[Samba] Replacing a W2K Server?

Michael Urban urban at panix.com
Thu Apr 21 21:59:13 GMT 2005

We have a Windows 2000 server with Terminal Services.  It is an Active
Directory master server for a microscopic network comprising itself and
one Windows 2000 Workstation client.  It is part of a network
consisting of Unix machines: several Solaris 8 systems, a handful of
Linux boxes, and a Mac OS X workstation.  User authentication and other
login information on this network is provided by NIS running on Solaris
- but see below.  Some of the Unix boxes are running Samba 3 to share
files to Windows workstations.

The services the W2K server provides are: file sharing to Windows
workstations (these live in a different Active Directory domain);
Windows applications for Unix users via Terminal Services and rdesktop;
and authentication for the Samba servers.  User NIS password changes
are reflected from the Unix systems to W2K using Microsoft's services
for Unix (in particular, MS provides a PAM module that sends password
changes to the W2K server), so using W2K for authentication allows
users to use their NIS passwords when connecting to Samba, rather than
some Samba-only password.

Our goal in life is to get rid of the W2K system.  We don't want to be
in the business of W2K server sysadmin, and the box running it is old
and takes up a lot of space and energy.  This would mean moving its
files to a new Samba server.

Is there a straightforward way to get the new server, as well as the
existing ones, to authenticate in such a way that its passwords
can be identical with the NIS/Unix passwords?  Does this require
some kind of Kerberos/LDAP infrastructure we do not now use?  How
would this be set up.  I have read several documents, but it seems to
me that:

1. Samba can authenticate with PAM, but this uses cleartext passwords.
2. Samba can authenticate from its own LDAP or file password database,
 but there is no obvious way to keep this synchronized with Unix passwords.
3. We could set up a Kerberos system, but I do not see any way of 
 making Samba refer to Kerberos for password authentication.

Any suggestions, please?

More information about the samba mailing list