Admin of users from NT

John Blair jdblair at uab.edu
Sun Oct 12 16:14:21 GMT 1997


I'll take a stab at this question.  I'm curious what other people think
about these problems.

>1.  Three shares per machine is becoming too many to manage.  The users
>get confused as to which drive letter goes to which machine/share.  Is
>there a better way to define how the drives and shares are laid out, so
>it's easier from a user perspective?

I'm not sure exactly what you mean.  I'm assuming that you have 6 drive
letters (say, G through M) mapped to the six shares, three on each Linux
machine.  Is the problem that users have trouble remembering which drive
letter is mapped to which share?  If that's the case, here are some possible
solutions:

1) If the programs they are using support them, use UNC names
(\\SERVERNAME\SHARENAME).  I find that sometimes these are easier for
people to remember than single driveletters.
2) You could change the 6 shares to 2 shares-- one on each Linux machine.
If access privileges are different for each share you can govern access
using UNIX privileges.  This would mean users only need to remember two
driveletters or sharenames.
3) You could encourage users to access the drives through the network
neighborhood or through shortcuts you add to all profiles.  I find that
most of my users have an easier time navigating the Network Neighborhood
than remembering driveletters or share names.  It also encourages an
understanding of what the network looks like, from a Windows perspective at
least.

>3.  Is there a way to manage the list of users that are on each machine,
>rather than modifying the Linux box directly?  Is it possible to have a
>common place to store the list of users that will be using the shares?  In
>other words, the user has to log into his local machine, then use the
>file manager to connect to the share, and also specify the username that he
>will be connecting as.  It then prompts him for a passwd.
>
>How can I have the user simply log into the local NT box, and
>automagically be allowed to connect to the remote linux shares, and not
>have to specify a password?

One solution is to set "hosts allow" to only allow access by the IP
addresses used by your Windows NT machines, "security = server" and
"password server = %m".  This would cause passwords to be validated by
asking the connecting machine if the password is valid.  This is, obviously,
a HUGE security risk and can only be used if you trust the connecting
machine to correctly authenticate users.  It only works if you completely
trust your users, you are on an isolated network, and/or only you (or other
trusted users) have the right to add users to the Windows NT machines.  It
is still not optimum security-- someone may be able to access your machine
remotely by spoofing an IP address.  Depending on your security needs, this
solution may be adequate, though.  You could then use "write list", "read
list" and/or UNIX file permissions to regulate specific types of access.

>I tried working with the netlogon scripts, but I could not get it working.
>Is this the proper method to define drive mappings when the user logs in?
>Would I be better off creating a login script for each user on the local
>machines, that defines which shares the user can connect to, and which
>drive it maps to?  Possibly someone could provide an example?

Do you mean the script specified by the "logon script" parameter?  Somebody
correct me if I'm wrong, but I thought that currently only worked with
Windows 95 clients.  You could manually specify a logon script in
everybody's profile, but since you are only using NT Workstation, you would
have to do this for every user on every machine.

>3.  Continuing with the last question, is it possible to have a central
>machine that contains all usernames?  It seems one user can log in to
>different machines in the office, so I must provide login IDs for each
>user at each of the 15 or so machines..  This is very time consuming, and
>passwords need to be changed at each station.  Is this the purpose of NT
>server?

This is indeed the purpose of an NT server.  Actually, if you have 15
machines running NT workstation, you should seriously consider running NT
server.  As much as I like using non M$ solutions when I can, this is a
case where you will probably save a lot of grief by running NT server.
This statement comes from experience.  You will be able to manage accounts
centrally.  This will also solve the password problem in the last
question-- if you set the NT server to be the password server, your users
will be able to transparently connect to the Linux servers.

There is an effort to reverse engineer the protocol used to implement NT
distributed security.  Samba (or some other system) may some day allow you
to implement centralized security from a non-NT machine.  NT 5.0 promises
to allow Kerberos to be used as an authentication option.  If that actually
happens you can run the Kerberos principal database on your Linux machine
and handle all passwords from there.

>4.  Does anyone have any experience with Apache and samba?  It seems the
>users are having problems using Composer, and 'Publishing' the documents
>to the web server.  I don't have all the details at this point, but I
>hoped someone might know of a reference to find more information on this
>topic..

Without any more info I can't help you, other than to say that I am running both
Apache and Samba with no obvious problems.

g'luck,
 -john.


......................................................................
.                                                                    .
.....John.D.Blair...   mailto:jdblair at uab.edu   phoneto:205.975.7123 .
                   .   http://frodo.tucc.uab.edu  faxto:205.975.7129 .
 ..sys|net.admin....                                                 .
 .                     the university computer center            .....
 ..... g.e.e.k.n.i.k...the.university.of.alabama.at.birmingham....
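
Added example (not part of the original message, and not Samba's own code): a small audit of an smb.conf [global] section for the "security = server" / "password server = %m" setup described in the reply above, reporting whether "hosts allow" is the only thing standing between the server and a self-validating client. The function name, finding codes, address prefix and server name are hypothetical and constructed for illustration.

```python
import configparser

def _norm(name):
    # Samba ignores case and whitespace inside parameter names.
    return "".join(name.split()).lower()

def audit_global(smb_conf_text):
    """Return finding codes for the [global] section (hypothetical helper)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = _norm
    cp.read_string(smb_conf_text)
    name = next((s for s in cp.sections() if s.lower() == "global"), None)
    g = dict(cp[name]) if name else {}
    findings = []
    servers = g.get("passwordserver", "").replace(",", " ").split()
    if g.get("security", "").lower() == "server" and "%m" in servers:
        # The connecting machine vouches for its own users' passwords.
        findings.append("CLIENT_VALIDATES_ITSELF")
        if g.get("hostsallow") or g.get("allowhosts"):
            # Restricted, but only by source address, which can be spoofed.
            findings.append("RELIES_ON_SOURCE_IP")
        else:
            findings.append("NO_HOSTS_ALLOW")
    return findings

# Constructed samples; the address prefix and server name are placeholders.
AS_DESCRIBED = """\
[global]
security = server
password server = %m
hosts allow = 192.168.10.
"""
NO_ALLOWLIST = """\
[global]
Security = SERVER
Password Server = %m
"""
CENTRAL_NT_SERVER = """\
[global]
security = server
password server = NTSERVER
"""

if __name__ == "__main__":
    for label, conf in [("as described", AS_DESCRIBED),
                        ("no allow-list", NO_ALLOWLIST),
                        ("central NT server", CENTRAL_NT_SERVER)]:
        print(label, audit_global(conf))
```

The third sample corresponds to the central NT password server suggested later in the reply and produces no findings.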



