Hi folks!

We are currently using 1.9.16p11 on a DG/UX Intel Aviion machine. We have about 15 client machines which are a mix of Windows 95 and NT4 WS. Recently we have added an NT server for use by the development staff.

We want to move to version 2.x and centralise user authentication. I have read most of the documentation associated with v2.x, but I cannot decide what is the best setup for us. Maybe someone can give me some opinions or at least some pros and cons.

At the moment, the Samba server has all the users defined as Unix users. Everyone also connects to the Unix host via telnet, to access text-based COBOL applications on that machine. However, in this environment, it is a pain to change your password, because we have to do it on the client machine, the Unix host and optionally on the NT server (not running as PDC). As a result, some people have not changed their passwords for several years!!

Now the best solution seems to be to run the Samba server as a PDC and change the clients to "Domain" clients. Then, if the NT server is set up as BDC, everything would be sweet. But everyone seems to be saying that the "security=domain" is *experimental* and should be avoided.

Another solution would be to use the NT server as a PDC and have the Samba machine set up as "security=server". However, I would prefer to keep the users set up on the Unix host, because it regularly stays up for months at a time without crashing or rebooting (wish we could say the same for the NT machine!).

Also, how does password encryption fit into this? Can this be done transparently to the user without on-going maintenance? Again, the docs don't seem to be very clear on this.

Anyway, any comments are welcome. If I get enough I might write up some sort of summary that could get added to the docs.

Thanks in advance.

Cheers,

Duncan Kinnear,
McCarthy and Associates, Email: duncan@McCarthy.co.nz
PO Box 764, McLean Towers, Phone: +64 6 834 3360
Shakespeare Road, Napier, New Zealand. Fax: +64 6 834 3369
-------------------------------------------------------------------------------
Providing Integrated Software to the Meat Processing Industry for over 10 years

On 19 Mar 99, "Duncan Kinnear" <duncanwantsnomorespam@mccarthy.co.nz> had questions about What is best setup for us?

[snip]
> Now the best solution seems to be to run the Samba server as a PDC
> and change the clients to "Domain" clients...
>
> Another solution would be to use the NT server as a PDC and have the Samba
> machine set up as "security=server"...

The latter would probably be more stable than the former (although the same accounts would have to exist on both machines for each user).

> Also, how does password encryption fit into this? Can this be done
> transparently to the user without on-going maintenance? Again, the docs
> don't seem to be very clear on this.

From my experience, encrypted passwords should fit in just fine (do DG machines use shadow passwords?). If you're running with plain text passwords now, just enable the update encrypted option in smb.conf (don't forget to create smbpasswd) to populate the smbpasswd file as each user logs in. And you'll need to delete (or disable) the plaintext reg keys. Or, you could just enable encrypted passwords and force the users to change them ;-)

Sorry, I've only run security=user. Even doing domain logons (with security=user) you would still have to maintain accounts on both machines (and users would need to change 2 passwords to stay in sync). The unix passwd sync option will take care of keeping /etc/passwd and smbpasswd in sync, but only the experimental config (security=domain) will do what you want (assuming a BDC will authenticate to the samba/PDC).

Steve

*************************************************************
Steve Arnold sarnold@earthling.net http://www.rain.org/~sarnold
This message composed of 100% recycled electrons.
You should also recycle yourself. Become an organ donor (8-)@

Duncan Kinnear wrote:
> At the moment, the Samba server has all the users defined as Unix users.
> Everyone also connects to the Unix host via telnet, to access text-based
> COBOL applications on that machine. However, in this environment, it is
> a pain to change your password,

For Windows 3.x and 9x machines, the password change program will happily talk to samba, and update the Unix /etc/passwd file via the "passwd program" and "passwd chat" options of the smb.conf file. That's really because the Windows machines are only keeping local copies of your password, and know that they need to sync with a master server somewhere.

I haven't tried it with NT myself: perhaps someone here will tell us what you have to do to make an NT machine running as a client of a SMB fileserver update its password with its "master".

> Now the best solution seems to be to run the Samba server as a PDC
> and change the clients to "Domain" clients. Then, if the NT server is set
> up as BDC, everything would be sweet. But everyone seems to be
> saying that the "security=domain" is *experimental* and should be
> avoided.

I don't run it as a matter of choice, not because it doesn't work. I use security=server because I'm a Unix bigot!

--dave
--
David Collier-Brown, | Always do right. This will gratify some people
185 Ellerslie Ave., | and astonish the rest. -- Mark Twain
Willowdale, Ontario | http://java.science.yorku.ca/~davecb
Work: (905) 477-0437 Home: (416) 223-8968 Email: davecb@canada.sun.com
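
Added example, not part of the thread and not the Samba project's own configuration: a constructed smb.conf fragment showing the two-phase move to encrypted passwords and the Unix password sync that the replies above describe, for a server running security = user. The smbpasswd path, the passwd program path and the chat script are assumptions to be checked against the local system.

```ini
# Constructed smb.conf fragment (Samba 2.0.x, security = user).
# Paths and the chat script below are assumptions, not values from the thread.

[global]
   security = user

   # Assumed location. The file must already exist, be owned by root and
   # be mode 0600: the hashes stored in it are password-equivalent.
   smb passwd file = /usr/local/samba/private/smbpasswd

   # Phase 1 (migration): clients still send plaintext passwords, and each
   # successful logon records that user's hashes in smbpasswd.
   # Passwords cross the network in the clear during this phase, so keep
   # it as short as possible.
   encrypt passwords = no
   update encrypted = yes

   # Phase 2 (once every user has a populated smbpasswd entry): swap the
   # two values, then remove the plaintext-password registry setting from
   # the Windows clients.
   # encrypt passwords = yes
   # update encrypted = no

   # When a client changes its SMB password, smbd also runs the Unix
   # passwd program as root, so the Unix password and smbpasswd change
   # together. Run as root, passwd does not ask for the old password,
   # which is why the chat script only answers the new-password prompts.
   unix password sync = yes
   passwd program = /bin/passwd %u
   passwd chat = *new*password* %n\n *new*password* %n\n *changed*
```

Running `testparm` against the edited file checks the syntax before smbd is restarted.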