Re: [LUG] NIS (YP) + Samba ...

 

On Fri, 23 Sep 2011, Mark Evans wrote:

On 23/09/11 16:45, Gordon Henderson wrote:


Bit of an oddity here... Got a small network of Linux servers, all
running NIS and exporting filesystems via NFS - works well.

They now need Win clients to access it, so the obvious answer is Samba.
That's fine, but authentication is the issue - what gives these days?
The last time I did anything non trivial, I arranged samba to
authenticate to the Linux password file (via NIS), which worked really
well, and punters used the same login/password to access shares on
several servers, however it required the clients to have the "enable
plain-text password" registry setting which I understand is deprecated
these days.

Any suggestions? It's really quite some time since I've looked at all
this for anything other than a trivial installation.

The most obvious solution is to use LDAP. Which can hold both everything
the NIS maps do as well as the Windows password hashes and SIDs.

OK. LDAP server..

http://www.howtoforge.com/linux_ldap_authentication

appears to make it relatively easy to use LDAP under Linux, but what about samba..

http://wiki.samba.org/index.php/Samba_&_LDAP

OK, it's a possibility...

The crucial thing is that it honours unix group permissions though...

You might also want to enable "update encrypted" in smb.conf which will
automatically generate the LM and NT hashes. Regardless of if you have
the passdb backend set to either smbpasswd or tdbsam you can use pdbedit
-Lw to extract the hashes and Samba account flags in a form which can be
manipulated into an ldif file.

Life is so easy when you just have NIS to worry about!

The most basic solution I'm thinking of is to have one master samba
password file and simply copy it to the other servers every time I add a
user - crude... What's the magic runes/incantations required to have one

This could also lead to some strange things happening when passwords are
changed.

Sure, but it's manageable, and samba can do a call-back to update the unix password file if someone changes their password - that just screws them for other samba servers :)

samba server as a master and the others authenticating off it?

Punters will be using a mix of XP, Win7 and I heard some mutterings of
Vista too... A lot are using their 'home' laptop, (both in the office and
remotely via VPN), so I'm not sure forcing them into the whole Win
Domain thing is good either, but...

Do you just need access to shares or domain logins too? The latter can
require rather more work.

We just need access to multiple shares on multiple servers. Even if we had to type in a username+password for every share, it would be OK as long as they were the same for every server.

I'm not wedded to NIS - if LDAP can replace that, then fine.

I'm also re-reading all the samba stuff again. An added complication would appear to be that not all the servers are on the same LAN.

Ah well. Looks like some light reading this weekend!

Essentially what's happened is that a little R&D co. I support need to take on more staff and contractors - and 99% of these will be using their own laptops in office &| working from home so the nice tidy little Linux setup has been somewhat disrupted!

Cheers,

Gordon

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
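
The thread mentions turning `pdbedit -Lw` output (smbpasswd format) into an ldif file. The sketch below is an added example, not code from the thread or from the Samba project: it parses such lines and emits `ldapmodify` records that add `sambaSamAccount` attributes to existing entries. The base DN, the domain SID placeholder, the algorithmic RID mapping and the sample accounts are assumptions made for the example.

```python
import re

# Assumptions for this example (none come from the thread): the base DN, the
# domain SID placeholder, and Samba's legacy algorithmic RID (uid * 2 + 1000).
BASE_DN = "ou=People,dc=example,dc=org"
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
HEX32 = re.compile(r"[0-9A-Fa-f]{32}")

# Constructed sample in smbpasswd format; the hashes are made-up hex.
SAMPLE = [
    "alice:1001:FEDCBA9876543210FEDCBA9876543210:"
    "0123456789ABCDEF0123456789ABCDEF:[U          ]:LCT-4E7C9A10:",
    "bob:1002:" + "X" * 32 + ":" + "X" * 32 + ":[DU         ]:LCT-00000000:",
]

def parse_line(line):
    """Parse one smbpasswd-format line into a dict."""
    fields = line.strip().split(":")
    if len(fields) < 6 or not fields[1].isdigit():
        raise ValueError("not an smbpasswd-format line: %r" % line)
    user, uid, lm, nt, flags, lct = fields[:6]
    return {
        "user": user, "uid": int(uid), "flags": flags,
        # Non-hex fields (all X, "NO PASSWORD...") mean no usable hash.
        "lm": lm.upper() if HEX32.fullmatch(lm) else None,
        "nt": nt.upper() if HEX32.fullmatch(nt) else None,
        "last_set": int(lct[4:], 16) if lct.startswith("LCT-") else None,
    }

def to_ldif(acct, include_lm=False):
    """Build an ldapmodify record extending an existing posixAccount entry."""
    attrs = [("objectClass", "sambaSamAccount"),
             ("sambaSID", "%s-%d" % (DOMAIN_SID, acct["uid"] * 2 + 1000)),
             ("sambaAcctFlags", acct["flags"])]
    if acct["nt"]:
        attrs.append(("sambaNTPassword", acct["nt"]))
    # LM hashes are weak, so this example leaves them out unless asked.
    if include_lm and acct["lm"]:
        attrs.append(("sambaLMPassword", acct["lm"]))
    if acct["last_set"]:
        attrs.append(("sambaPwdLastSet", str(acct["last_set"])))
    head = "dn: uid=%s,%s\nchangetype: modify\n" % (acct["user"], BASE_DN)
    # Every modification in an LDIF change record ends with a "-" line.
    return head + "".join("add: %s\n%s: %s\n-\n" % (k, k, v) for k, v in attrs)

if __name__ == "__main__":
    for line in SAMPLE:
        print(to_ldif(parse_line(line)))
```

The generated records carry password-equivalent hashes, so the ldif file needs the same file permissions and handling as the smbpasswd or tdbsam database it came from.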