[Samba] Replacing a W2K Server?

Gémes Géza geza at kzsdabas.sulinet.hu
Thu Apr 21 23:11:52 GMT 2005


Michael Urban wrote:

>We have a Windows 2000 server with Terminal Services.  It is an Active
>Directory master server for a microscopic network comprising itself and
>one Windows 2000 Workstation client.  It is part of a network
>consisting of Unix machines: several Solaris 8 systems, a handful of
>Linux boxes, and a Mac OS X workstation.  User authentication and other
>login information on this network is provided by NIS running on Solaris
>- but see below.  Some of the Unix boxes are running Samba 3 to share
>files to Windows workstations.
>
>The services the W2K server provides are: file sharing to Windows
>workstations (these live in a different Active Directory domain);
>Windows applications for Unix users via Terminal Services and rdesktop;
>and authentication for the Samba servers.  User NIS password changes
>are reflected from the Unix systems to W2K using Microsoft's services
>for Unix (in particular, MS provides a PAM module that sends password
>changes to the W2K server), so using W2K for authentication allows
>users to use their NIS passwords when connecting to Samba, rather than
>some Samba-only password.
>
>Our goal in life is to get rid of the W2K system.  We don't want to be
>in the business of W2K server sysadmin, and the box running it is old
>and takes up a lot of space and energy.  This would mean moving its
>files to a new Samba server.
>
>Is there a straightforward way to get the new server, as well as the
>existing ones, to authenticate in such a way that its passwords
>can be identical with the NIS/Unix passwords?  Does this require
>some kind of Kerberos/LDAP infrastructure we do not now use?  How
>would this be set up?  I have read several documents, but it seems to
>me that:
>
>1. Samba can authenticate with PAM, but this uses cleartext passwords.
>2. Samba can authenticate from its own LDAP or file password database,
> but there is no obvious way to keep this synchronized with Unix passwords.
>3. We could set up a Kerberos system, but I do not see any way of 
> making Samba refer to Kerberos for password authentication.
>
>Any suggestions, please?
>
I recommend
https://sec.miljovern.no/bin/view/Info/HeimdalKerberosSambaAndOpenLdap
as a good starting point for understanding the Samba+OpenLDAP+Heimdal 
interaction.
It is true that Samba can't be a Kerberos enabled AD yet, but your *nix 
machines should be happy with Heimdal+OpenLDAP instead of the quite 
outdated and insecure NIS (just my 2c).

Regards

Geza


