[TriLUG] Samba Question

Jon Carnes jonc at nc.rr.com
Mon Mar 10 11:18:41 EST 2003


Can the Unix guys bring up their own Windows box? ;-)

All you need is a conduit to get the ADS info into LDAP. Since only
Windows currently talks to ADS you have to do it via a Windows server
(which brings up the point: what the f**k use is an
authentication/directory protocol that doesn't work on all your key
servers?)

Looks like you will be waiting for the Samba group!

Take care - Jon
  
On Mon, 2003-03-10 at 10:45, Roy Vestal wrote:
> Problem is, we're not allowed to mod the Windows servers. It has to be fully
> from the *NIX end.
> ----- Original Message -----
> From: "Jon Carnes" <jonc at nc.rr.com>
> To: "Triangle Linux Users Group" <trilug at trilug.org>
> Sent: Sunday, March 09, 2003 6:57 PM
> Subject: Re: [TriLUG] Samba Question
> 
> 
> > I was just looking at some ADS/Linux integration stuff last week for a
> > possible client.  Looks a bit complex, but from what I've read, very
> > do-able.
> >
> > Here are some sites that cover the use of Active Directory for
> > authenticating Unix/Linux servers:
> >
> > ======
> > http://www.css-solutions.ca/ad4unix/
> >
> > Microsoft Active Directory for Unixes
> >
> > MKSADExtPlugin
> >
> > MKSADPlugins - is an extension plug-in for the Microsoft Active
> > Directory Server, that enable for the UNIX related information to be
> > stored in Active Directory.
> >
> > Primary goal of that solution - create the unified account database for
> > Windows and UNIX servers.
> >
> > Most organizations, that have large user database (relatively large :-),
> > for me 300 accounts enough :-)) and have heterogeneous network with
> > Windows and UNIX servers, have to maintain and synchronize the user
> > accounts databases on both systems. Also, if NIS or similar (like LDAP)
> > services is not used for UNIX side, there is problem to synchronize the
> > passwd and shadow database on all UNIX computers.
> >
> > That plug-in could help organize a wide accounts information
> > infrastructure that will be used by Windows computers natively (as
> > members of Active Directory Domain) and by any UNIX computers, that
> > support LDAP access to Name Service Information.
> >
> >
> > Supported platforms now:
> >
> > - Any platform that supported by PADL NSS-LDAP and PAM-LDAP modules
> > Linux, Solaris (read please Documentation section about Solaris8) for
> > sure... other - check on PADL web site
> > - AIX v.4 and v.5
> >
> > ======
> > http://online.securityfocus.com/infocus/1563
> >
> > Active Directory and Linux
> >  by David Elson
> >  last updated April 3, 2002
> >
> >
> >  Introduction
> >
> >  This article discusses the use of Microsoft's Active Directory as an
> > authentication service for Linux systems. Although Linux has a perfectly
> > good directory based authentication system (OpenLDAP), it may be
> > desirable on some sites to authenticate Linux users against a Microsoft
> > Windows 2000 server.
> >
> > Although this article discusses Linux (because that is the system I have
> > available in my office), this authentication mechanism works well
> > against other Unix systems that have a PAM/NSS mechanism. Currently that
> > includes Solaris, although discussion has taken place on the possibility
> > of getting this to work on HP-UX. Since most of the work is done at the
> > Windows 2000 end, the instructions for getting this to work on Solaris
> > are not too different from what I have described here.
> >
> > ======
> >
> > I hope you find the above articles useful. Of course if you can wait
> > till the end of Fall before needing the ADS/Linux integration then the
> > new Samba tools for ADS should greatly simplify the task!
> >
> > Jon Carnes
> >
> > ======
> >
> > On Sun, 2003-03-09 at 14:38, Roy Vestal wrote:
> > > Glad to help. Sorry it took so long to get back to you.
> > >
> > > BTW, has anyone investigated Samba and Win2k/XP ADS? I just found out we
> > > are going ADS come hell or high water, we're Exchange dependants and
> > > without a long discussion because of it, we have to use ADS in order to
> > > use Exchange 2002.
> > >
> > > I'm not asking for comments, snickers or the like on what I am
> > > required to use, just anything folks may have run into.
> > >
> > > TIA.
> > >
> > > On 27 Feb 2003, Mark Fowle wrote:
> > >
> > > > I removed all the locks and upgraded to 2.2.7a and it seems to work
> > > > better now.  Thanks!
> > > >
> > > > Mark
> > > >
> > > > On Thu, 2003-02-27 at 13:21, Roy Vestal wrote:
> > > > > > One thing that I've run into is the samba locks that occur on the
> > > > > > samba server. Shut down the service (both smbd and nmbd) and check
> > > > > > /var/opt/samba/locks. Usually when I have communication errors,
> > > > > > removing the temporary locks seems to fix it. Once you've removed
> > > > > > them, simply restart the services.
> > > > > ----- Original Message -----
> > > > > From: "Mark Fowle" <mark at thefowles.com>
> > > > > To: "trilug" <trilug at trilug.org>
> > > > > Sent: Saturday, February 22, 2003 10:57 PM
> > > > > Subject: Re: [TriLUG] Samba Question
> > > > >
> > > > >
> > > > > > On Sat, 2003-02-22 at 19:12, Jon Carnes wrote:
> > > > > > > > What happens when you restart the service on the server (or just
> > > > > > > > the nmbd)?
> > > > > > >
> > > > > > > I don't see any error messages in the nmbd.log -- but even
> > > > > > > restarting the nmbd doesn't seem to cure it.
> > > > > >
> > > > > > > > I think this error has something to do with the "ultra secret
> > > > > > > > security" number that is generated by a PDC for a domain and then
> > > > > > > > shared with authenticated machines at the point when you
> > > > > > > > authenticate them. If the server can't access this "ultra secret
> > > > > > > > security" number then it can't authenticate any other windows
> > > > > > > > (samba) server to the domain, and it can't add a new server to
> > > > > > > > the domain.
> > > > > > >
> > > > > > > Is this the secrets.tdb? Is there a way to regenerate this file or
> > > > > > > some way to find out exactly what's missing without dumping
> > > > > > > everything and starting over?
> > > > > >
> > > > > > > > A domain has a SAM associated with it that authenticates each
> > > > > > > > machine as being a member of the domain. Each server on the
> > > > > > > > domain has an individual SAM associated with it that
> > > > > > > > authenticates that server's identity.
> > > > > > >
> > > > > > > Should there also be a SAM account in the smbpasswd? I've never
> > > > > > > seen a reference that says to....
> > > > > >
> > > > > > Thanks,
> > > > > > Mark
> > > > > >
> > > > > >
> > > > > > > _______________________________________________
> > > > > > > TriLUG mailing list
> > > > > > >     http://www.trilug.org/mailman/listinfo/trilug
> > > > > > > TriLUG Organizational FAQ:
> > > > > > >     http://www.trilug.org/~lovelace/faq/TriLUG-faq.html
> > > > > >
> > > > > >
> > >
> > > --
> > > ---------------------------------------
> > > Roy Vestal
> > > rvestal at trilug.org
> > > http://www.trilug.org/~rvestal
> > >
> > > I'm not a geek, I just play one on tv.
> > > ---------------------------------------
> > >




