
Re: [K12OSN] Samba setup w/ ldap vs NIS/NT domain



Eric,

I have a small office Samba fileserver set up as a PDC, maybe it's overkill
but I like the fact that the Win9x users login, there's security and the
netlogon script maps what they need--seamlessly.  I will be installing
another small Samba fileserver here very shortly.

You wrote:
As I mentioned in an earlier email, the initial setup of OpenLDAP can be
a bit daunting, but once you get it running it's great. I can't imagine
life without centralized authentication and authorization.

I'm very much interested in continuing the model that I have however it
would *really* make my life easier if usernames & passwords were to be
automatically synced between Samba & Linux.  It sounds like LDAP would solve
this (and maybe other issues as well).

I'm sure not a few would be very interested in resolving this automated sync
issue, so here goes:
1. What will it take to set up a Samba+LDAP server or is there an easier way
to sync between Samba and Linux?
2. Any advice for making this task less daunting for those of us who have
limited to no experience with LDAP?

Thanks in advance!

James Jensen


----- Original Message -----
From: "Eric Harrison" <eharrison mail mesd k12 or us>
To: <k12osn redhat com>
Sent: Monday, April 15, 2002 7:42 PM
Subject: Re: [K12OSN] Samba setup w/ ldap vs NIS/NT domain


On Sun, 14 Apr 2002, Mike Danahy wrote:

>I do know that the iplanet directory server has an addon for NT
>Synchronization services that will allow the SAM database and/or the NT
>user database to sync up with an iplanet ldap server. There are two
>software packages, one gets installed on the iplanet ldap server and the
>other is installed on the NT server.  From what I have read communications
>takes place between servers in clear text; ahh--more work to make it
>secure.  I took this info from "Solaris and LDAP Naming Services" by Tom
>Bialaski and Michael Haines.

The LDAP support in Samba 2.2.3a is not clear text (well, depends on how you
define clear text ;-). What we did was add the Lanman & NT passwords to the
LDAP schema and Samba queries for them there rather than /etc/smbpasswd.
Thus it is the hash that is passed back and forth from the windows box and
Samba, which is the same level of security (or insecurity if you prefer)
that you get authenticating against a NT4.0 server.

I believe they are working on the Kerberos support for win2k/xp in Samba
3.0.

It sounds like iplanet is enabling clear-text passwords on the Windows box.
I had a few beers with John Terpstra (of Samba fame) a year or so ago and
he rattled off a long list of things that break on a Windows box when you
enable clear text passwords (including the obvious "clear text passwords").
I can't remember the exact details, I figured that remembering "don't do
that, it's fundamentally broken" was enough ;-)


>I guess one of the things I am getting out of this book and a couple of
>others is that LDAP or directory services adhere to standards in many ways,
>but their access control instructions can be vendor specific and
>thus different.  This is a big "Oh Shucks!" because it only makes sense
>for budget strapped schools to have operational transparency all across the
>board with differences saved for the front-end.  There are glue products
>out there that make them behave as one, but I suspect they require a
>chunk of time and monies.

Samba + Netatalk + LDAP does a pretty good job of gluing together
everything in our shop. Too bad all operating systems didn't use PAM ;-)

As I mentioned in an earlier email, the initial setup of OpenLDAP can be
a bit daunting, but once you get it running it's great. I can't imagine
life without centralized authentication and authorization.

>That being said, there is no doubt the industry will head the directory
>server route.  I suspect that everything from library automation
>systems to school management systems will be directory service
>enabled.  More vendors seem to be going this route!  Wouldn't it be
>nice if your school just purchased a library automation system and
>you only had to ldap point to your users instead of typing in another set
>of accounts.
>
>Our service unit will be doing everything ldap or directory server
>authentication/authorization next year.  Being faced with a situation
>similar to yours, but without a timeline yet, we will probably take
>advantage of the commercial iplanet directory server software and use
>links in openldap to the things we need.  Having one stop shopping
>authorization/authentication and large scale management of computer
>resources is only possible with directory services.
>
>
>On another note, I have heard that Novell's NDS and OpenLDAP work real
>well together.

I've always been impressed with NDS. Too bad it's too expensive for us :-(

-Eric



_______________________________________________
K12OSN mailing list
K12OSN redhat com
https://listman.redhat.com/mailman/listinfo/k12osn
For more info see <http://www.k12os.org>