A question about Auth Backends
eirvine at tpgi.com.au
Wed Mar 28 04:54:48 GMT 2001
Doug Marcey wrote:
> I have a question or two (six?) here. First let me describe my situation.
> I work at a company that has been developing software for Irix for quite
> some time. As a result our entire company infrastructure is built around
> Unix machines. Right now we have linux for almost all of our network serving
> needs. Our web, mail, firewall, file, cvs and everything are served off of
> either linux, or openbsd. The only exception is a novell 3.20 server that
> the administrative side of the company uses (and has been using for 6 or 7
> years now).
> Recently (last two years) we have been developing a cross platform version
> of our software that uses a java gui and c++ backend to provide the same
> look and feel across irix, solaris, linux, hp/ux, windows 9x/ME/NT/2000, and
> vxworks. Windows has become a very popular platform for the software and as
> such we have been purchasing more and more windows nt/2000 systems for
> Currently I have a single NT 4.0 server on the network operating as a PDC.
> It handles logons and auth requests from the windows nt/2000 systems and
> authenticates the samba shares for the unix systems, that is all it does. It
> does not provide any file serving (users profiles and home directories are
> served off of Linux w/ samba 2.0.7), or anything else. I am trying to
> convince The-Powers-That-Be (read: old novell admin) that we could ditch the
> NT server completely on the development side and just use a samba PDC. Since
> we have to have both NT 4.0 and 2000 pro a 2.2 version of samba would be
> necessary. Even though I see many advantages to this in manageability the
> major question I have to answer is: will this in some way allow us to get
> rid of our "dual account" setup? Right now, the users have an NT account and
> a separate Unix account with the same username but with different passwords
> (could be the same but they are not synced).
> I have seen a few suggestions for this but none of them are very
> satisfactory for me. I don't want to use pam_smb or winbind as my
> infrastructure is unix and I would hate to have to manage everything through
> the windows end of things. Besides, IRIX (still our main development
> platform) does not support PAM. I see LDAP as an ideal solution for this,
> but that would mean I would completely have to redo my password system and
> things would slow down since all the account information would be on the
> network instead of the local machine. I am also not so crazy about the
> single point of failure that an ldap server would introduce. The ideal
> solution for me would be to have samba just use pam directly itself and
> check against the local password file on whatever system it is on. I see
> that there seem to be PAM hooks in samba (at least there are config options)
> but I can't seem to find any info on them in any documentation.
> Is this all in track with what people on this list have experienced? Is
> there *any* way to do this besides using pam_smb or something like it? How
> have others solved this problem? And finally, is the LDAP support in 2.2
> close to being ready for prime time? The nicest solution would allow people
> to change password both on unix and windows and have it propagate to the
> other side. However, if I need to set up some kind of a password change
> system, such as a password change web page, with a special script at the
> backend, then I can.
> Any answers to the above questions would be greatly appreciated,
> Thank you for your time,
Having a unix PDC is fine. However, remember that PDC capability for NT is
still considered beta, and for w2k it is still very much alpha. However, do
you actually need network logons?
The problem of having a smbpasswd file AND a unix
password file is much less of an issue in practice than you think it will
be before you go do it.
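For the setup the question describes (a Samba 2.2 PDC for NT 4.0 and 2000 Pro clients, with one password per user), here is a minimal smb.conf added as an illustration; it is not from the thread or from the Samba project. Domain and server names are placeholders, and the file paths and `passwd chat` prompts assume a Linux host whose passwd(1) output matches them.

```ini
# Added example: Samba 2.2 PDC that pushes a Windows-initiated password
# change into the local Unix password file, so the "dual account" pair
# stays in step. Names and paths below are assumptions, not site values.
[global]
   workgroup = EXAMPLEDOM
   netbios name = UNIXPDC
   security = user
   # NT/2000 clients only send NT hashes; smbpasswd holds them
   encrypt passwords = yes
   smb passwd file = /etc/samba/smbpasswd
   # act as the domain controller for NT 4.0 / 2000 Pro workstations
   domain logons = yes
   domain master = yes
   preferred master = yes
   os level = 65
   # profiles and home directories stay on the Samba host, as in the post
   logon path = \\%N\profiles\%U
   logon home = \\%N\%U
   # each workstation that joins needs a Unix machine account
   add user script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u
   # when a user changes the password from Windows, run passwd for the
   # same Unix account (Windows -> Unix direction only)
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *New*password* %n\n *Retype*new*password* %n\n *updated*successfully*

[homes]
   comment = Home Directories
   browseable = no
   writable = yes

[netlogon]
   path = /var/lib/samba/netlogon
   writable = no
   guest ok = no

[profiles]
   path = /var/lib/samba/profiles
   writable = yes
   create mask = 0600
   directory mask = 0700
```

`unix password sync` only covers changes made from the Windows side; a change made with passwd(1) on Unix does not update smbpasswd, which is the gap the post's "password change web page with a script at the backend" (or, where PAM exists, Samba's pam_smbpass module) would have to fill.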
More information about the samba-ntdom