[Samba] Samba as a password server for Win NT/2k

Buchan Milne bgmilne at cae.co.za
Mon Feb 4 09:03:34 GMT 2002

> Message: 20
> Date: Sun, 03 Feb 2002 23:35:28 +0100
> From: Loïc B. <lbcom at ifrance.com>
> To: samba at lists.samba.org
> Subject: [Samba] Samba as a password server for Win NT/2k
> Hi,
> I am a member of a students association in my school, and we have 3
> computers under Windows (1 running Win2k and 2 running WinNT).
> The members of the association, including myself, are sick and tired of
> having to manually change their password on each machine individually,
> every time this is required (that is, at least once a month).
> I also have a linux box in the network. It is used as a gateway,
> firewall, and mail+web server.
> I'd like to have it act as a Windows server, so that I could set up the
> workstations to authenticate to the linux box, as if it was a WinNT/2k
> server. I read on the internet that this was possible. My final goal is
> that, when some user logs in on any machine and changes his password,
> the users database is updated on the server and the user can log in on
> any other machine using the new password.
> I also need the mail (i.e. linux) password and the Windows (i.e. samba)
> password to be different, but the usernames should be the same (on linux
> and windows). If I understood well, this is possible using the smbpasswd
> file. I'd like to make sure of it.

There is no reason to do this, really. It makes it more difficult to 
change the unix (mail) password, and doesn't achieve much. If you want 
to prevent windows passwords being sniffed during email, it would be 
better to just ssl your mail server.

If you don't do anything, you will get the setup you want, i.e. different 
passwords for samba and traditional unix services. If you want to use 
the same password, see pam_smb and auth_smb (squid authentication). Both 
can be found on freshmeat.

> But here comes my biggest problem : in the samba doc and howto, I came
> across two security settings that puzzle me.
> I can't see whether I should use security = server or security = domain,
> and how I should configure the whole thing. The doc says that in these
> two modes, the password is passed to another box for authentication (a
> WinNT/2k box). This annoys me because I have no WinNT/2k server, and I'd
> like the samba server to do the job on his own. As English is far from
> being my mother language, I must have misunderstood something. The
> question is : what ?

You need at least:

security = user
(that means samba uses its smbpasswd file to authenticate users)
domain logons = yes
(causes samba to be a logon server)
encrypt passwords = yes
(windows won't do domain logons with clear-text passwords).

I think that should be it. You will need to enable a netlogon share, you 
will probably want to make a profiles share, you might want to set login 

For each user you want to be able to login to the domain, you need to 
create a unix user account, and then run (as root):

# smbpasswd -a <user>

> Has anyone already configured such a network ? Could you please give me
> a few hints in easy-to-understand English about how to set up the whole
> thing the way I want to ?

We run about 50 Windows NT/ Windows 2000 clients in a samba-2.2.2 domain 
(shortly to be samba-2.2.3).

You might want to take a quick look at 
http://mandrakeuser.org/connect/csamba6.html (some hints on joining 
machines to the domain), where there is a bit more documentation on 
running a domain controller. The samba-howto-collection  (in the docs 
dir of the samba distribution) is also a good reference, if you haven't 
tried it yet.


|----------------Registered Linux User #182071-----------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work       +27 82 472 2231 * +27 21 808 2497 ext 202
Stellenbosch Automotive Engineering         http://www.cae.co.za
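
An added example (not part of the original message and not Samba's own tooling): a shell check that reads the [global] section of an smb.conf and confirms the three settings listed in the reply above. The function names and the sample files are constructed for illustration.

```shell
# get_global FILE PARAM: print the last value PARAM takes in [global].
# smb.conf names ignore case and whitespace, so "DomainLogons" also matches.
get_global() {
    awk -v want="$2" '
        function norm(s) { gsub(/[ \t]+/, "", s); return tolower(s) }
        BEGIN { want = norm(want) }
        /^[ \t]*[#;]/ { next }                      # comment line
        /^[ \t]*\[/ {                                # section header
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            sect = norm(s); next
        }
        sect == "global" && index($0, "=") {
            name = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t\r]+$/, "", val)
            if (norm(name) == want) found = val
        }
        END { print tolower(found) }
    ' "$1"
}
is_true() { case "$1" in yes|true|1) return 0 ;; *) return 1 ;; esac; }

# audit_logon_server FILE: non-zero unless all three settings are present.
audit_logon_server() {
    conf=$1; rc=0
    sec=$(get_global "$conf" "security")
    [ "$sec" = "user" ] || { echo "FAIL security = ${sec:-<unset>} (want user)"; rc=1; }
    for p in "domain logons" "encrypt passwords"; do
        v=$(get_global "$conf" "$p")
        is_true "$v" || { echo "FAIL $p = ${v:-<unset>} (want yes)"; rc=1; }
    done
    return $rc
}

# Constructed sample files (not from the original post).
tmp=$(mktemp -d)
printf '%s\n' '[global]' ' Security = user' ' domainlogons = Yes' \
    ' encrypt passwords = yes' > "$tmp/good.conf"
printf '%s\n' '[global]' ' security = server' ' ; domain logons = yes' \
    '[homes]' ' encrypt passwords = yes' > "$tmp/bad.conf"
audit_logon_server "$tmp/good.conf" && echo "good.conf: ok"
audit_logon_server "$tmp/bad.conf" || echo "bad.conf: needs fixing"
```

The check only looks at [global], so a setting that is commented out or placed under a share section is reported as unset.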
