[TriLUG] Samba Question

Jon Carnes jonc at nc.rr.com
Sun Mar 9 18:57:10 EST 2003


I was just looking at some ADS/Linux integration stuff last week for a
possible client.  Looks a bit complex, but from what I've read, very
do-able. 

Here are some sites that cover the use of Active Directory for
authenticating Unix/Linux servers:

======
http://www.css-solutions.ca/ad4unix/

Microsoft Active Directory for Unixes

MKSADExtPlugin

MKSADPlugins is an extension plug-in for the Microsoft Active
Directory Server that enables UNIX-related information to be
stored in Active Directory.

Primary goal of that solution: create a unified account database for
Windows and UNIX servers.

Most organizations that have a large user database (relatively large :-),
for me 300 accounts is enough :-)) and a heterogeneous network with
Windows and UNIX servers have to maintain and synchronize the user
account databases on both systems. Also, if NIS or a similar service
(like LDAP) is not used on the UNIX side, there is the problem of
synchronizing the passwd and shadow databases on all UNIX computers.

That plug-in could help organize a wide account information
infrastructure that will be used by Windows computers natively (as
members of an Active Directory Domain) and by any UNIX computers that
support LDAP access to Name Service Information.


Supported platforms now:

- Any platform that is supported by the PADL NSS-LDAP and PAM-LDAP modules:
  Linux, Solaris (please read the Documentation section about Solaris8) for
  sure... others - check on the PADL web site
- AIX v.4 and v.5

======
http://online.securityfocus.com/infocus/1563

Active Directory and Linux
by David Elson
last updated April 3, 2002

Introduction

This article discusses the use of Microsoft's Active Directory as an
authentication service for Linux systems. Although Linux has a perfectly
good directory based authentication system (OpenLDAP), it may be
desirable on some sites to authenticate Linux users against a Microsoft
Windows 2000 server. 

Although this article discusses Linux (because that is the system I have
available in my office), this authentication mechanism works well
against other Unix systems that have a PAM/NSS mechanism. Currently that
includes Solaris, although discussion has taken place on the possibility
of getting this to work on HP-UX. Since most of the work is done at the
Windows 2000 end, the instructions for getting this to work on Solaris
are not too different from what I have described here.

======

I hope you find the above articles useful. Of course if you can wait
till the end of Fall before needing the ADS/Linux integration then the
new Samba tools for ADS should greatly simplify the task!

Jon Carnes

======

On Sun, 2003-03-09 at 14:38, Roy Vestal wrote:
> Glad to help. Sorry it took so long to get back to you.
> 
> BTW, has anyone investigated Samba and Win2k/XP ADS? I just found out we 
> are going ADS come hell or high water, we're Exchange dependents and 
> without a long discussion because of it, we have to use ADS in order to 
> use Exchange 2002.
> 
> I'm not asking for comments, snickers or the like on what I am required to 
> use, just anything folks may have run into.
> 
> TIA.
> 
> On 27 Feb 2003, Mark Fowle wrote:
> 
> > I removed all the locks and upgraded to 2.2.7a and it seems to work
> > better now.  Thanks!
> > 
> > Mark
> > 
> > On Thu, 2003-02-27 at 13:21, Roy Vestal wrote:
> > > One thing that I've run into is the samba locks that occur on the samba
> > > server.  Shut down the service (both smbd and nmbd) and check
> > > /var/opt/samba/locks. Usually when I have communication errors, removing the
> > > temporary locks seems to fix it. Once you've removed them, simply restart
> > > the services.
> > > ----- Original Message -----
> > > From: "Mark Fowle" <mark at thefowles.com>
> > > To: "trilug" <trilug at trilug.org>
> > > Sent: Saturday, February 22, 2003 10:57 PM
> > > Subject: Re: [TriLUG] Samba Question
> > > 
> > > 
> > > > On Sat, 2003-02-22 at 19:12, Jon Carnes wrote:
> > > > > > What happens when you restart the service on the server (or just the
> > > > > > nmbd)?
> > > > > >
> > > > > I don't see any error messages in the nmbd.log -- but even restarting
> > > > > the nmbd doesn't seem to cure it.
> > > >
> > > > > I think this error has something to do with the "ultra secret security"
> > > > > number that is generated by a PDC for a domain and then shared with
> > > > > authenticated machines at the point when you authenticate them.  If the
> > > > > server can't access this "ultra secret security" number then it can't
> > > > > authenticate any other windows (samba) server to the domain, and it
> > > > > can't add a new server to the domain.
> > > > >
> > > > > Is this the secrets.tdb? Is there a way to regenerate this file or some
> > > > > way to find out exactly what's missing without dumping everything and
> > > > > starting over?
> > > >
> > > > > A domain has a SAM associated with it that authenticates each machine as
> > > > > being a member of the domain.  Each server on the domain has an
> > > > > > individual SAM associated with it that authenticates that server's
> > > > > > identity.
> > > > >
> > > > > Should there also be a SAM account in the smbpasswd?  I've never seen a
> > > > > reference that says to....
> > > >
> > > > Thanks,
> > > > Mark
> > > >
> > > >
> > > > > _______________________________________________
> > > > > TriLUG mailing list
> > > > >     http://www.trilug.org/mailman/listinfo/trilug
> > > > > TriLUG Organizational FAQ:
> > > > >     http://www.trilug.org/~lovelace/faq/TriLUG-faq.html
> 
> -- 
> ---------------------------------------
> Roy Vestal
> rvestal at trilug.org
> http://www.trilug.org/~rvestal
> 
> I'm not a geek, I just play one on tv.
> ---------------------------------------