[TriLUG] Samba Question

Roy Vestal rvestal at trilug.org
Mon Mar 10 10:45:49 EST 2003


Problem is, we're not allowed to mod the Windows servers. It has to be fully
from the *NIX end.
----- Original Message -----
From: "Jon Carnes" <jonc at nc.rr.com>
To: "Triangle Linux Users Group" <trilug at trilug.org>
Sent: Sunday, March 09, 2003 6:57 PM
Subject: Re: [TriLUG] Samba Question


> I was just looking at some ADS/Linux integration stuff last week for a
> possible client.  Looks a bit complex, but from what I've read, very
> do-able.
>
> Here are some sites that cover the use of Active Directory for
> authenticating Unix/Linux servers:
>
> ======
> http://www.css-solutions.ca/ad4unix/
>
> Microsoft Active Directory for Unixes
>
> MKSADExtPlugin
>
> MKSADPlugins - is an extension plug-in for the Microsoft Active
> Directory Server, that enable for the UNIX related information to be
> stored in Active Directory.
>
> Primary goal of that solution - create the unified account database for
> Windows and UNIX servers.
>
> Most organizations, that have large user database (relatively large :-),
> for me 300 accounts enough :-)) and have heterogeneous network with
> Windows and UNIX servers, have to maintain and synchronize the user
> accounts databases on both systems. Also, if NIS or similar (like LDAP)
> services is not used for UNIX side, there is problem to synchronize the
> passwd and shadow database on all UNIX computers.
>
> That plug-in could help organize a wide accounts information
> infrastructure that will be used by Windows computers natively (as
> members of Active Directory Domain) and by any UNIX computers, that
> support LDAP access to Name Service Information.
>
>
> Supported platforms now:
>
> - Any platform that supported by PADL NSS-LDAP and PAM-LDAP modules
> Linux, Solaris (read please Documentation section about Solaris8) for
> sure... other - check on PADL web site
> - AIX v.4 and v.5
>
> ======
> http://online.securityfocus.com/infocus/1563
>
> Active Directory and Linux
>  by David Elson
>  last updated April 3, 2002
>
>
>  Introduction
>
>  This article discusses the use of Microsoft's Active Directory as an
> authentication service for Linux systems. Although Linux has a perfectly
> good directory based authentication system (OpenLDAP), it may be
> desirable on some sites to authenticate Linux users against a Microsoft
> Windows 2000 server.
>
> Although this article discusses Linux (because that is the system I have
> available in my office), this authentication mechanism works well
> against other Unix systems that have a PAM/NSS mechanism. Currently that
> includes Solaris, although discussion has taken place on the possibility
> of getting this to work on HP-UX. Since most of the work is done at the
> Windows 2000 end, the instructions for getting this to work on Solaris
> are not too different from what I have described here.
>
> ======
>
> I hope you find the above articles useful. Of course if you can wait
> till the end of Fall before needing the ADS/Linux integration then the
> new Samba tools for ADS should greatly simplify the task!
>
> Jon Carnes
>
> ======
>
> On Sun, 2003-03-09 at 14:38, Roy Vestal wrote:
> > Glad to help. Sorry it took so long to get back to you.
> >
> > BTW, has anyone investigated Samba and Win2k/XP ADS? I just found out we
> > are going ADS come hell or highwater, we're Exchange dependants and
> > without a long discussion because of it, we have to use ADS in order to
> > use Exchange 2002.
> >
> > I'm not asking for comments, snickers or the like on what I am required to
> > use, just anything folks may have run into.
> >
> > TIA.
> >
> > On 27 Feb 2003, Mark Fowle wrote:
> >
> > > I removed all the locks and upgraded to 2.2.7a and it seems to work
> > > better now.  Thanks!
> > >
> > > Mark
> > >
> > > On Thu, 2003-02-27 at 13:21, Roy Vestal wrote:
> > > > One thing that I've run into is the samba locks that occur on the samba
> > > > server.  Shut down the service (both smbd and nmbd) and check
> > > > /var/opt/samba/locks. Usually when I have communication errors, removing the
> > > > temporary locks seems to fix it. Once you've removed them, simply restart
> > > > the services.
> > > > ----- Original Message -----
> > > > From: "Mark Fowle" <mark at thefowles.com>
> > > > To: "trilug" <trilug at trilug.org>
> > > > Sent: Saturday, February 22, 2003 10:57 PM
> > > > Subject: Re: [TriLUG] Samba Question
> > > >
> > > >
> > > > > On Sat, 2003-02-22 at 19:12, Jon Carnes wrote:
> > > > > > What happens when you restart the service on the server (or just the
> > > > > > nmdb)?
> > > > > >
> > > > > I don't see any error messages in the nmdb.log -- but even restarting
> > > > > the nmdb doesn't seem to cure it.
> > > > >
> > > > > > I think this error has something to do with the "ultra secret security"
> > > > > > number that is generated by a PDC for a domain and then shared with
> > > > > > authenticated machines at the point when you authenticate them. If the
> > > > > > server can't access this "ultra secret security" number then it can't
> > > > > > authenticate any other windows (samba) server to the domain, and it
> > > > > > can't add a new server to the domain.
> > > > > >
> > > > > Is this the secrets.tdb ? Is there a way to regenerate this file or some
> > > > > way to find out exactly what's missing without dumping everything and
> > > > > starting over?
> > > > >
> > > > > > A domain has a SAM associated with it that authenticates each machine as
> > > > > > being a member of the domain.  Each server on the domain has an
> > > > > > individual SAM associated with it that authenticates that server's
> > > > > > identity.
> > > > > >
> > > > > Should there also be a SAM account in the smbpasswd ?  I've never seen a
> > > > > reference that says to....
> > > > >
> > > > > Thanks,
> > > > > Mark
> > > > >
> > > > >
> > > > > > _______________________________________________
> > > > > > TriLUG mailing list
> > > > > >     http://www.trilug.org/mailman/listinfo/trilug
> > > > > > TriLUG Organizational FAQ:
> > > > > >     http://www.trilug.org/~lovelace/faq/TriLUG-faq.html
> > > > >
> > > > >
> > > > >
> > > > >
> > > >
> > >
> > >
> > >
> > >
> >
> > --
> > ---------------------------------------
> > Roy Vestal
> > rvestal at trilug.org
> > http://www.trilug.org/~rvestal
> >
> > I'm not a geek, I just play one on tv.
> > ---------------------------------------
> >
>
>
>
>
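As an added example (not code from the thread or from Samba itself), here is the lock-clearing procedure Roy describes above written as a POSIX sh function that refuses to run while smbd/nmbd are still up and moves the volatile lock databases aside rather than deleting them, so secrets.tdb and share_info.tdb are never lost. The default lock directory is the path from the thread; the function names, the file list and the backup location are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. It carries out the lock cleanup
# Roy describes (daemons stopped, temporary lock files cleared, daemons
# restarted) in a safer form: it refuses to run while smbd/nmbd are alive,
# moves the volatile .tdb files into a backup directory instead of deleting
# them, and never touches persistent databases such as secrets.tdb or
# share_info.tdb. Function names, file list and backup path are assumptions.

# Samba 2.2-era lock-directory databases that smbd/nmbd rebuild on start.
VOLATILE_TDBS="brlock.tdb connections.tdb locking.tdb messages.tdb sessionid.tdb unexpected.tdb"

samba_daemons_running() {
    # True (0) if an smbd or nmbd process exists. Uses pgrep when present,
    # otherwise scans /proc on Linux; on other systems it reports "none".
    if command -v pgrep >/dev/null 2>&1; then
        pgrep -x smbd >/dev/null 2>&1 || pgrep -x nmbd >/dev/null 2>&1
        return
    fi
    for c in /proc/[0-9]*/comm; do
        [ -r "$c" ] || continue
        case $(cat "$c" 2>/dev/null) in smbd|nmbd) return 0 ;; esac
    done
    return 1
}

# quarantine_samba_locks [LOCKDIR] [BACKUPDIR]
# Moves the volatile databases aside and prints how many were moved.
# Returns 1 if the daemons are still up, 2 if LOCKDIR does not exist.
quarantine_samba_locks() {
    lockdir=${1:-/var/opt/samba/locks}
    backup=${2:-/var/tmp/samba-locks.$(date +%Y%m%d%H%M%S)}
    if samba_daemons_running; then
        echo "smbd/nmbd still running: stop them before clearing locks" >&2
        return 1
    fi
    if [ ! -d "$lockdir" ]; then
        echo "lock directory not found: $lockdir" >&2
        return 2
    fi
    mkdir -p "$backup" || return 3
    moved=0
    for f in $VOLATILE_TDBS; do
        if [ -e "$lockdir/$f" ]; then
            mv "$lockdir/$f" "$backup/" && moved=$((moved + 1))
        fi
    done
    echo "$moved"
    # Restart smbd/nmbd with your platform's init script; delete the backup later.
}
```

Run it as `quarantine_samba_locks` after stopping both daemons; the count it prints tells you whether any stale lock files were actually present.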