[TriLUG] Samba Question

Turnpike Man turnpike420 at yahoo.com
Mon Mar 10 12:23:53 EST 2003


If I recall, doesn't that AD4unix change the schema a bit, or add something to
it??  Wouldn't that change replicate to the other Domain Controllers?
--
Let's not forget that ADS is "not exactly" LDAPv3, although they say... well,
they say what they say.  Passwords will not be found in the directory...
passwords are maintained using Kerberos and the SAM database (if I have my
terminology right)... you can actually use some standard LDAP browsers
available to browse the M$ ADS, my findings were disappointing, so I try to
avoid looking at it and just take it for what it is... being that I am running
a w2k ads enviro, I kinda have to.

What I'm hoping to vision for the future is Novell eDir (if this product does
what it says and is as good as I hear) b/c our offices have already begun to
expand globally and I'd rather something better than ADS be the forefront of
our directory structure.  Novell is giving away 250,000 licenses of Novell eDir
right now, I got my key so I can play with it!  When I'll get started is
another question... 

David (my $0.02)


--- Jon Carnes <jonc at nc.rr.com> wrote:
> Can the Unix guys bring up their own Windows box? ;-)
> 
> All you need is a conduit to get the ADS info into LDAP. Since only
> Windows currently talks to ADS you have to do it via a Windows server
> (which brings up the point: what the f**k use is an
> authentication/directory protocol that doesn't work on all your key
> servers?)
> 
> Looks like you will be waiting for the Samba group!
> 
> Take care - Jon
>   
> On Mon, 2003-03-10 at 10:45, Roy Vestal wrote:
> > Problem is, we're not allowed to mod the Windows servers. It has to be fully
> > from the *NIX end.
> > ----- Original Message -----
> > From: "Jon Carnes" <jonc at nc.rr.com>
> > To: "Triangle Linux Users Group" <trilug at trilug.org>
> > Sent: Sunday, March 09, 2003 6:57 PM
> > Subject: Re: [TriLUG] Samba Question
> > 
> > 
> > > I was just looking at some ADS/Linux integration stuff last week for a
> > > possible client.  Looks a bit complex, but from what I've read, very
> > > do-able.
> > >
> > > Here on some sites that cover the use of Active Directory for
> > > authenticating Unix/Linux servers:
> > >
> > > ======
> > > http://www.css-solutions.ca/ad4unix/
> > >
> > > Microsoft Active Directory for Unixes
> > >
> > > MKSADExtPlugin
> > >
> > > MKSADPlugins - is an extension plug-in for the Microsoft Active
> > > Directory Server, that enable for the UNIX related information to be
> > > stored in Active Directory.
> > >
> > > Primary goal of that solution - create the unified account database for
> > > Windows and UNIX servers.
> > >
> > > Most organizations, that have large user database (relatively large :-),
> > > for me 300 accounts enough :-)) and have heterogeneous network with
> > > Windows and UNIX servers, have to maintain and synchronize the user
> > > accounts databases on both systems. Also, if NIS or similar (like LDAP)
> > > services is not used for UNIX side, there is problem to synchronize the
> > > passwd and shadow database on all UNIX computers.
> > >
> > > That plug-in could help organize a wide accounts information
> > > infrastructure that will be used by Windows computers natively (as
> > > members of Active Directory Domain) and by any UNIX computers, that
> > > support LDAP access to Name Service Information.
> > >
> > >
> > > Supported platforms now:
> > >
> > > - Any platform that supported by PADL NSS-LDAP and PAM-LDAP modules
> > > Linux, Solaris (read please Documentation section about Solaris8) for
> > > sure... other - check on PADL web site
> > > - AIX v.4 and v.5
> > >
> > > ======
> > > http://online.securityfocus.com/infocus/1563
> > >
> > > Active Directory and Linux
> > >  by David Elson
> > >  last updated April 3, 2002
> > >
> > >
> > >  Introduction
> > >
> > >  This article discusses the use of Microsoft's Active Directory as an
> > > authentication service for Linux systems. Although Linux has a perfectly
> > > good directory based authentication system (OpenLDAP), it may be
> > > desirable on some sites to authenticate Linux users against a Microsoft
> > > Windows 2000 server.
> > >
> > > Although this article discusses Linux (because that is the system I have
> > > available in my office), this authentication mechanism works well
> > > against other Unix systems that have a PAM/NSS mechanism. Currently that
> > > includes Solaris, although discussion has taken place on the possibility
> > > of getting this to work on HP-UX. Since most of the work is done at the
> > > Windows 2000 end, the instructions for getting this to work on Solaris
> > > are not too different from what I have described here.
> > >
> > > ======
> > >
> > > I hope you find the above articles useful. Of course if you can wait
> > > till the end of Fall before needing the ADS/Linux integration then the
> > > new Samba tools for ADS should greatly simplify the task!
> > >
> > > Jon Carnes
> > >
> > > ======
> > >
> > > On Sun, 2003-03-09 at 14:38, Roy Vestal wrote:
> > > > Glad to help. Sorry it took so long to get back to you.
> > > >
> > > > BTW, has anyone investigated Samba and Win2k/XP ADS? I just found out we
> > > > are going ADS come hell or highwater, we're Exchange dependants and
> > > > without a long discussion because of it, we have to use ADS in order to
> > > > use Exchange 2002.
> > > >
> > > > I'm not asking for comments, snickers or the like on what I am required to
> > > > use, just anything folks may have run into.
> > > >
> > > > TIA.
> > > >
> > > > On 27 Feb 2003, Mark Fowle wrote:
> > > >
> > > > > I removed all the locks and upgraded to 2.2.7a and it seems to work
> > > > > better now.  Thanks!
> > > > >
> > > > > Mark
> > > > >
> > > > > On Thu, 2003-02-27 at 13:21, Roy Vestal wrote:
> > > > > > One thing that I've run into is the samba locks that occur on the samba
> > > > > > server.  Shut down the service (both smbd and nmbd) and check
> > > > > > /var/opt/samba/locks. Usually when I have communication errors, removing the
> > > > > > temporary locks seems to fix it. Once you've removed them, simply restart
> > > > > > the services.
> > > > > > ----- Original Message -----
> > > > > > From: "Mark Fowle" <mark at thefowles.com>
> > > > > > To: "trilug" <trilug at trilug.org>
> > > > > > Sent: Saturday, February 22, 2003 10:57 PM
> > > > > > Subject: Re: [TriLUG] Samba Question
> > > > > >
> > > > > >
> > > > > > > On Sat, 2003-02-22 at 19:12, Jon Carnes wrote:
> > > > > > > > What happens when you restart the service on the server (or just the
> > > > > > > > nmbd)?
> > > > > > > >
> > > > > > > I don't see any error messages in the nmbd.log -- but even restarting
> > > > > > > the nmbd doesn't seem to cure it.
> > > > > > >
> > > > > > > > I think this error has something to do with the "ultra secret security"
> > > > > > > > number that is generated by a PDC for a domain and then shared with
> > > > > > > > authenticated machines at the point when you authenticate them. If the
> > > > > > > > server can't access this "ultra secret security" number then it can't
> > > > > > > > authenticate any other windows (samba) server to the domain, and it
> > > > > > > > can't add a new server to the domain.
> > > > > > > >
> > > > > > > Is this the secrets.tdb ? Is there a way to regenerate this file or some
> > > > > > > way to find out exactly what's missing without dumping everything and
> > > > > > > starting over?
> > > > > > >
> > > > > > > > A domain has a SAM associated with it that authenticates each machine as
> > > > > > > > being a member of the domain.  Each server on the domain has an
> > > > > > > > individual SAM associated with it that authenticates that server's
> > > > > > > > identity.
> > > > > > > >
> > > > > > > Should there also be a SAM account in the smbpasswd ?  I've never seen a
> > > > > > > reference that says to....
> > > > > > >
> > > > > > > Thanks,
> > > > > > > Mark
> > > > > > >
> > > > > > >
> > > > > > > > _______________________________________________
> > > > > > > > TriLUG mailing list
> > > > > > > >     http://www.trilug.org/mailman/listinfo/trilug
> > > > > > > > TriLUG Organizational FAQ:
> > > > > > > >     http://www.trilug.org/~lovelace/faq/TriLUG-faq.html
> > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > > --
> > > > ---------------------------------------
> > > > Roy Vestal
> > > > rvestal at trilug.org
> > > > http://www.trilug.org/~rvestal
> > > >
> > > > I'm not a geek, I just play one on tv.
> > > > ---------------------------------------
> > > >
> > >
> > >
> > 
> 
> 
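An added shell example (not code from any post in this thread) implementing Roy's lock-clearing step quoted above: it moves aside only the tdb files Samba documents as volatile run-time state and leaves persistent databases in place, which is what keeps secrets.tdb, the file Mark asks about, and winbindd_idmap.tdb from being lost. The lock directory, the init script name and the sample file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Clears Samba's temporary lock files the
# conservative way: volatile tdbs are moved to a backup dir (undoable), and
# persistent ones (secrets.tdb if it lives here, winbindd_idmap.tdb,
# share_info.tdb, printer databases) are left alone, since deleting them
# breaks domain membership or UID/SID mappings. Paths are assumptions.

is_volatile_tdb() {
    # Samba rebuilds these on startup; they hold only run-time state.
    case "$(basename "$1")" in
        brlock.tdb|connections.tdb|locking.tdb|messages.tdb|sessionid.tdb|unexpected.tdb)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# clear_samba_locks LOCKDIR BACKUPDIR
# Only run this with smbd and nmbd stopped; otherwise live state is lost.
clear_samba_locks() {
    lockdir=$1; backup=$2
    mkdir -p "$backup"
    for f in "$lockdir"/*.tdb; do
        [ -f "$f" ] || continue
        if is_volatile_tdb "$f"; then
            mv "$f" "$backup"/ && echo "moved: $(basename "$f")"
        else
            echo "kept (persistent): $(basename "$f")"
        fi
    done
}

# The full procedure from the thread, wrapped with the service stop/start.
# The init script name is an assumption; adjust it for your system. Not
# invoked below, so the file runs without a Samba install.
samba_lock_reset() {
    /etc/init.d/smb stop
    clear_samba_locks "${1:-/var/opt/samba/locks}" \
        "/var/tmp/samba-locks.$(date +%Y%m%d%H%M%S)"
    /etc/init.d/smb start
}

# Demo on a constructed directory with empty stand-in tdb files.
demo=$(mktemp -d)
for n in brlock locking secrets winbindd_idmap share_info sessionid; do
    : > "$demo/$n.tdb"
done
clear_samba_locks "$demo" "$demo/backup"
ls "$demo"
```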




