Re: [CentOS] User accounts management for small office

2011-04-27 Thread Jeff Boyce
- Original Message - 
From: Jeff Boyce jbo...@meridianenv.com
To: centos@centos.org
Sent: Thursday, April 21, 2011 11:39 AM
Subject: User accounts management for small office


 Greetings -

 This may be a little off-topic here so if someone wants to point me to a 
 more appropriate mailing list I would appreciate it.

 I administer the network for my small company and am preparing to install 
 a new server in the next month or so.  It will be running CentOS 6 and 
 function primarily as a Samba file server to 10 Windows workstations (XP, 
 Vista, 7).  It will also host our OpenVPN server and possibly our FTP 
 server; however I am hoping to move our FTP server to a gateway box when 
 the new server is installed.

 The issue that I would like to be able to resolve when the new server is 
 installed, is that currently if a user wants to change the password on 
 their Windows workstation, I have to manually update that new password on 
 the Linux user account, and also manually change the Samba user account. 
 Manually updating the password in three different locations is a minor 
 headache that I would like to correct.  I have been researching and 
 reading lots of information about account management to try and understand 
 what is available, and what would be the best fit for my network size. 
 Much of what I have read is related to larger networks or larger user 
 bases, which seem to have a lot of extraneous stuff that would be 
 unnecessary in my small user environment.  I looked into OpenLDAP, and 
 have recently been reading about Samba/Winbind.  But after encountering 
 the following statement in the Samba documentation, I am still lost about 
 what I could, or should, be using.
 A standalone Samba server is an implementation that is not a member of a 
 Windows NT4 domain, a Windows 200X Active Directory domain, or a Samba 
 domain.  By definition, this means that users and groups will be created 
 and controlled locally, and the identity of a network user must match a 
 local UNIX/Linux user login. The IDMAP facility is therefore of little to 
 no interest, winbind will not be necessary, and the IDMAP facility will 
 not be relevant or of interest.

 My only goal is to be able to allow my users to change their Windows 
 password at their workstation and have it perpetuate through the system so 
 that it also changes their Linux User and Samba User account passwords.  I 
 don't expect to ever have more than a dozen users, so I want something 
 that fits our size network and is simple to administer.  I am not looking 
 for a how-to to set something up, but some opinions about what I should 
 consider using, and why it would be a good fit to achieve my goal.  I can 
 do the additional research to understand configuration once I know what I 
 should be researching.  Thanks.  Please cc me directly, as I only get the 
 list in daily digest mode.

 Jeff Boyce
 Meridian Environmental



Thanks to everyone that replied, you have helped me understand what 
direction I should be going (or staying away from).  Here are the highlights 
and my comments to some of the suggestions that were provided, since I can't 
respond to every thread from the digest.  The opinions both for and against 
OpenLDAP have made me take a little closer look at it, but my conclusion is 
that it is more cumbersome than what I really want to handle right now for 
the size of the network.  I have looked closer at Samba/Wins/Winbind, etc. 
and it looks like the main source of my current problem is that my Samba 
network is set up now as a Workgroup and not as a Domain.  I didn't 
understand that difference when I ran across the quote I included above.  It 
looks like if I change to a Domain and configure it properly with 
Wins/Winbind that I should be able to have the single point password 
changing option occur from the Windows desktop.  I am now re-reading 
sections of my copy of the Definitive Guide to Samba 3 which should help me 
(although it was published before Vista and 7, which all my workstations are 
now).

Also thanks to some for the suggestions of using ClearOS or Webmin.  I do 
have Webmin installed and use it for some of my administrative functions. 
So if I do try playing around with OpenLDAP I will certainly see if it will 
reduce my learning curve on getting it set up properly.  With the new gateway 
box that I mentioned above, I have been planning on installing ClearOS on 
it, so I will take a look at how it might be used to learn about using LDAP. 
Although I was thinking to have this box function more strictly as a gateway 
than providing services to the internal LAN.

Jeff

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
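Jeff's conclusion above is that the workgroup-to-domain change is what makes a password change initiated on a Windows desktop reach the Linux and Samba accounts. As an added illustration (this is not Jeff's configuration and was not posted in the thread), the smb.conf below shows the Samba 3 settings that implement that on a CentOS 6 file server: the box becomes the domain controller and WINS server, and `unix password sync` makes smbd drive `/usr/bin/passwd` for the Unix account whenever the Samba password is changed. The domain name EXAMPLE, the NetBIOS name FILESERVER, the `machines` Unix group and the share paths are assumptions.

```ini
; /etc/samba/smb.conf  (added example; names below are assumed, not from the thread)
[global]
   workgroup = EXAMPLE
   netbios name = FILESERVER
   server string = Samba domain controller
   security = user
   passdb backend = tdbsam

   ; Act as the NT4-style PDC and the WINS server for the workstations.
   domain logons = yes
   domain master = yes
   local master = yes
   preferred master = yes
   os level = 65
   wins support = yes

   ; Windows workstations joining the domain need a Unix machine account;
   ; the 'machines' group is assumed to exist (groupadd machines).
   add machine script = /usr/sbin/useradd -d /dev/null -g machines -s /sbin/nologin -M %u

   ; A password change coming from a Windows desktop updates the tdbsam
   ; entry and then, as root, runs passwd(1) for the same Unix account.
   ; The chat script matches the prompts printed by passwd on CentOS 6.
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
   passwd chat debug = no

   ; Per-client logs so a failed sync is visible to the administrator.
   log level = 1
   log file = /var/log/samba/log.%m
   max log size = 50

[netlogon]
   comment = Domain logon service
   path = /var/lib/samba/netlogon
   read only = yes
   browseable = no

[homes]
   comment = Home Directories
   browseable = no
   writable = yes
```

Two caveats worth knowing before relying on this. The sync is one-way: a change made with `passwd` on the Linux side, or by the admin editing the Unix account, does not touch the Samba hash, so users (and the admin) must change passwords through Windows or `smbpasswd`; `pam password change = yes` is the alternative if the PAM stack should be used instead of the chat script. And because `unix password sync` has smbd run the passwd program as root, the chat pattern must match the real prompts exactly, otherwise the Samba password changes while the Unix one silently does not (set `passwd chat debug = yes` temporarily with a higher log level to see the exchange). Since Jeff notes his Samba 3 book predates Vista and 7, it is also worth knowing that those clients need the LanmanWorkstation `DomainCompatibilityMode` and `DNSNameResolutionRequired` registry values adjusted (documented on the Samba wiki) before they will join a Samba 3 NT4-style domain.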


Re: [CentOS] User accounts management for small office

2011-04-27 Thread Denniston, Todd A CIV NAVSURFWARCENDIV Crane

Salt below appropriately to the fact that I have only looked at using
these, I have not yet done the implementation I want to do.

 -Original Message-
 From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
 Behalf Of Jeff Boyce
 Sent: Wednesday, April 27, 2011 14:54
 To: centos@centos.org
 Subject: Re: [CentOS] User accounts management for small office
 

 The opinions both for and
 against
 OpenLDAP have made me take a little closer look at it, but my
 conclusion is
 that it is more cumbersome than what I really want to handle right now
 for
 the size of the network.  I have looked closer at Samba/Wins/Winbind,
 etc.

In the LDAP arena 389 [2] looks to me like it should ease a) the
mysteries of configuring LDAP, and b) integration with AD. 389 is in EPEL.


 and it looks like the main source of my current problem is that my
 Samba
 network is setup now as a Workgroup and not as a Domain.  I didn't
 understand that difference when I ran across the quote I included
 above.  It
 looks like if I change to a Domain and configure it properly with
 Wins/Winbind that I should be able to have the single point password
 changing option occur from the Windows desktop.  I am now re-reading
 sections of my copy of the Definitive Guide to Samba 3 which should
 help me
 (although it was published before Vista and 7, which all my
 workstations are
 now).
 

You may also want to look at the samba Franky[1] which could get you
enough of samba4 to (from what I understood and want it for) become the
full PDC for the windows system, but it is as the name suggests a
monster.

[1] https://wiki.samba.org/index.php/Franky
https://wiki.samba.org/index.php/Main_Page#Franky
https://wiki.samba.org/index.php/Combined_build_issues

[2] http://directory.fedoraproject.org/


In any case, when you get something working, I would like to see the
success story here.


[CentOS] User accounts management for small office

2011-04-21 Thread Jeff Boyce
Greetings -

This may be a little off-topic here so if someone wants to point me to a 
more appropriate mailing list I would appreciate it.

I administer the network for my small company and am preparing to install a 
new server in the next month or so.  It will be running CentOS 6 and 
function primarily as a Samba file server to 10 Windows workstations (XP, 
Vista, 7).  It will also host our OpenVPN server and possibly our FTP 
server; however I am hoping to move our FTP server to a gateway box when the 
new server is installed.

The issue that I would like to be able to resolve when the new server is 
installed, is that currently if a user wants to change the password on their 
Windows workstation, I have to manually update that new password on the 
Linux user account, and also manually change the Samba user account. 
Manually updating the password in three different locations is a minor 
headache that I would like to correct.  I have been researching and reading 
lots of information about account management to try and understand what is 
available, and what would be the best fit for my network size.  Much of what 
I have read is related to larger networks or larger user bases, which seem 
to have a lot of extraneous stuff that would be unnecessary in my small user 
environment.  I looked into OpenLDAP, and have recently been reading about 
Samba/Winbind.  But after encountering the following statement in the Samba 
documentation, I am still lost about what I could, or should, be using.
A standalone Samba server is an implementation that is not a member of a 
Windows NT4 domain, a Windows 200X Active Directory domain, or a Samba 
domain.  By definition, this means that users and groups will be created and 
controlled locally, and the identity of a network user must match a local 
UNIX/Linux user login. The IDMAP facility is therefore of little to no 
interest, winbind will not be necessary, and the IDMAP facility will not be 
relevant or of interest.

My only goal is to be able to allow my users to change their Windows 
password at their workstation and have it perpetuate through the system so 
that it also changes their Linux User and Samba User account passwords.  I 
don't expect to ever have more than a dozen users, so I want something that 
fits our size network and is simple to administer.  I am not looking for a 
how-to to set something up, but some opinions about what I should consider 
using, and why it would be a good fit to achieve my goal.  I can do the 
additional research to understand configuration once I know what I should be 
researching.  Thanks.  Please cc me directly, as I only get the list in 
daily digest mode.

Jeff Boyce

Meridian Environmental





Re: [CentOS] User accounts management for small office

2011-04-21 Thread m . roth
Jeff Boyce wrote:
 Greetings -

 This may be a little off-topic here so if someone wants to point me to a
 more appropriate mailing list I would appreciate it.
snip
 The issue that I would like to be able to resolve when the new server is
 installed, is that currently if a user wants to change the password on
 their Windows workstation, I have to manually update that new password
on the
 Linux user account, and also manually change the Samba user account.
 Manually updating the password in three different locations is a minor
 headache that I would like to correct.  I have been researching and
snip
You *could* do it with openldap, with the WinDoze boxen authenticating
through that. Now, I'll warn you that though it may have improved, a few
years ago, openldap was a nightmare to configure, the documentation
dreadful where it wasn't almost useless, and googling involved a *lot* of
searching.

However, I did put it in in '06 for what wound up to be about 14 or 15
folks, and it worked, and they could change passwords themselves.

  mark



Re: [CentOS] User accounts management for small office

2011-04-21 Thread aurfalien
On Apr 21, 2011, at 11:51 AM, m.r...@5-cent.us wrote:

 Jeff Boyce wrote:
 Greetings -

 This may be a little off-topic here so if someone wants to point me  
 to a
 more appropriate mailing list I would appreciate it.
 snip
 The issue that I would like to be able to resolve when the new  
 server is
 installed, is that currently if a user wants to change the password  
 on
 their Windows workstation, I have to manually update that new  
 password
 on the
 Linux user account, and also manually change the Samba user account.
 Manually updating the password in three different locations is a  
 minor
 headache that I would like to correct.  I have been researching and
 snip
 You *could* do it with openldap, with the WinDoze boxen authenticating
 through that. Now, I'll warn you that though it may have improved, a  
 few
 years ago, openldap was a nightmare to configure, the documentation
 dreadful where it wasn't almost useless, and googling involved a  
 *lot* of
 searching.

Yes, agreed OpenLDAP is my suggestion as well.

As for Windows clients, you can either do;

Samba/LDAP tie-in so that your LDAP domain also functions as a PDC.

Or you can use pGina which is a Windows LDAP plugin that allows your  
Windows clients to auth direct to LDAP w/o the need to join a PDC first.

I prefer pGina, but it's not for everyone.

- aurf




Re: [CentOS] User accounts management for small office

2011-04-21 Thread Scott Robbins
On Thu, Apr 21, 2011 at 02:51:35PM -0400, m.r...@5-cent.us wrote:
 Jeff Boyce wrote:
  Greetings -
 


  installed, is that currently if a user wants to change the password on
  their Windows workstation, I have to manually update that new password
 on the
  Linux user account, and also manually change the Samba user account.
  Manually updating the password in three different locations is a minor
  headache that I would like to correct.  I have been researching and
 snip


 You *could* do it with openldap, with the WinDoze boxen authenticating
 through that. Now, I'll warn you that though it may have improved, a few
 years ago, openldap was a nightmare to configure, the documentation
 dreadful where it wasn't almost useless, and googling involved a *lot* of
 searching.

I have a page on openldap--though I don't cover it with samba--that is a
cut above most of the documentation, in my not at all humble opinion--I
fully agree with Mark that the vast majority of ldap documentation is
horrendous.  Some folks have found my page useful, so I'll offer it for
consideration.

http://home.roadrunner.com/~computertaijutsu/ldap.html



-- 
Scott Robbins
PGP keyID EB3467D6
( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
gpg --keyserver pgp.mit.edu --recv-keys EB3467D6

Cordelia: I do what I want to do. And I wear what I want to wear.
And you know what, I'll date whoever the hell I want to date... 
no matter how lame he is. 



Re: [CentOS] User accounts management for small office

2011-04-21 Thread Les Mikesell
On 4/21/2011 1:39 PM, Jeff Boyce wrote:
 Greetings -

 This may be a little off-topic here so if someone wants to point me to a
 more appropriate mailing list I would appreciate it.

 I administer the network for my small company and am preparing to install a
 new server in the next month or so.  It will be running CentOS 6 and
 function primarily as a Samba file server to 10 Windows workstations (XP,
 Vista, 7).  It will also host our OpenVPN server and possibly our FTP
 server; however I am hoping to move our FTP server to a gateway box when the
 new server is installed.

Have you looked at the ClearOS distribution?  It comes up with a simple 
web interface to manage all of this with authentication done with a 
pre-configured LDAP setup.  I think LDAP replication is slated for the 
next version - which is waiting for CentOS 6 for its components but 
you'd only need that if you have several different servers and want 
changes to propagate across them.

-- 
   Les Mikesell
lesmikes...@gmail.com




Re: [CentOS] User accounts management for small office

2011-04-21 Thread aurfalien
On Apr 21, 2011, at 12:09 PM, Scott Robbins wrote:

 I have a page on openldap--though I don't cover it with samba--that  
 is a
 cut above most of the documentation, in my not at all humble  
 opinion--I
 fully agree with Mark that the vast majority of ldap documentation is
 horrendous.  Some folks have found my page useful, so I'll offer it  
 for
 consideration.

 http://home.roadrunner.com/~computertaijutsu/ldap.html

Nice link, thanks for that.

Wished I would have known about it all those moons ago.  I would also  
advise subscribing to the openldap mailing lists but keep in mind it's  
HEAVILY moderated so be mindful of your posts regarding topic.  They  
will deny the post if they feel it's for another ldap list.  A very  
very anal list indeed.


Also for the Samba bit, you can look here as it helped me;

http://pbraun.nethence.com/doc/net/samba-ldap.html

- aurf


Re: [CentOS] User accounts management for small office

2011-04-21 Thread m . roth
Scott Robbins wrote:
snip
 I have a page on openldap--though I don't cover it with samba--that is a
 cut above most of the documentation, in my not at all humble opinion--I
 fully agree with Mark that the vast majority of ldap documentation is
 horrendous.  Some folks have found my page useful, so I'll offer it for
 consideration.

 http://home.roadrunner.com/~computertaijutsu/ldap.html

And after a *very* brief glance, I've bookmarked it for future reference,
since it has things like *examples* of what needs doing, and how to get
there.

Thanks, Scott.

 Cordelia: I do what I want to do. And I wear what I want to wear.
 And you know what, I'll date whoever the hell I want to date...
 no matter how lame he is.

Vorkosigan?

   mark



Re: [CentOS] User accounts management for small office

2011-04-21 Thread m . roth
Les Mikesell wrote:
 On 4/21/2011 1:39 PM, Jeff Boyce wrote:
 Greetings -

 This may be a little off-topic here so if someone wants to point me to a
 more appropriate mailing list I would appreciate it.

 I administer the network for my small company and am preparing to
 install a new server in the next month or so.  It will be running
CentOS 6 and
 function primarily as a Samba file server to 10 Windows workstations
 (XP, Vista, 7).  It will also host our OpenVPN server and possibly our FTP
 server; however I am hoping to move our FTP server to a gateway box when
 the new server is installed.

 Have you looked at the ClearOS distribution?  It comes up with a simple
 web interface to manage all of this with authentication done with a
 pre-configured LDAP setup.  I think LDAP replication is slated for the
 next version - which is waiting for CentOS 6 for its components but
 you'd only need that if you have several different servers and want
 changes to propagate across them.

Actually, I found webmin helpful in setting up and testing openldap.

mark



Re: [CentOS] User accounts management for small office

2011-04-21 Thread Les Mikesell
On 4/21/2011 2:24 PM, m.r...@5-cent.us wrote:
 Les Mikesell wrote:
 On 4/21/2011 1:39 PM, Jeff Boyce wrote:
 Greetings -

 This may be a little off-topic here so if someone wants to point me to a
 more appropriate mailing list I would appreciate it.

 I administer the network for my small company and am preparing to
 install a new server in the next month or so.  It will be running
 CentOS 6 and
 function primarily as a Samba file server to 10 Windows workstations
 (XP, Vista, 7).  It will also host our OpenVPN server and possibly our FTP
 server; however I am hoping to move our FTP server to a gateway box when
 the new server is installed.

 Have you looked at the ClearOS distribution?  It comes up with a simple
 web interface to manage all of this with authentication done with a
 pre-configured LDAP setup.  I think LDAP replication is slated for the
 next version - which is waiting for CentOS 6 for its components but
 you'd only need that if you have several different servers and want
 changes to propagate across them.

 Actually, I found webmin helpful in setting up and testing openldap.

Webmin is a very different concept.  It is mostly a web-form editor 
for the underlying program's config file that may know enough to keep 
you from making/saving the kinds of syntax errors that you can make with 
a normal text editor, but you still have to know what program to start 
for each service, know the relationships between programs, and make 
separate changes to each program, knowing what all of the options do.

ClearOS and the similar/earlier SME server are much more task/service 
oriented with preconfigured settings to make the common services you 
want come up and forms that relate to what you want to do rather than 
having to deal with options in several different underlying 
programs.  So even though it is running the same samba and openldap as a 
Centos install, you don't need to change anything to make them work 
together.  And some things that are conceptually even harder, like 
optionally enabling openvpn per user and generating client certificates 
are checkbox/push button items.

-- 
   Les Mikesell
lesmikes...@gmail.com


Re: [CentOS] User accounts management for small office

2011-04-21 Thread Devin Reade
I'd say base it on OpenLDAP.  As far as the password change option,
one simple but effective system is the passwd.cgi script from cgipaf:

http://freshmeat.net/projects/cgipaf/

Although you already have to provide your old password to do an 
update, putting it behind http-basic authentication will allow 
you to use things like fail2ban to protect against brute forcing.

Devin



Re: [CentOS] User accounts management for small office

2011-04-21 Thread Devin Reade
--On Thursday, April 21, 2011 01:49:16 PM -0600 Devin Reade g...@gno.org
wrote:

 As far as the password change option,
 one simple but effective system is the passwd.cgi script from cgipaf:
 
 http://freshmeat.net/projects/cgipaf/

Sorry, brain fart.

Yes, cgipaf will allow you to change samba passwords at the same time,
but it's been a few years since I needed to support samba and so I don't
have a *current* assessment of it.  (I currently use a functionally
similar cgi program that updates LDAP via PAM instead, but knows nothing
about samba.)

Devin
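Devin's two posts above suggest putting cgipaf's passwd.cgi behind HTTP basic authentication so that fail2ban can ban hosts that hammer the form. As an added example, not from the thread and not part of cgipaf, this is the fail2ban jail that does the banning on a CentOS 6 host running Apache; it uses the `apache-auth` filter shipped with fail2ban, which matches the "user X: authentication failure" lines Apache writes for failed basic-auth attempts. The log path, the thresholds and the location of jail.local are assumptions for this example.

```ini
; /etc/fail2ban/jail.local  (added example; path and thresholds are assumed)
; Enables the stock apache-auth jail so repeated basic-auth failures against
; the password-change CGI get the source address blocked with iptables.
[apache-auth]
enabled  = true
filter   = apache-auth
port     = http,https
; Apache error log on CentOS 6; failed basic-auth attempts land here.
logpath  = /var/log/httpd/error_log
; Five failures within ten minutes bans the address for one hour.
maxretry = 5
findtime = 600
bantime  = 3600
```

On the Apache side the script's `<Location>` needs `AuthType Basic` with `Require valid-user`, and the realm needs its own credential source (an htpasswd file or mod_authnz_ldap) since the password the user is about to change is the one being protected. Serve it over HTTPS only; basic auth on plain HTTP exposes both the current and the new password in the clear, which defeats the point. After a restart, `fail2ban-client status apache-auth` lists the addresses currently banned, which is a quick way to confirm the filter is actually matching the error log format in use.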



Re: [CentOS] User accounts management for small office

2011-04-21 Thread Scott Robbins
On Thu, Apr 21, 2011 at 03:23:20PM -0400, m.r...@5-cent.us wrote:
 Scott Robbins wrote:
 snip

 
  http://home.roadrunner.com/~computertaijutsu/ldap.html
 
 And after a *very* brief glance, I've bookmarked it for future reference,
 since it has things like *examples* of what needs doing, and how to get
 there.

Yeah, I learned about that example stuff from using FreeBSD.  :)  Most
of their man pages have it.  Seriously, after literally months of trying
to figure it out, I wrote the page that I wished I'd had when I was
trying to get it done.

 
 Thanks, Scott.
 
  Cordelia: I do what I want to do. And I wear what I want to wear.
  And you know what, I'll date whoever the hell I want to date...
  no matter how lame he is.

From my Buffy the Vampire quote generator, made when I had even less of
a life.  :)

http://home.roadrunner.com/~computertaijutsu/buffquote.html

It was actually made into an ArchLinux package by a Buffy fan.  


-- 
Scott Robbins
PGP keyID EB3467D6
( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
gpg --keyserver pgp.mit.edu --recv-keys EB3467D6

Spike: You're not friends. You'll never be friends. You'll be in 
love 'til it kills you both. You'll fight, and you'll shag, and
you'll hate each other 'til it makes you quiver, but you'll never
be friends. Real love isn't brains, children. It's blood. It's 
blood screaming inside you to work its will. I may be love's 
bitch, but at least I'm man enough to admit it. 
