samba - Feb 2005 - Samba Best Practices -- Integration with Active Directory

ood Morning Everyone:
 
This question is a bit different from the run of the mill -- HELP ME I
GOT TROUBLE questions here on the list, however I am interested in
getting this situation working correctly and also need to understand the
basis behind the process so that I can implement it properly and extend
it as necessary
 
First off -- Some Background
 
I am running a 150 station lan where all the workstations are Windows XP
Pro SP2 -- Fully patched. The Domain Controller, Exchange Server, and
Content Filter (Websense) are all Windows Server 2003 standard (updated
and fully patched).  The AntiVirus Server (Panda) is An XP SP2 Box.  The
2 Webservers (production and development) are Fedora Core 2, as is the
File Server, and Database server (MySQL).  All have been fully updated
with yum in the last week or so.
 
Currently The 2 Webservers and the File server have samba set up on
them.  This is to facilitate file movement between them and the rest of
the network.  At the present time to allow access to the samba boxes I
create a user account for the person in linux, then create a samba
account, and feed it their windows password using the
system-config-samba program.  Once this is done, they can access the
shares without any need for typing usernames and passwords, which is
great, but to my way of thinking that is a lot of steps to go through. 
 
My question is as follows:
 
Is this the proper / best way to have the integration set up, or is
there a better way.  From where I sit, and in a perfect world, when a
user tried to access a samba share, the samba server would query the
domain controller for authentication and process it, similar to
accessing a share on one of the windows boxes.  I would like to move all
my user accounts home directories to the file server, but I don't want
to take the time to input all the usernames/passwords, and then have the
problem that every time someone changes their windows password, they
loose their samba access.
 
If you have suggestions for reading, or ideas or other helpful hints, I
would be greatly appreciative.  The resources that I have read on the
net are at best confusing.  Also I am fairly new to Linux, and although
I am learning, it is going to take me a while to get all the ins and
outs of the system nailed down, so I may need some procedural help to
get things working smoothly
 
Thank you so much for your time and assistance
 
 
Tim Holmes
 
IT Manager / Webmaster
Medina Christian Academy
A Higher Standard...
 
Jeremiah 33:3
Jeremiah 29:11
Esther 4:14

Tim Holmes wrote:
>ood Morning Everyone:
> 
>This question is a bit different from the run of the mill -- HELP ME I
>GOT TROUBLE questions here on the list, however I am interested in
>getting this situation working correctly and also need to understand the
>basis behind the process so that I can implement it properly and extend
>it as necessary
> 
>First off -- Some Background
> 
>I am running a 150 station lan where all the workstations are Windows XP
>Pro SP2 -- Fully patched. The Domain Controller, Exchange Server, and
>Content Filter (Websense) are all Windows Server 2003 standard (updated
>and fully patched).  The AntiVirus Server (Panda) is An XP SP2 Box.  The
>2 Webservers (production and development) are Fedora Core 2, as is the
>File Server, and Database server (MySQL).  All have been fully updated
>with yum in the last week or so.
> 
>Currently The 2 Webservers and the File server have samba set up on
>them.  This is to facilitate file movement between them and the rest of
>the network.  At the present time to allow access to the samba boxes I
>create a user account for the person in linux, then create a samba
>account, and feed it their windows password using the
>system-config-samba program.  Once this is done, they can access the
>shares without any need for typing usernames and passwords, which is
>great, but to my way of thinking that is a lot of steps to go through. 
> 
>My question is as follows:
> 
>Is this the proper / best way to have the integration set up, or is
>there a better way.  From where I sit, and in a perfect world, when a
>user tried to access a samba share, the samba server would query the
>domain controller for authentication and process it, similar to
>accessing a share on one of the windows boxes.  I would like to move all
>my user accounts home directories to the file server, but I don't want
>to take the time to input all the usernames/passwords, and then have the
>problem that every time someone changes their windows password, they
>loose their samba access.
> 
>If you have suggestions for reading, or ideas or other helpful hints, I
>would be greatly appreciative.  The resources that I have read on the
>net are at best confusing.  Also I am fairly new to Linux, and although
>I am learning, it is going to take me a while to get all the ins and
>outs of the system nailed down, so I may need some procedural help to
>get things working smoothly
> 
>Thank you so much for your time and assistance
> 
> 
>Tim Holmes
> 
>IT Manager / Webmaster
>Medina Christian Academy
>A Higher Standard...
> 
>Jeremiah 33:3
>Jeremiah 29:11
>Esther 4:14
> 
> 
>  
>
If your DC is running in Mixed Mode then you should be able to rather 
easily change your samba security to domain (security = domain), and 
specify your password server (password server = x.x.x.x).  At this point 
you should be able to create matching linux system accounts as 
placeholders for setting permissions etc., and when users from windows 
clients attempt to access Samba resources the Samba server will query 
the DC for authentication.  You can get more advanced in regard to using 
Winbind, but this is probably the simplest approach.

If your DC is running in Native Mode then you will need to involve 
kerberos which is a little bit more painful.  The samba how-to's have 
very good directions for all of this.

Christian

Way too much trouble maintaining two sets of passwords. I have a
similar setup and use Samba in ADS mode with winbind. This way I don't
have to create new accounts on the fileserver nor have to keep up with
any kind of password synching. More secure too since you don't have
passwords floating around and also because one tends to have a never or
rarely changing password policy since it is so much trouble. About the
only thing that I have to fiddle with some is the permissions on the
file server.

Also I am curious why you are running Websense on a W2K3 server. IMO
Squid and Dansguardian do a much better job of filtering, you don't have
to have a beefy machine (mine is a P3-800Mhz/512M RAM), and you don't
have to pay the yearly fees either. It also give you the ability to
quite easily have a backup server on another machine in case your main
one is down.

Mark Irving
> -----Original Message-----
> From: samba-bounces+marki=cumcmemphis.org@lists.samba.org 
> [mailto:samba-bounces+marki=cumcmemphis.org@lists.samba.org] 
> On Behalf Of Tim Holmes
> Sent: Tuesday, February 22, 2005 10:32 AM
> To: samba@lists.samba.org
> Subject: [Samba] Samba Best Practices -- Integration with 
> Active Directory
> 
> ood Morning Everyone:
>  
> This question is a bit different from the run of the mill -- 
> HELP ME I GOT TROUBLE questions here on the list, however I 
> am interested in getting this situation working correctly and 
> also need to understand the basis behind the process so that 
> I can implement it properly and extend it as necessary
>  
> First off -- Some Background
>  
> I am running a 150 station lan where all the workstations are 
> Windows XP Pro SP2 -- Fully patched. The Domain Controller, 
> Exchange Server, and Content Filter (Websense) are all 
> Windows Server 2003 standard (updated and fully patched).  
> The AntiVirus Server (Panda) is An XP SP2 Box.  The
> 2 Webservers (production and development) are Fedora Core 2, 
> as is the File Server, and Database server (MySQL).  All have 
> been fully updated with yum in the last week or so.
>  
> Currently The 2 Webservers and the File server have samba set 
> up on them.  This is to facilitate file movement between them 
> and the rest of the network.  At the present time to allow 
> access to the samba boxes I create a user account for the 
> person in linux, then create a samba account, and feed it 
> their windows password using the system-config-samba program. 
>  Once this is done, they can access the shares without any 
> need for typing usernames and passwords, which is great, but 
> to my way of thinking that is a lot of steps to go through. 
>  
> My question is as follows:
>  
> Is this the proper / best way to have the integration set up, 
> or is there a better way.  From where I sit, and in a perfect 
> world, when a user tried to access a samba share, the samba 
> server would query the domain controller for authentication 
> and process it, similar to accessing a share on one of the 
> windows boxes.  I would like to move all my user accounts 
> home directories to the file server, but I don't want to take 
> the time to input all the usernames/passwords, and then have 
> the problem that every time someone changes their windows 
> password, they loose their samba access.
>  
> If you have suggestions for reading, or ideas or other 
> helpful hints, I would be greatly appreciative.  The 
> resources that I have read on the net are at best confusing.  
> Also I am fairly new to Linux, and although I am learning, it 
> is going to take me a while to get all the ins and outs of 
> the system nailed down, so I may need some procedural help to 
> get things working smoothly
>  
> Thank you so much for your time and assistance
>  
>  
> Tim Holmes
>  
> IT Manager / Webmaster
> Medina Christian Academy
> A Higher Standard...
>  
> Jeremiah 33:3
> Jeremiah 29:11
> Esther 4:14
>  
>  
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba
>

On Tue, 22 Feb 2005 11:35:32 -0500, Christian Merrill wrote
> If your DC is running in Mixed Mode then you should be able to 
> rather easily change your samba security to domain (security = 
> domain), and specify your password server (password server = x.x.x.x)
Does this situation mean samba need/should not be configured to include
ADS/Kerberos/winbindd support?

--
Tim Evans, TKEvans.com, Inc.    |    5 Chestnut Court
tkevans@tkevans.com             |    Owings Mills, MD 21117
http://www.tkevans.com/         |    443-394-3864
http://www.come-here.com/News/  |

On Tuesday 22 February 2005 18:31, Tim Holmes wrote:

In my self-compiled-and-installed Samba 3.0.7 I have
tons of docs under SWAT, in particular:

swat/help/Samba-Guide/migration.html

which may be what you want to read first.
--
vda