[Samba] domain logons - help

Bradley W. Langhorst brad at langhorst.com
Thu Aug 8 06:04:02 GMT 2002


I think you need to learn some sysadmin tricks....
at the minimum 
put something like vnc on the clients so you don't have to walk around
(don't let vnc past the firewall)
or better - standardize your clients with an imaging tool like ghost
or system imager so you can make any changes and just roll them out.
(your users will then heed your admonition to keep everything on the
server so backups can be centralized too)

don't use plain text passwords anywhere it is just BAD practice
Even on the unix box you should be using shadow passwords with md5
hashing.  You don't want to see those passwords ever.

if you have to spend a weekend fixing stuff i think it is worth it.
I don't think you can get domain logons working without encrypted
passwords unless you are prepared to do some source hacking.

brad

On Thu, 2002-08-08 at 05:57, David Chandraratnam wrote:
> Trey, the reason i want Plain text passwords is
> 
> It is already installed, with plain text passwords and i cannot find the mksmbpasswd.sh anywhere
> 
> in order to do the 'cat /etc/passwd | mksmbpasswd.sh > /etc/smbpasswd '(the place i want the smbpasswd)
> I do not know if it is solaris thing, but as i am using 2.2.5 and there is nowhere on the web that says
> here is where you  get mksmbpasswd.sh . I am stymied.
> 
> If i could find this mksmbpasswd.sh thing it would probably be no trouble at all to get encrypted passwords to 
> work. Although, if there is a way to get domain logons with plain text passwords it would save me a lot of time and 
> a lot of work and most importantly I would not have to get weekend-supervised access to building to change
> the windows registry from enable plaintext passwd (1) to (0)
> 
> The other solution being give everyone, using the machines an account on the machines is not really appropriate
> as it will mean i will have to change the machine every time they forget their password or the like (known to happen)
> or when a new person comes giving them access on all the machines (problem we have a high turnover of casual staff who use the machines and then their accounts have to be removed for security/privacy reasons).
> 
> Thus i would like to get the whole domain logons
> or just be able to do the passwd and smbpasswd command when it is required
> not move from machine to machine (24, greatly distributed) for every casual user
> i thought of have a huge amount of temp files , but the passwords would have to change for security of information reasons 
> 
> So the easiest solution would be to get me a mksmbpasswd.sh but this is not the case, after a few days look for it.
> so finally HELP!
> 
> Thanks
> 
> Dave
> 
> 
> On Wed, Aug 07, 2002 at 08:11:09AM -0500, Trey Nolen wrote:
> > To enable plaintext passwords under Windows 2000, go to Start -> Run and
> > type in regedt32. Under HKEY_LOCAL_MACHINE go to
> > \system\currentcontrolset\services\lanmanworkstation\parameters and change
> > the DWORD value of the enableplaintextpassword entry to 1.
> > 
> > Just curious....if you have Win98 and Win2000 only, why do you want
> > plaintext?
> > 
> > Trey Nolen
> > >
> > > On Wed, Aug 07, 2002 at 12:35:47PM +1000, David Chandraratnam wrote:
> > > > Hello
> > > >
> > > > I am running a windows 98 network with plain text passwords.
> > > > I currently have to install 20 windows 2k machines to the network , is
> > there a way to do this with plain text passwords , but still enable me to
> > have domain logons.
> > > >
> > > > as if i have to unenable plain text passwords on all the machines it
> > will take me forever (40 something machines)  and there is also an
> > additional problem of getting access to the buildings.
> > > >
> > > > smb.conf to follow
> > > >
> > > > [global]
> > > >
> > > > # workgroup = NT-Domain-Name or Workgroup-Name
> > > >    workgroup = CST
> > > >    netbios name = csta
> > > >    hosts allow = 129.78. 10.1.
> > > >    server string = "College"
> > > >    guest account = nobody
> > > >    security = user
> > > >    guest account = nobody
> > > >    security = user
> > > >    password level = 4
> > > >    browseable = yes
> > > >    wins support = yes
> > > >    ;wins server = 129.78.a.b
> > > >    ;wins proxy = yes
> > > >    dns proxy = yes
> > > >
> > > >    name resolve order = lmhosts host wins bcast
> > > >    os level = 65
> > > >    domain master = yes
> > > >    local master = yes
> > > >    preferred master = yes
> > > >    ;domain admin group = @root
> > > >    remote announce = 129.78.c.d
> > > >    remote browse sync = 129.78.a.b
> > > >
> > > >    preserve case = yes
> > > >    case sensitive = no
> > > >
> > > >    load printers = yes
> > > >    printing = sysv
> > > >
> > > >   load printers = yes
> > > >    printing = sysv
> > > >
> > > >    print command = /usr/local/samba/bin/smbprint %s
> > > >
> > > >    log file = /usr/local/samba/var/log.%m
> > > >
> > > >    max log size = 50
> > > >
> > > >    ; (Previously was) socket options = TCP_NODELAY
> > > >    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> > > >
> > > >    domain logons = yes
> > > >    logon path = \\csta\profiles\%U\profile
> > > >    logon script = scripts\startup.bat
> > > >
> > > > #============================ Share Definitions
> > ==============================
> > > > [homes]
> > > >    comment = Home Directories
> > > >    path = /home/%U
> > > >    browseable = no
> > > >    read only = no
> > > >    writable = yes
> > > >
> > > >    read only = no
> > > >    writable = yes
> > > >    invalid users = root
> > > >
> > > > # Un-comment the following and create the netlogon directory for Domain
> > Logons
> > > > [netlogon]
> > > >    path = /usr/local/samba/netlogon
> > > >    guest ok = yes
> > > >    writelist = johnt
> > > >
> > > > [profiles]
> > > >    path =/home/profiles
> > > >    browseable = yes
> > > >    read only = no
> > > >    writable = yes
> > > >    nt acl support = no
> > > >
> > > > Thanks
> > > >
> > > > Dave Chandraratnam
> > > >
> > > > Being an executioner is really the only way to get a head in this life
> > > > --
> > > > To unsubscribe from this list go to the following URL and read the
> > > > instructions:  http://lists.samba.org/mailman/listinfo/samba
> > >
> > > --
> > > Dave Chandraratnam
> > >
> > > Being an executioner is really the only way to get a head in this life
> > >
> 
> -- 
> Dave Chandraratnam
> 
> Being an executioner is really the only way to get a head in this life
> 
> 
> 
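Added example (not part of the original thread and not Samba's own script): a stand-in for the `mksmbpasswd.sh` helper the quoted message could not find, turning passwd-format lines into smbpasswd skeleton entries. The function name, the `min_uid` cut-off and the sample accounts are assumptions of this example; the field layout follows smbpasswd(5).

```shell
#!/bin/sh
# Added example: stand-in for mksmbpasswd.sh. Reads passwd(5) lines on stdin
# and writes smbpasswd skeleton entries on stdout.
# Usage: passwd_to_smbpasswd [min_uid]   (min_uid is this example's own knob)
passwd_to_smbpasswd() {
    awk -F: -v min_uid="${1:-100}" '
        BEGIN {
            # 32 "X" characters in a hash field: no password set yet, so the
            # account cannot log on until smbpasswd writes real hashes.
            for (i = 0; i < 32; i++) nopw = nopw "X"
        }
        /^#/ || /^$/       { next }   # comments and blank lines
        /^[+-]/            { next }   # NIS compat entries
        NF < 7             { next }   # malformed passwd line
        $3 !~ /^[0-9]+$/   { next }   # non-numeric uid
        $3 + 0 < min_uid   { next }   # root and system accounts stay out
        seen[$1]++         { next }   # keep only the first entry per name
        {
            # name:uid:LANMAN hash:NT hash:[flags, 11 chars]:last change:gecos
            printf "%s:%s:%s:%s:[%-11s]:LCT-00000000:%s\n",
                   $1, $3, nopw, nopw, "U", $5
        }
    '
}

# Constructed sample input (not taken from the thread).
SAMPLE_PASSWD='root:x:0:1:Super-User:/:/sbin/sh
# local accounts
+::::::
daemon:x:1:1::/:
dave:x:1001:10:Dave C:/home/dave:/bin/sh
dave:x:1001:10:Duplicate entry:/home/dave:/bin/sh
broken:line
johnt:x:1002:10:John T:/home/johnt:/bin/ksh'

# Prints two skeleton entries, for dave and johnt.
printf '%s\n' "$SAMPLE_PASSWD" | passwd_to_smbpasswd 100
```

The skeleton carries no usable hashes, so each account still needs `smbpasswd <user>` run once, with `encrypt passwords = yes` set in `[global]`. Write the output under `umask 077` so the resulting file is readable by root only.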




