A question about Auth Backends

Doug Marcey dougm at cambridge.com
Wed Mar 28 05:20:39 GMT 2001

See comments throughout.

> -----Original Message-----
> From: eirvine [mailto:eirvine at tpgi.com.au]
> Sent: Tuesday, March 27, 2001 11:55 PM
> To: Doug Marcey
> Cc: samba-ntdom at us5.samba.org
> Subject: Re: A question about Auth Backends
> Hi Doug,


> Doug Marcey wrote:
> >
> > I have a question or two (six?) here. First let me describe my situation.
> >
> > I work at a company that has been developing software for Irix for quite
> > some time. As a result our entire company infrastructure is built around
> > Unix machines. Right now we have linux for almost all of our network serving
> > needs. Our web, mail, firewall, file, cvs and everything are served off of
> > either linux, or openbsd. The only exception is a novell 3.20 server that
> > the administrative side of the company uses (and has been using for 6 or 7
> > years now).
> >
> > Recently (last two years) we have been developing a cross platform version
> > of our software that uses a java gui and c++ backend to provide the same
> > look and feel across irix, solaris, linux, hp/ux, windows 9x/ME/NT/2000, and
> > vxworks. Windows has become a very popular platform for the software and as
> > such we have been purchasing more and more windows nt/2000 systems for
> > developers.
> >
> > Currently I have a single NT 4.0 server on the network operating as a PDC.
> > It handles logons and auth requests from the windows nt/2000 systems and
> > authenticates the samba shares for the unix systems, that is all it does. It
> > does not provide any file serving (users profiles and home directories are
> > served off of Linux w/ samba 2.0.7), or anything else. I am trying to
> > convince The-Powers-That-Be (read: old novell admin) that we could ditch the
> > NT server completely on the development side and just use a samba PDC. Since
> > we have to have both NT 4.0 and 2000 pro a 2.2 version of samba would be
> > necessary. Even though I see many advantages to this in manageability the
> > major question I have to answer is: will this in some way allow us to get
> > rid of our "dual account" setup? Right now, the users have an NT account and
> > a separate Unix account with the same username but with different passwords
> > (could be the same but they are not synced).
> >
> > I have seen a few suggestions for this but none of them are very
> > satisfactory for me. I don't want to use pam_smb or winbind as my
> > infrastructure is unix and I would hate to have to manage everything through
> > the windows end of things. Besides, IRIX (still our main development
> > platform) does not support PAM. I see LDAP as an ideal solution for this,
> > but that would mean I would completely have to redo my password system and
> > things would slow down since all the account information would be on the
> > network instead of the local machine. I am also not so crazy about the
> > single point of failure that an ldap server would introduce. The ideal
> > solution for me would be to have samba just use pam directly itself and
> > check against the local password file on whatever system it is on. I see
> > that there seem to be PAM hooks in samba (at least there are config options)
> > but I can't seem to find any info on them in any documentation.
> >
> > Is this all in track with what people on this list have experienced? Is
> > there *any* way to do this besides using pam_smb or something like it? How
> > have others solved this problem? And finally, is the LDAP support in 2.2
> > close to being ready for prime time? The nicest solution would allow people
> > to change password both on unix and windows and have it propagate to the
> > other side. However, if I need to set up some kind of a password change
> > system, such as a password change web page, with a special script at the
> > backend, then I can.
> >
> >         Any answers to the above questions would be greatly appreciated,
> >
> >                         Thank you for your time,
> >
> Having a unix PDC is fine. However, remember that PDC capability for NT is
> still considered beta, and for w2k it is still very much alpha.

I would very much like to get rid of the NT Server for this purpose (PDC).
Is samba at all prime time ready for this purpose? Is anyone using it in a
small-mid sized environment (30-40 NT/2000 Clients, 20-30 Win98 Clients,
40-50 Samba Clients)? How does it work? Our NT server is not a paragon of
responsiveness in this environment, but I don't want an unstable system
preventing people from logging on.

> However, do
> you actually need network logons?

Unfortunately yes. Since not all of our systems are for just one user. Quite
often a developer will need to log into someone else's machine to test a
different graphics card, and we also have several lab NT/2000 workstations
for people to run test programs and compiles on. I need the ability to have
a user login to any machine on the domain and have the same profile, as well
as logon scripts for mounting drives and policies to control the caching of
profiles and other such registry settings. If there is a way to accomplish
all this without network logons, please let me know!!!

> The problem of having a smbpasswd file AND a unix
> password file is much less of an issue in practice than you think it will
> be before you go do it.

There is no issue keeping the unix side synced if they change it from samba.
However, the other direction, with a person changing their password from unix,
happens more often than people changing from NT since most of the
people here are primarily unix people. I suppose I can write a script that
basically does the same thing samba does where it runs smbpasswd for the
person and fills in the password, but this is a less than ideal solution. I
will play with this and let people know what I can come up with. Is anyone
else doing this?

One other question I had was: if NT and Unix send the encrypted passwords
differently then how can samba use an LDAP backend for storing that
information? Doesn't LDAP use the standard crypt(3) to store passwords? How
does samba use that to validate an NT logon? Just curious.
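Added example (not part of this thread or of Samba's own code): the NT hash that smbpasswd stores is MD4 over the UTF-16LE password, which is unrelated to a crypt(3) entry, so neither store can be derived from the other and a unix-side change hook has to hand the plaintext to `smbpasswd -s` at change time, as the script above proposes. The `nt_hash` and `smbpasswd_stdin` helper names and the sample password are this example's own assumptions.

```python
import struct

def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, written out here because many hashlib builds lack md4."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    # pad: 0x80, zeros to 56 mod 64, then the bit length as little-endian u64
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for f, const, shifts, order in rounds:
            for i in range(16):
                # step i updates v[-i % 4] using the other three words in rotation
                a, b, c, d = (v[(j - i) % 4] for j in range(4))
                t = (a + f(b, c, d) + x[order[i]] + const) & 0xFFFFFFFF
                v[(-i) % 4] = _rotl(t, shifts[i % 4])
        state = [(s + w) & 0xFFFFFFFF for s, w in zip(state, v)]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> str:
    """The NT hash smbpasswd/LDAP must store: MD4 of the UTF-16LE password (no salt)."""
    return md4(password.encode("utf-16-le")).hex().upper()

def smbpasswd_stdin(new_password: str) -> bytes:
    """Input for `smbpasswd -s <user>` run as root: it reads the new password twice
    from stdin, so a unix password-change hook can pipe this in without a prompt."""
    return f"{new_password}\n{new_password}\n".encode()

if __name__ == "__main__":
    sample = "password"  # constructed sample value, not a real credential
    print("NT hash:", nt_hash(sample))
    print("smbpasswd -s input:", smbpasswd_stdin(sample))
```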

