[Samba] Can Samba3 server be a BDC to NT4 PDC yet?
Olga Posnyak
oxp at austclear.com.au
Wed May 7 06:30:32 GMT 2003
Hi all,
In short my question is:
Is it possible/viable to make a Samba 3 server running on Solaris 8 a BDC
to a Win2000 or NT4 PDC with the only purpose to automatically update
/etc/passwd and /etc/shadow information when the user password is
changed? Updating group memberships would also be nice but not necessary.
The long question is:
Below I am describing a set of problems we are facing. I will be
grateful to anyone who finds the time to read this long question and
even more grateful if anybody shares their opinion. If I get enough
response I will summarize and send it back to the list.
Thanks to all,
Olga Posnyak
Australian Clearing Services
The current setup:
We have a number of Unix (Solaris8) machines. Some of the machines are
running instances of a financial application accessed via telnet, and
some are (and have been historically) running Samba for Windows file
sharing.
An application is a Progress database with a wide range of reports
(mainly csv files or plain text files) started from the
application (Solaris). The resulting files are written into directories
“shared” by Samba. The files are then accessed by users from their
Windows workstations. Some files are transferred to outside companies
using third party PC based software. Then there are files that are created
using Windows applications and then loaded into the Unix application as well.
There is also a big chunk of files that are MS Excel/Word files accessed
only from Windows. These files also live on “Samba shared” disk. Access
to files has been traditionally controlled using Unix (Solaris) means.
I.e. group memberships and lately ACLs. Access to a large number of
files is strictly limited, as they are files containing banking
information. Access from Windows is also controlled using Samba “hosts
allow” settings in smb.conf.
There are NT domain controllers for NT authentication. Unix/NT logons are
kept in sync manually. NT groups are almost not used (only a few groups
for setting up restrictions for user profiles). Samba is using NT domain
controllers for authentication. Passwords on Unix and NT are the same.
This is also kept in sync manually. A subset of users are external users
(clients). They only access systems via telnet, access to files is also
strictly limited. This subset of users do not use Windows based access
to files.
Requirements:
One place to manage user accounts be it NT or Unix. One place to manage
user groups. And very importantly password synchronization between NT
and Unix.
One way to go which will require the least changes is making Samba a PDC
and print server (NT domain controllers are currently used as print
servers for Windows printing). However, no Active Directory and can’t do
MS Exchange makes this option not attractive at all to the management.
Second way is to use winbindd on all Unix boxes and use Windows2000
authentication for all Solaris servers access. From what I’ve read so
far I understand that would be a viable option. However if we move all
authentication and file access control to Windows2000 it will require to
authenticate external users via Windows2000 as well. Some (in fact most)
groups that are used consist of both internal and external users.
It will also require changing file user and group ownerships on a very
large number of files (cannot be done during working hours either). And
as I understand we cannot really tell winbindd to use a certain group id
or user id, it will just pick one from the range of the ones given to
her randomly?
Third way I am thinking about is to make Samba a BDC to a Win2000 PDC
running in an NT4 compatible mode with the only purpose to automatically
update /etc/passwd and /etc/shadow information at least when the user
password is changed. Updating group memberships would also be nice.
However I do not know if it is possible?
Thanks to anyone who read that far. Also big thanks to anyone who can
point me in the right direction.
Olga Posnyak
Australian Clearing Services
oxp at austclear.com.au