[Samba] Can Samba3 server be a BDC to NT4 PDC yet?

Olga Posnyak oxp at austclear.com.au
Wed May 7 06:30:32 GMT 2003

Hi all,

In short my question is:

Is it possible/viable to make Samba 3 server running on Solaris 8 a BDC 
to a Win2000 or NT4 PDC with the only purpose to automatically update 
/etc/passwd and /etc/shadow information when the user password is 
changed? Updating group memberships would also be nice but not necessary.

The long question is:

Below I am describing a set of problems we are facing. I will be 
grateful to anyone who finds the time to read this long question and 
even more grateful if anybody shares their opinion. If I get enough 
response I will summarize and send it back to the list.

Thanks to all,
Olga Posnyak
Australian Clearing Services

The current setup:

We have a number of Unix (Solaris8) machines. Some of the machines are 
running instances of a financial application accessed via telnet, and 
some are (and have been historically) running Samba for Windows file 

An application is a Progress database with a wide range of reports 
(mainly csv files or plain text files) started from the 
application (Solaris). The resulting files are written into directories 
“shared” by Samba. The files are then accessed by users from their 
Windows workstations. Some files are transferred to outside companies 
using third party PC based software. Then there are files that are created 
using Windows applications and then loaded into Unix application as well.

There is also a big chunk of files that are MS Excel/Word files accessed 
only from Windows. These files also live on “Samba shared” disk. Access 
to files has been traditionally controlled using Unix (Solaris) means. 
I.e. group memberships and lately ACLs. Access to a large number of 
files is strictly limited, as they are files containing banking 
information. Access from Windows is also controlled using Samba “hosts 
allow” settings in smb.conf.

There are NT domain controllers for NT authentication. Unix/NT logons are 
kept in sync manually. NT groups are almost not used (only a few groups 
for setting up restrictions for user profiles). Samba is using NT domain 
controllers for authentication. Passwords on Unix and NT are the same. 
This is also kept in sync manually. A subset of users are external users 
(clients). They only access systems via telnet, access to files is also 
strictly limited. This subset of users do not use Windows-based access 
to files.

One place to manage user accounts be it NT or Unix. One place to manage 
user groups. And very importantly password synchronization between NT 
and Unix.

One way to go which will require the least changes is making Samba a PDC 
and print server (NT domain controllers are currently used as print 
servers for Windows printing). However, no Active Directory and can’t do 
MS Exchange makes this option not attractive at all to the management.

Second way is to use winbindd on all Unix boxes and use Windows2000 
authentication for all Solaris servers access.  From what I’ve read so 
far I understand that would be a viable option. However if we move all 
authentication and file access control to Windows2000 it will require 
authenticating external users via Windows2000 as well. Some (in fact most) 
groups that are used consist of both internal and external users. 
It will also require changing file user and group ownerships on a very 
large number of files (cannot be done during working hours either). And 
as I understand we cannot really tell winbindd to use a certain group id 
or user id, it will just pick one from the range of the ones given to 
her randomly?

Third way I am thinking about is to make Samba a BDC to a Win2000 PDC 
running in an NT4-compatible mode with the only purpose to automatically 
update /etc/passwd and /etc/shadow information at least when the user 
password is changed. Updating group memberships would also be nice. 
However, I do not know if it is possible.

Thanks to anyone who read that far. Also big thanks to anyone who can 
point me in the right direction.

Olga Posnyak
Australian Clearing Services
oxp at austclear.com.au
