smbpasswd & NIS

Roeland M.J. Meyer rmeyer at mhsc.com
Thu Mar 26 08:07:35 GMT 1998


Part of what I've been working on the past few months is bringing up an
SSH-based mail service (If you want more on that then check my URL).
Because we are a Caldera VAR we naturally are running OpenLinux as servers.
I believe this is based on RedHat, although we have *many* add-on packages
(about 52 of them, I believe). Since one of them is NIS (multiple servers)
the Caldera user management system does not work and LISA sucks. 

We expect to handle up to 10K users per server <grin> plus corporate staff,
in the same uuid space. With this type of load, manual user management, à la
traditional Linux/BSD, is NOT an option. Especially, since normal users do
not have shell access and Accountholders (customers) do not even get Samba
access.

We looked at PAM and decided that dox were not in good enough shape.
KerbNet was actually tried, until we ran into the same documentation
problem, that cost us a week (24x12). Critical pieces were missing. We
reluctantly, about 5 weeks ago, came to the conclusion that we'd better
write it ourselves and quit working so hard trying to do it the easy way.
We could work on our own kludges more effectively.

What we came up with was a four-tier user management system. Part of the
user management is done on PostgreSQL. However, it needed a bottom-end.
This was a level layer of bash and mostly perl5 scripts. It is very
generic, automates uuid assignments according to tier, creates $HOMEs,
changes passwd and smbpasswd, adds and deletes users, moves users between
tiers, different /home for each tier, etc. 

The system only adds one extra config file in /etc, it's flat text which
could be dbm but it's small so why bother. Otherwise, there are about 20
scripts, three in bash and the rest in perl. The smbpasswd file is shared
via NFS because NIS doesn't gain you anything. A shell account has equal
chance at getting to it and an RPC failure will kill access equally. If NIS
won't work then NFS won't either; the converse is also true, for most
failure-modes. 

It's still not quite finished since I also have to manage groups. But, I
have to write this up anyway and it would be only a small problem to put in
a little extra for distro. The question is, does anyone want it?

In case anyone wants to know, being the CEO of this place does give me the
authority to make this offer.

At 12:47 3/26/98 +1100, Adam Williams wrote:
>	I've hacked a yppasswdd, yppasswd pair that updates both the NIS maps
>on the server and the smbpasswd file.  I based it loosely on David Bannon's hack
>of the passwd program that does the same thing.  I send a clear text new
>password to the server which encrypts it and writes it to /etc/passwd, and calls
>smbpasswd {USERNAME} {PASSWORD} to set the SAMBA passwords.  It would be best
>to do both encrypts at the client but I needed something quick.  If you're
>interested send me e-mail.
>
>	My programs were built on Redhat 5.0 from the src.rpm of yppasswd,
> also built on Redhat 4.2 (non glibc), and the yppasswd client on AIX 4.x
> 
___________________________________________________ 
Roeland M.J. Meyer, ISOC (InterNIC RM993) 
e-mail:              mailto:rmeyer at mhsc.com
Personal web pages:  http://www.mhsc.com/~rmeyer
Company web-site:    http://www.mhsc.com/
___________________________________________ 
SecureMail from MHSC.NET is coming soon!