Tim Holmes
2005-Feb-22 16:32 UTC
[Samba] Samba Best Practices -- Integration with Active Directory
Good Morning Everyone:

This question is a bit different from the run of the mill -- HELP ME I GOT TROUBLE questions here on the list, however I am interested in getting this situation working correctly and also need to understand the basis behind the process so that I can implement it properly and extend it as necessary.

First off -- Some Background

I am running a 150 station LAN where all the workstations are Windows XP Pro SP2 -- Fully patched. The Domain Controller, Exchange Server, and Content Filter (Websense) are all Windows Server 2003 standard (updated and fully patched). The AntiVirus Server (Panda) is an XP SP2 Box. The 2 Webservers (production and development) are Fedora Core 2, as is the File Server, and Database server (MySQL). All have been fully updated with yum in the last week or so.

Currently the 2 Webservers and the File server have samba set up on them. This is to facilitate file movement between them and the rest of the network. At the present time to allow access to the samba boxes I create a user account for the person in Linux, then create a samba account, and feed it their Windows password using the system-config-samba program. Once this is done, they can access the shares without any need for typing usernames and passwords, which is great, but to my way of thinking that is a lot of steps to go through.

My question is as follows:

Is this the proper / best way to have the integration set up, or is there a better way? From where I sit, and in a perfect world, when a user tried to access a samba share, the samba server would query the domain controller for authentication and process it, similar to accessing a share on one of the Windows boxes. I would like to move all my user accounts' home directories to the file server, but I don't want to take the time to input all the usernames/passwords, and then have the problem that every time someone changes their Windows password, they lose their samba access.

If you have suggestions for reading, or ideas or other helpful hints, I would be greatly appreciative. The resources that I have read on the net are at best confusing. Also I am fairly new to Linux, and although I am learning, it is going to take me a while to get all the ins and outs of the system nailed down, so I may need some procedural help to get things working smoothly.

Thank you so much for your time and assistance

Tim Holmes
IT Manager / Webmaster
Medina Christian Academy
A Higher Standard...

Jeremiah 33:3
Jeremiah 29:11
Esther 4:14
Christian Merrill
2005-Feb-22 16:37 UTC
[Samba] Samba Best Practices -- Integration with Active Directory
If your DC is running in Mixed Mode then you should be able to rather easily change your samba security to domain (security = domain), and specify your password server (password server = x.x.x.x). At this point you should be able to create matching Linux system accounts as placeholders for setting permissions etc., and when users from Windows clients attempt to access Samba resources the Samba server will query the DC for authentication. You can get more advanced in regard to using Winbind, but this is probably the simplest approach.

If your DC is running in Native Mode then you will need to involve Kerberos, which is a little bit more painful. The samba how-to's have very good directions for all of this.

Christian
Mark Irving
2005-Feb-22 17:03 UTC
[Samba] Samba Best Practices -- Integration with Active Directory
Way too much trouble maintaining two sets of passwords. I have a similar setup and use Samba in ADS mode with winbind. This way I don't have to create new accounts on the fileserver nor have to keep up with any kind of password synching. More secure too since you don't have passwords floating around and also because one tends to have a never or rarely changing password policy since it is so much trouble. About the only thing that I have to fiddle with some is the permissions on the file server.

Also I am curious why you are running Websense on a W2K3 server. IMO Squid and Dansguardian do a much better job of filtering, you don't have to have a beefy machine (mine is a P3-800MHz/512M RAM), and you don't have to pay the yearly fees either. It also gives you the ability to quite easily have a backup server on another machine in case your main one is down.

Mark Irving
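The two setups described in the replies above (security = domain with a password server, and ADS mode with winbind), as an added smb.conf sketch that is not from any poster in the thread. EXAMPLE, EXAMPLE.LOCAL, the idmap ranges and the template settings are constructed placeholders; parameter names are those of Samba 3.0.x.

```ini
# smb.conf [global] sketches. Use ONE variant per server.
# EXAMPLE, EXAMPLE.LOCAL and the idmap ranges are constructed placeholders.

# --- Variant A: domain member, NT4-style authentication (security = domain)
[global]
    workgroup = EXAMPLE
    security = domain
    # Address of the DC; left as x.x.x.x in the reply
    password server = x.x.x.x
    encrypt passwords = yes
# Join once as a domain admin:   net rpc join -U Administrator
# Each user still needs a matching local Linux account as a placeholder
# so that file ownership and permissions can be set.

# --- Variant B: Active Directory member with winbind (security = ads)
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    security = ads
    encrypt passwords = yes
    # winbind allocates Unix uid/gid numbers for domain users from these ranges
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind use default domain = yes
    template homedir = /home/%U
    # Assumption: file-server-only users get no interactive shell
    template shell = /bin/false
# Also required for variant B:
#   /etc/krb5.conf pointing at the AD realm, clocks in sync with the DC
#   /etc/nsswitch.conf:  passwd: files winbind   and   group: files winbind
#   Join once as a domain admin:  net ads join -U Administrator
# Checks after joining, with winbindd running:
#   wbinfo -t          verifies the machine account trust secret
#   wbinfo -u          lists domain users seen through winbind
#   getent passwd      domain users appear alongside local ones
```

In both variants no Windows password is stored on the Samba server, so a password change on the domain controller takes effect for the shares immediately.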
Tim Evans
2005-Feb-22 18:30 UTC
[Samba] Samba Best Practices -- Integration with Active Directory
On Tue, 22 Feb 2005 11:35:32 -0500, Christian Merrill wrote

> If your DC is running in Mixed Mode then you should be able to
> rather easily change your samba security to domain (security =
> domain), and specify your password server (password server = x.x.x.x)

Does this situation mean samba need/should not be configured to include ADS/Kerberos/winbindd support?

--
Tim Evans, TKEvans.com, Inc. | 5 Chestnut Court
tkevans@tkevans.com | Owings Mills, MD 21117
http://www.tkevans.com/ | 443-394-3864
http://www.come-here.com/News/ |
Denis Vlasenko
2005-Feb-23 11:47 UTC
[Samba] Samba Best Practices -- Integration with Active Directory
On Tuesday 22 February 2005 18:31, Tim Holmes wrote:

In my self-compiled-and-installed Samba 3.0.7 I have tons of docs under SWAT, in particular:

swat/help/Samba-Guide/migration.html

which may be what you want to read first.

--
vda