UNIX -> WinNT Username/Password Synchronization Revisited!

Paul Warren P.Warren at its.unimelb.EDU.AU
Tue Feb 10 03:00:27 GMT 1998


Hello all!

Brief Scenario:

We use a home-grown "Accounts Registration Server" (ARS) to create, track,
modify and delete required accounts (via a secure TCP connection) on
various host computers (currently only OpenVMS and Digital UNIX servers).

We currently use a DUNIX box as the primary student POP3 mailserver (which
also runs SAMBA). Account registrations (approx 30,000) are achieved using
ARS; in turn the smbpasswd file is also updated (to facilitate password
synchronization and seamless SMB connectivity).

Now, what we would like to do is pipe this account information from the
UNIX box over to a WinNT PDC (in real-time)! We have looked into using the
"pwload" utility to upload the usernames and encrypted passwords directly
from the smbpasswd file into the WinNT Registry. But this is more of a
batch process, which really isn't a nice solution. 

We have also looked into the possibility of capturing the clear text
username and password changes and writing them to a file, then using the MS
Resource Kit "addusers.exe" utility to reflect these changes in the WinNT
SAM. Alternatively, this file could be accessed via an SMB share on the
SAMBA server, and the "net user" command (called by the AT scheduler) used
on the WinNT box to modify the SAM. Once again, these methods are more of
a batch process.

Questions:

Is there an elegant way to achieve our goal? Does anyone know of any RPC
solutions for getting a UNIX server to reflect user account changes on a
WinNT PDC? 

Is there an equivalent "net" command program for (Digital) UNIX (which
could easily be called whenever an account is added, modified or deleted)?
I am aware that Digital UNIX v4.0D ships with "Advanced Server for Digital
UNIX" (ASDU), which actually offers this functionality, but we are yet to
see our copy! Are there any other similar products out there...???

All advice much appreciated! (NB: We do not want to implement NIS or NIS+,
so GINA and NISGINA are not viable solutions. As we are located in
Australia, we cannot use Kerbnet (due to the lunacy of US export laws)!
Also, we are exceedingly hesitant to allow WinNT to validate UNIX logons
using PAM. And as we need a solution before the start of first semester
(March 1998), we cannot wait for the SAMBA PDC functionality or the promise
of WinNT v5.0 supporting Kerberos authentication!)

Regards,


Paul.
_________________________________________________________________________

Paul Warren - Systems Support Analyst  |  http://www.its.unimelb.edu.au/
ITS Department, Shared Systems         |  Email: paulw at its.unimelb.EDU.AU
The University of Melbourne            |  Phone: 61(3) 9344 4136
Parkville, VIC 3052, Australia         |  Fax:   61(3) 9347 4803
_________________________________________________________________________
Pessimist: Someone who complains about the noise when opportunity knocks!

