samba PDC with NIS, or other solution?
Christian Barth
barth at cck.uni-kl.de
Thu Nov 8 08:49:29 GMT 2001
Alex,
> Thanks for the response, Christian. This sounds promising. Is
> there any chance I could see your smb.conf file, or at least
> the parts that deal with Samba pointing to the NIS?
Samba is not pointing to NIS. You install it on the NIS master like
on every other system. You are just able to keep the passwords in
sync on the NIS master, because Samba is able to change the Unix
password whenever the Samba password is changed. And the change of
the Unix password is put into NIS. (You don't have the old clear-text
password, which is mostly needed to change the NIS password directly from
Samba.)
> I've had a hell of a time finding any
> documentation on it. Does /etc/shadow help to get around the plaintext
> password (NIS) vs. encrypted password (Samba) problem?
No. You will have to use both at the same time. On systems with
shadow passwords the passwords are not stored in the world-readable
/etc/passwd but in the root-only /etc/shadow; nothing related to
Samba.
Attached you will find my smb.conf.
>
> thanks,
>
> alex
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Alex Lazarevich
> Systems Administrator
> Imaging Technology Group, http://www.itg.uiuc.edu
> Beckman Institute, http://www.beckman.uiuc.edu
> 405 N. Mathews, Urbana IL 61801 USA
> Ph: (217)244-1565 e-mail: alazarev at itg.uiuc.edu
> _________________________________________________
>
>
> On Thu, 8 Nov 2001, Christian Barth wrote:
>
> > > I've found a few things saying that a Samba PDC with NIS will work. But do
> > > the Samba service and the master NIS service need to be on the same machine?
> > Yes, it will work. We do the same here. You have to use /etc/shadow
> > (/etc/passwd) as the source for NIS and .../private/smbpasswd for the
> > PDC. If the NIS master and the PDC are the same machine you can
> > easily keep accounts (using your custom scripts) and passwords (using
> > "unix password sync" in smb.conf) in sync.
> >
> > With "unix password sync" Samba (the smbpasswd command) changes the
> > Unix password every time the encrypted password is changed. Mostly
> > yppasswd needs the old password to change the password even if
> > running as root. So you have to use passwd in the passwd chat in
> > smb.conf and push your NIS maps with cron or within the chat. For
> > normal users of the NIS master you can link the passwd command to the
> > smbpasswd command, so that they change both of their passwords at
> > once. On the NIS clients you should disable passwd and yppasswd and tell
> > the users to change their password on the master. Or you install a
> > basic Samba there and use smbpasswd (haven't tried the last one).
> >
> > Christian
> >
> > @@@@ (_)@(_) vVVVv _ @@@@ (___) _(_)_
> > @@()@@ wWWWw (_)\ (___) _(_)_ @@()@@ Y (_)@(_)
> > @@@@ (___) `|/ Y (_)@(_) @@@@ \|/ (_)\
> > / Y \| \|/ /(_) \| |/ |
> > \ | \ |/ | / \ | / \|/ |/ \| \|/
> > jgs|// \\|/// \\\|//\\\|/// \|/// \\\|// \\|// \\\|//
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >
>
>
_(_)_ wWWWw _
@@@@ (_)@(_) vVVVv _ @@@@ (___) _(_)_
@@()@@ wWWWw (_)\ (___) _(_)_ @@()@@ Y (_)@(_)
@@@@ (___) `|/ Y (_)@(_) @@@@ \|/ (_)\
/ Y \| \|/ /(_) \| |/ |
\ | \ |/ | / \ | / \|/ |/ \| \|/
jgs|// \\|/// \\\|//\\\|/// \|/// \\\|// \\|// \\\|//
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-------------- next part --------------
[global]
#
# General
#
workgroup = FBK42
server string = FBK Unix file and print server
; hosts allow =
debug level = 0
# The default for the log file is /usr/local/samba/var/log.smb and log.nmb.
# For debugging problems it is useful to build the various variables,
# e.g. %m, %U, into the name. For security reasons they should always come
# after "log.", never in front of it, i.e. log.%m, NEVER %m.log !!
# Since %m can be freely chosen by the client, special care is needed here.
# log file = /usr/local/samba/var/log.%U
max log size = 200
security = user
encrypt passwords = yes
socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
name resolve order = host wins bcast
time server = True
# Required for guest access to the CD-ROM:
# map to guest = Bad User
# Comment it out when not in use!
#
# Browsing and the like
#
local master = yes
os level = 65
domain master = yes
preferred master = yes
wins support = yes
wins proxy = yes
dns proxy = no
remote announce = 131.246.15.255
#
# Permissions, case handling, locking, ....
#
create mask = 0771
directory mask = 0770
security mask = 0777
directory security mask = 0777
inherit permissions = yes
# This is required since 2.0.7, otherwise the s-bit is not inherited cleanly. CB
short preserve case = No
# spnn complains when file extensions are upper case after unpacking. CB
veto files = /lost+found/
locking = yes
oplocks = true
level2 oplocks = true
blocking locks = true
#
# Extension for the handling of file names
#
# The "character set" entry alone is enough for umlauts in file names to be
# displayed correctly under NT and Linux. But then all existing file names are
# displayed wrongly. It can even happen that the files are no longer shown
# under NT at all!! CB
# character set = iso8859-1
# client code page = 437
# GO has it this way, but according to the man page it is wrong. CB
#
# NT domain ...
#
domain logons = yes
logon path = \\fbk\profiles
logon drive = h:
logon script = startnet.bat
### Tests regarding speed
write cache size = 262144
read size = 65536
read prediction = true
# the latter supposedly has no effect any more
#####################################################################################
#
# For unix password sync to work with 1.9.18p10 the file
# source/chgpasswd.c had to be edited before compiling!
# Keep this in mind when recompiling (other versions)!
# For 2.0.0beta1 this was no longer necessary.
# However, Red Hat is picky about password changes because of PAM:
# number of characters that stay the same, ... changing back to the old one, ..
#
# Maybe this is also a "time-out" problem. With 2.0.0beta2 it possibly
# helped to raise the corresponding value in source/smbd/chgpasswd.c from 4 to
# 6 or 8 sec. (?)
#
# Still seems to occur. Therefore, when compiling samba-2.0.6 and 2.0.7,
# chgpasswd.c was edited again to raise the timeout drastically. (lines 213 and 224)
# CB, 7.12.99
#
####################################################################################
unix password sync = True
# debug level = 100
# passwd chat debug = true
passwd chat = *New*password* %n\n *new*password* %n\n *updated\ssuccessfully*
passwd program = /usr/bin/passwd.unix %u
# # passwd was renamed to passwd.unix and /usr/bin/passwd is a link to /usr/local/samba/bin/smbpasswd
# # Just for the users, to keep it simple.
# # I use a cron job that does a "cd /var/yp; make" every 15 minutes to push the NIS maps
# # and changed passwords.
# # I have seen "passwd program = /usr/bin/passwd.unix %u ; cd /var/yp; make" as well
####################################################################################
#============================ Share Definitions ==============================
[printers]
path = /var/spool/samba
printing = bsd
# lpq command = /usr/bin/lpq -P%p
lpq command = /bin/echo
lprm command = /usr/bin/lprm -P%p %j
# print command = /usr/bin/lpr -r -s -P%p %s
print command = /usr/local/samba/bin/print %p %s %m
printable = true
[homes]
comment = Home Directories
valid users = %S
# [homes] creates shares of the form [<username>]
# Any user can connect to any of these shares, including the system accounts !!
# The entry above prevents that
invalid users = root
browsable = no
writable = yes
map hidden = yes
map system = yes
[u1]
comment = 1st user disk
path = /u1
browsable = yes
writable = yes
map hidden = yes
map system = yes
[u2]
comment = 2nd user disk
path = /u2
browsable = yes
writable = yes
map hidden = yes
map system = yes
[FBK]
comment = FBK exchange and general directory
path = /FBK
browsable = yes
writable = yes
map archive = no
[Archiv]
comment = Rather static things
path = /archiv
browsable = yes
writable = yes
map archive = no
[space]
comment = Offload directories
path = /space
browsable = yes
writable = yes
map archive = no
[Program]
comment = Program directory
# Actually "biff" belongs to [homes], but there sometimes seem to be
# independent and therefore duplicate connections.
# Now I hope that the rarely used [Program] gets connected
# properly as well. See also \\fbk\netlogon\startnet.bat
preexec = /usr/local/samba/bin/biff %u %m %H &
postexec = /usr/local/samba/bin/biff.stop %u %m &
path = /archiv/Programme
browsable = yes
writable = yes
map archive = no
[cdrom]
comment = The server CD-ROM
preexec = mount /cdrom
postexec = umount /cdrom
path = /cdrom
browsable = no
writable = no
map archive = no
map hidden = no
map system = no
fake oplocks = yes
# fstype = CDFS
# public = yes
# See also "map to guest" in [global] for this
[profiles]
comment = Share for the NT profiles
path = %H/profile
browsable = no
writeable = yes
map hidden = yes
map system = yes
[profiles2]
comment = Share for OS-dependent profiles
path = %H/profile.%a
browsable = no
writeable = yes
map hidden = yes
map system = yes
[netlogon]
comment = Net Logon Service
path = /usr/local/samba/netlogon
writeable = no
public = no
locking = no
share modes = no
map hidden = yes
map system = yes
# Changes for the policies
browseable = yes
case sensitive = no
preserve case = yes
default case = yes
[htdocs]
comment = WWW data
path = /usr/local/apache/htdocs
guest ok = no
read only = no
create mask = 0774
directory mask = 0775
map archive = no
map hidden = no
map system = no
browsable = no
short preserve case = Yes
# [test]
# comment = Christian's test share
# path = /u1/barth/temp/spd
# browsable = no
# writable = yes
# locking = yes
# oplocks = true
# level2 oplocks = true
# blocking locks = true
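The "unix password sync" mechanism discussed in the mail (smbpasswd drives the program named by "passwd program" through the "passwd chat" expect/send script, and yppasswd fails because it asks for an old password Samba does not have) can be replayed offline. The following is an added example written for this archive page, not Samba's own code and not the poster's: it tokenizes the chat string from the smb.conf above the way smb.conf(5) describes it and runs it against two scripted stand-ins for the password program. Both transcripts (PASSWD_AS_ROOT, YPPASSWD) and the password values are constructed for the example; the matching is an approximation of Samba's behaviour (case-insensitive, "*" and "?" wildcards), not a copy of chgpasswd.c.

```python
"""Replay of a Samba "passwd chat" against a scripted passwd program.

Added illustration for the "unix password sync" setup in the smb.conf above;
not Samba code.  The chat is tokenized as smb.conf(5) describes: whitespace
separated expect/send tokens, '*' and '?' wildcards, %n (new) and %o (old)
password macros, \\n \\r \\t \\s escapes, and '.' meaning "nothing".
Both program transcripts below are constructed, not captured.
"""
import fnmatch

# Chat string exactly as in the smb.conf above (raw string: the backslashes
# are literal in the config file and are expanded at run time).
CHAT = r"*New*password* %n\n *new*password* %n\n *updated\ssuccessfully*"

ESCAPES = {r"\n": "\n", r"\r": "\r", r"\t": "\t", r"\s": " "}


def expand(token, new_password, old_password):
    """Expand the %n/%o macros and backslash escapes of one chat token."""
    token = token.replace("%n", new_password).replace("%o", old_password)
    for esc, char in ESCAPES.items():
        token = token.replace(esc, char)
    return token


def matches(expect, text):
    """Case-insensitive wildcard match: '*' any run of characters, '?' one."""
    return fnmatch.fnmatchcase(text.lower(), expect.lower())


class FakePasswd:
    """Scripted stand-in for the program run by "passwd program".

    steps: list of (text_it_prints, line_it_then_reads); the final step
    reads nothing (None).  A wrong line makes it fail and stop reading."""

    def __init__(self, steps):
        self.steps = list(steps)
        self.pos = 0

    def output(self):
        return self.steps[self.pos][0] if self.pos < len(self.steps) else ""

    def waiting_for_input(self):
        return self.pos < len(self.steps) and self.steps[self.pos][1] is not None

    def feed(self, line):
        if not self.waiting_for_input():
            raise RuntimeError("program is not reading input")
        if line.rstrip("\n") != self.steps[self.pos][1]:
            self.steps = self.steps[: self.pos + 1] + [
                ("passwd: Authentication token manipulation error\n", None)]
        self.pos += 1


def run_chat(chat, program, new_password, old_password=""):
    """Drive `program` with `chat`; returns (ok, lines_sent, failure_reason)."""
    tokens = chat.split()
    sent = []
    for i in range(0, len(tokens), 2):
        expect = expand(tokens[i], new_password, old_password)
        seen = program.output()
        if expect != "." and not matches(expect, seen):
            return False, sent, f"expected {expect!r}, program printed {seen!r}"
        if i + 1 < len(tokens):
            reply = expand(tokens[i + 1], new_password, old_password)
            if reply != ".":
                program.feed(reply)
                sent.append(reply)
    if program.waiting_for_input():
        return False, sent, f"chat exhausted but program still prompts {program.output()!r}"
    return True, sent, ""


# Constructed transcript of Linux passwd run by root, as with
# "passwd program = /usr/bin/passwd.unix %u": root is not asked the old password.
PASSWD_AS_ROOT = [
    ("New UNIX password: ", "s3cret-new"),
    ("Retype new UNIX password: ", "s3cret-new"),
    ("passwd: all authentication tokens updated successfully\n", None),
]

# Constructed transcript of yppasswd, which asks for the old password first.
# The chat above has no %o, and Samba only has the hash of the old password.
YPPASSWD = [
    ("Changing NIS account information for alex on nisserver.\n"
     "Please enter old password: ", "old-pw"),
    ("Please enter new password: ", "s3cret-new"),
    ("Please retype new password: ", "s3cret-new"),
    ("The NIS password has been changed on nisserver.\n", None),
]


def sync_via_passwd(new_password="s3cret-new"):
    return run_chat(CHAT, FakePasswd(PASSWD_AS_ROOT), new_password)


def sync_via_yppasswd(new_password="s3cret-new"):
    return run_chat(CHAT, FakePasswd(YPPASSWD), new_password)


if __name__ == "__main__":
    for name, fn in (("passwd", sync_via_passwd), ("yppasswd", sync_via_yppasswd)):
        ok, sent, why = fn()
        print(f"{name}: {'ok' if ok else 'FAILED'} lines sent={len(sent)} {why}")
```

Running it shows the passwd transcript succeeding with the two %n lines sent, while the yppasswd transcript fails at the very first expect because its prompt never matches "*New*password*"; that is the failure mode the mail describes, and the reason the config uses passwd plus a separate NIS map push rather than yppasswd.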
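The mail also mentions keeping accounts (not just passwords) in sync between the NIS source files and smbpasswd with custom scripts, and the [homes] comment above warns about system accounts being reachable through Samba. Below is an added example of such a consistency check, written for this archive page; it is not the poster's script and not part of Samba. Both input files are constructed samples embedded in the code, the LM/NT hash fields are placeholders rather than real hashes, and the boundary between system and user accounts (SYSTEM_UID_MAX = 499) is an assumption that depends on the distribution.

```python
"""Consistency audit between /etc/passwd (the NIS source) and smbpasswd.

Added illustration of the "custom scripts" mentioned in the mail; not the
poster's script.  Inputs are constructed samples; hash fields are
placeholders.  The smbpasswd line format used here is the Samba 2.x one:
name:uid:LM-hash:NT-hash:[flags]:LCT-<hex>:
with flags U (user), D (disabled), N (no password), W (workstation).
"""

SYSTEM_UID_MAX = 499        # assumption: uids <= 499 are system accounts

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alex:x:1001:100:Alex:/u1/alex:/bin/bash
barth:x:1002:100:Christian Barth:/u1/barth:/bin/bash
newuser:x:1003:100:New User:/u1/newuser:/bin/bash
"""

HASH = "00112233445566778899AABBCCDDEEFF"      # placeholder, not a real hash
NOPW = "NO PASSWORD" + "X" * 21                # Samba's "no password" marker
SMBPASSWD = "\n".join([
    "# constructed sample of /usr/local/samba/private/smbpasswd",
    f"root:0:{HASH}:{HASH}:[U          ]:LCT-3BEA0000:",
    f"alex:1001:{HASH}:{HASH}:[U          ]:LCT-3BEA0001:",
    f"barth:1003:{HASH}:{HASH}:[U          ]:LCT-3BEA0002:",   # uid differs
    f"guest:1500:{NOPW}:{NOPW}:[NU         ]:LCT-3BEA0003:",   # no unix acct
    f"olduser:1004:{HASH}:{HASH}:[UD         ]:LCT-3BEA0004:", # deleted unix acct
    "",
])


def parse_passwd(text):
    """name -> uid from passwd(5) lines; blank lines and comments skipped."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, *_rest = line.split(":")
        users[name] = int(uid)
    return users


def parse_smbpasswd(text):
    """name -> (uid, set of flag letters) from smbpasswd lines."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        flags = set(f[4].strip("[] ")) if len(f) > 4 and f[4].startswith("[") else set()
        entries[f[0]] = (int(f[1]), flags)
    return entries


def audit(passwd_text, smbpasswd_text, system_uid_max=SYSTEM_UID_MAX):
    """Return a dict of account names per finding, each list sorted."""
    unix = parse_passwd(passwd_text)
    smb = parse_smbpasswd(smbpasswd_text)
    report = {k: [] for k in ("missing_smb", "orphan_smb", "uid_mismatch",
                              "system_account_enabled", "no_password")}
    for name, uid in sorted(unix.items()):
        # user account created in the NIS source but never added to smbpasswd
        if uid > system_uid_max and name not in smb:
            report["missing_smb"].append(name)
    for name, (uid, flags) in sorted(smb.items()):
        if name not in unix:
            # stale hash that survived a unix account deletion
            report["orphan_smb"].append(name)
        elif unix[name] != uid:
            report["uid_mismatch"].append(name)
        if uid <= system_uid_max and "D" not in flags:
            # system account with a usable SMB password (cf. invalid users = root)
            report["system_account_enabled"].append(name)
        if "N" in flags and "D" not in flags:
            report["no_password"].append(name)
    return report


if __name__ == "__main__":
    for finding, names in audit(PASSWD, SMBPASSWD).items():
        print(f"{finding:24s} {', '.join(names) or '-'}")
```

On a real NIS master the two texts would be read from /etc/passwd (or the file the NIS Makefile uses as its source) and from Samba's private/smbpasswd, and the job would run from the same cron entry that pushes the maps; any name in orphan_smb or no_password is an entry to delete or disable before it is noticed by someone else.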