the project is to achieve an authentication
>scheme where username and password are exactly the same on Unix and NT. In
>this kind of solution if the user changes its password in NT it will also
>change in Unix (/etc/passwd). We would like to know if this kind of
>synchronization is possible with Samba (we only need to reflect changes
>made on NT to Unix, we don't need it to work from Unix to NT).
>

Two ways I can think of off hand:

- Use cygnus' Kerbnet and Kerberos authentication on HP/UX, and set up a (NT or UNIX) bastion with authentication info there, or

- Use NISGINA and do all authentication by NIS. This would be a bit of a hack however, and I imagine SMS might barf at this.

Pat Caldon | patc@acl.archaeology.usyd.edu.au
Systems Administrator, Archaeological Computing Laboratory,
Archaeology, Prehistoric and Historical, University of Sydney
Thomas.Hansen.tmh./Copenhagen@manbw.dk
1997-Dec-23 14:33 UTC
/etc/passwd - Domain Controller Synchronization
On Wed, 10 Dec 1997 Thomas.Hansen.tmh./Copenhagen@manbw.dk wrote:

> Hi all.
>
> I know this has been discussed quite some time, but I am still a bit
> confused:
>
> If you have an encrypted passwd on your unix box, would it be possible to
> take the "encrypted text" and use it as input for a windows program,
> which would then update the PDC's registry. If yes, does anyone know of
> a "commercial" util.
>

>Luke Wrote:
>yes. there is a utility with the NT server distribution which is
>equivalent to the pwdump program. i believe it's in the netutil
>directory.
>luke

I cannot find what you are talking about: If you have the util, just email it to me, since I have a Microsoft select deal.

Has anyone implemented a password synchronize, where you take your /etc/passwd and use it for input to the PDC, using some kind of pc program?

Happy regards

Thomas