We have a Windows 2000 server with Terminal Services. It is an Active Directory master server for a microscopic network comprising itself and one Windows 2000 Workstation client. It is part of a network consisting of Unix machines: several Solaris 8 systems, a handful of Linux boxes, and a Mac OS X workstation. User authentication and other login information on this network is provided by NIS running on Solaris - but see below. Some of the Unix boxes are running Samba 3 to share files to Windows workstations.

The services the W2K server provides are: file sharing to Windows workstations (these live in a different Active Directory domain); Windows applications for Unix users via Terminal Services and rdesktop; and authentication for the Samba servers. User NIS password changes are reflected from the Unix systems to W2K using Microsoft's Services for Unix (in particular, MS provides a PAM module that sends password changes to the W2K server), so using W2K for authentication allows users to use their NIS passwords when connecting to Samba, rather than some Samba-only password.

Our goal in life is to get rid of the W2K system. We don't want to be in the business of W2K server sysadmin, and the box running it is old and takes up a lot of space and energy. This would mean moving its files to a new Samba server.

Is there a straightforward way to get the new server, as well as the existing ones, to authenticate in such a way that its passwords can be identical with the NIS/Unix passwords? Does this require some kind of Kerberos/LDAP infrastructure we do not now use? How would this be set up? I have read several documents, but it seems to me that:

1. Samba can authenticate with PAM, but this uses cleartext passwords.
2. Samba can authenticate from its own LDAP or file password database, but there is no obvious way to keep this synchronized with Unix passwords.
3. We could set up a Kerberos system, but I do not see any way of making Samba refer to Kerberos for password authentication.

Any suggestions, please?
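The protocol reason behind points 1 and 2 above, as an added example that is not part of this thread: NTLM challenge/response is keyed by the NT hash, MD4 over the UTF-16LE password, so an SMB server can only verify a Windows client without seeing the cleartext if it already holds that hash. A crypt(3) hash from NIS or /etc/shadow cannot be turned into an NT hash, which is why Samba either needs the cleartext (PAM, "encrypt passwords = no") or its own hash store (smbpasswd/ldapsam) that has to be kept in step with the Unix password. The code below is illustrative only: the MD4 is a pure-Python RFC 1320 implementation (so it does not depend on OpenSSL's legacy provider), the NTLMv2 computation follows MS-NLMP, and the server challenge and client blob in `demo()` are constructed constants standing in for the random values a real exchange would use.

```python
"""Why an SMB server needs the NT hash (or the cleartext) to check a password.

Example code, not Samba's own.  MD4 per RFC 1320; NTLMv2 per MS-NLMP 3.3.2.
"""
import hmac
import struct
from hashlib import md5

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def _md4_block(state, block):
    X = struct.unpack("<16I", block)
    v = list(state)
    # (round function, additive constant, message-word order, shift schedule)
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for f, k, order, shifts in rounds:
        for i in range(16):
            t = (-i) % 4  # register updated this step: a, d, c, b, a, ...
            x, y, z = v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
            v[t] = _rotl((v[t] + f(x, y, z) + X[order[i]] + k) & _MASK, shifts[i % 4])
    return tuple((s + w) & _MASK for s, w in zip(state, v))


def md4(data: bytes) -> bytes:
    state = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
    bit_len = len(data) * 8
    # Pad to 56 mod 64, then append the 64-bit little-endian bit length.
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    for off in range(0, len(data), 64):
        state = _md4_block(state, data[off:off + 64])
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: what smbpasswd / sambaNTPassword store.  Not derivable from crypt(3)."""
    return md4(password.encode("utf-16le"))


def ntowfv2(nt: bytes, user: str, domain: str) -> bytes:
    return hmac.new(nt, (user.upper() + domain).encode("utf-16le"), md5).digest()


def ntlmv2_response(nt, user, domain, server_challenge, client_blob):
    """Client side: NTProofStr || blob.  The password itself never goes on the wire."""
    proof = hmac.new(ntowfv2(nt, user, domain), server_challenge + client_blob, md5).digest()
    return proof + client_blob


def verify_ntlmv2(stored_nt, user, domain, server_challenge, response):
    """Server side: recompute the proof from the stored NT hash and compare."""
    proof, blob = response[:16], response[16:]
    expected = hmac.new(ntowfv2(stored_nt, user, domain), server_challenge + blob, md5).digest()
    return hmac.compare_digest(proof, expected)


def demo(password="password", user="alice", domain="EXAMPLE"):
    """Constructed exchange (assumption: fixed challenge and blob instead of random ones).
    Returns (verified with the right NT hash, verified with a stale/wrong NT hash)."""
    server_challenge = bytes(range(8))
    client_blob = b"\x01\x01" + b"\x00" * 26  # NTLMv2_CLIENT_CHALLENGE header, zeroed fields
    resp = ntlmv2_response(nt_hash(password), user, domain, server_challenge, client_blob)
    good = verify_ntlmv2(nt_hash(password), user, domain, server_challenge, resp)
    stale = verify_ntlmv2(nt_hash("Password"), user, domain, server_challenge, resp)
    return good, stale


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("verify (current hash, stale hash):", demo())
```

The second value returned by `demo()` is the synchronisation problem in miniature: once the Unix password changes, a Samba hash store that was not updated rejects the user, so any replacement for the W2K box has to carry the NT hash along with every password change (Samba's `unix password sync` / `ldap passwd sync` options exist for exactly this) rather than relying on the crypt(3) hash NIS already holds.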
Michael Urban wrote:

> We have a Windows 2000 server with Terminal Services. It is an Active Directory master server for a microscopic network comprising itself and one Windows 2000 Workstation client. It is part of a network consisting of Unix machines: several Solaris 8 systems, a handful of Linux boxes, and a Mac OS X workstation. User authentication and other login information on this network is provided by NIS running on Solaris - but see below. Some of the Unix boxes are running Samba 3 to share files to Windows workstations.
>
> The services the W2K server provides are: file sharing to Windows workstations (these live in a different Active Directory domain); Windows applications for Unix users via Terminal Services and rdesktop; and authentication for the Samba servers. User NIS password changes are reflected from the Unix systems to W2K using Microsoft's Services for Unix (in particular, MS provides a PAM module that sends password changes to the W2K server), so using W2K for authentication allows users to use their NIS passwords when connecting to Samba, rather than some Samba-only password.
>
> Our goal in life is to get rid of the W2K system. We don't want to be in the business of W2K server sysadmin, and the box running it is old and takes up a lot of space and energy. This would mean moving its files to a new Samba server.
>
> Is there a straightforward way to get the new server, as well as the existing ones, to authenticate in such a way that its passwords can be identical with the NIS/Unix passwords? Does this require some kind of Kerberos/LDAP infrastructure we do not now use? How would this be set up? I have read several documents, but it seems to me that:
>
> 1. Samba can authenticate with PAM, but this uses cleartext passwords.
> 2. Samba can authenticate from its own LDAP or file password database, but there is no obvious way to keep this synchronized with Unix passwords.
> 3. We could set up a Kerberos system, but I do not see any way of making Samba refer to Kerberos for password authentication.
>
> Any suggestions, please?

I recommend sec.miljovern.no/bin/view/Info/HeimdalKerberosSambaAndOpenLdap as a good starting point for understanding the Samba+OpenLDAP+Heimdal interaction. It is true that Samba can't be a Kerberos-enabled AD yet, but your *nix machines should be happy with Heimdal+OpenLDAP instead of the quite outdated and insecure NIS (just my 2c).

Regards,
Geza