From: Buchan Milne (bgmilnecae.co.za)
Date: Wed Dec 31 1997 - 17:02:09 CST


    Hi,

    The more conventional way of syncing windows passwords (and thus samba
    passwords, if you use encrypted passwords) is to set up a PDC.

    We run a network of about mainly windows NT clients, with 3 linux
    servers.

    1) PDC
    We have a samba PDC, which also does most of the fileserving and
    backups.

    2) Printserver
    The printserver is joined to the domain, and handles all printing
    (cups/samba), and file serving for the intranet page it hosts.

    3) Mail/web/proxy
    We have postfix running as MTA, use wu-imap for imap/pop, squid
    (authenticating off the PDC) for proxy, with samba for fileserving for
    editing the webpage and for sending popups when mail arrives.

    Samba has the "unix password sync" option (which we currently don't use)
    which would allow samba to change your unix password when you change
    your samba password. Since the windows clients are in the domain, users
    can change their passwords from windows (under NT, hit CTRL-ALT-DEL while
    logged in). I don't think this would work without a domain, and you
    can't

    I am currently struggling with pam-smb to get authentication working for
    our imap server from the PDC (any help from pam gurus would be
    appreciated).

    Since only the admins need shell accounts, we don't sync passwords from
    samba, and since we only have a few linux desktop machines, we don't use
    NFS or NIS.

    My one concern currently is that using the windows password for the
    squid proxy means the password is in cleartext. Since we are on a
    switched network, though, this shouldn't be a problem if we can ensure
    that no one runs packet sniffers. Since NT isn't really multi-user, this
    means not allowing shell accounts on the linux boxes, which we don't.

    I still need to investigate the IMAP server; I think we are using
    cleartext currently, and probably need to ssl-wrap the imap server
    (outlook, outlook express and netscape can handle this apparently).

    Buchan

    Homer Shimpsian wrote:
    >
    > Can anyone discuss the proper way to do passwords using multiple Linux
    > servers, Samba and Postfix with Linux and Win9x/NT clients.
    >
    > Right now I create a user account on the server, then do the Samba with
    > "smbpasswd -a username" then I go into my NIS/yp stuff and do a "make" to
    > push the account across all the servers.
    >
    > Some concerns are:
    >
    > 1. We'd like to have users change their network password using the Samba
    > admin tool.. then run a script that could push that new password out via
    > NIS make to all the servers. Any ideas?
    >
    > 2. It would be nice if passwords were stored in only one place, right?
    > Instead of locally, in the yp, and smbpasswd.

    -- 
    |----------------Registered Linux User #182071-----------------|
    Buchan Milne                Mechanical Engineer, Network Manager
    Cellphone * Work               +27 82 472 2231 * +27 21 808 2497
    Stellenbosch Automotive Engineering         http://www.cae.co.za
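
The "unix password sync" option mentioned in the message depends on two companion smb.conf parameters, "passwd program" and "passwd chat". The sketch below is an added example, not part of the original message or of Samba itself: it audits a constructed [global] section for the prerequisites the smb.conf manual states (smbd runs the passwd program as root, so it must be an absolute path). The function name and sample values are assumptions made for illustration.

```python
import configparser

# Constructed smb.conf fragment for illustration (not from the original post).
SAMPLE_SMB_CONF = r"""
[global]
workgroup = EXAMPLE
encrypt passwords = yes
unix password sync = yes
passwd program = passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *updated*
"""

ENABLED = {"yes", "true", "1"}  # boolean spellings smb.conf accepts for "on"


def audit_password_sync(conf_text):
    """Return findings for the [global] password settings discussed above."""
    # interpolation=None: smb.conf uses % for its own substitutions (%u, %n).
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(conf_text)
    opts = dict(parser["global"]) if parser.has_section("global") else {}
    findings = []

    if opts.get("encrypt passwords", "").lower() == "no":
        findings.append("encrypt passwords = no: clients must send plaintext passwords")

    if opts.get("unix password sync", "no").lower() not in ENABLED:
        return findings  # sync is off, so the remaining checks do not apply

    program = opts.get("passwd program", "")
    if not program:
        findings.append("unix password sync is on but passwd program is not set")
    else:
        if not program.startswith("/"):
            findings.append("passwd program must be an absolute path (smbd runs it as root)")
        if "%u" not in program:
            findings.append("passwd program lacks %u, so no user name is passed to it")

    if "%n" not in opts.get("passwd chat", ""):
        findings.append("passwd chat never sends %n (the new password)")
    return findings


if __name__ == "__main__":
    for finding in audit_password_sync(SAMPLE_SMB_CONF):
        print("FINDING:", finding)
```

The constructed sample deliberately uses a relative "passwd program" so the audit reports one finding; changing it to /usr/bin/passwd %u clears it.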