Michael Urban wrote:
>We have a Windows 2000 server with Terminal Services. It is an Active
>Directory master server for a microscopic network comprising itself and
>one Windows 2000 Workstation client. It is part of a network
>consisting of Unix machines: several Solaris 8 systems, a handful of
>Linux boxes, and a Mac OS X workstation. User authentication and other
>login information on this network is provided by NIS running on Solaris
>- but see below. Some of the Unix boxes are running Samba 3 to share
>files to Windows workstations.
>
>The services the W2K server provides are: file sharing to Windows
>workstations (these live in a different Active Directory domain);
>Windows applications for Unix users via Terminal Services and rdesktop;
>and authentication for the Samba servers. User NIS password changes
>are reflected from the Unix systems to W2K using Microsoft's services
>for Unix (in particular, MS provides a PAM module that sends password
>changes to the W2K server), so using W2K for authentication allows
>users to use their NIS passwords when connecting to Samba, rather than
>some Samba-only password.
>
>Our goal in life is to get rid of the W2K system. We don't want to be
>in the business of W2K server sysadmin, and the box running it is old
>and takes up a lot of space and energy. This would mean moving its
>files to a new Samba server.
>
>Is there a straightforward way to get the new server, as well as the
>existing ones, to authenticate in such a way that its passwords
>can be identical with the NIS/Unix passwords? Does this require
>some kind of Kerberos/LDAP infrastructure we do not now use? How
>would this be set up? I have read several documents, but it seems to
>me that:
>
>1. Samba can authenticate with PAM, but this uses cleartext passwords.
>2. Samba can authenticate from its own LDAP or file password database,
> but there is no obvious way to keep this synchronized with Unix passwords.
>3. We could set up a Kerberos system, but I do not see any way of
> making Samba refer to Kerberos for password authentication.
>
>Any suggestions, please?
>
>
>
I recommend
https://sec.miljovern.no/bin/view/Info/HeimdalKerberosSambaAndOpenLdap
as a good starting point for understanding the Samba+OpenLDAP+Heimdal
interaction.
It is true that Samba can't be a Kerberos-enabled AD yet, but your *nix
machines should be happy with Heimdal+OpenLDAP instead of the quite
outdated and insecure NIS (just my 2c).
Regards
Geza