At 07:23 AM 11/24/2002 -0600, you wrote:
>On Sat, 2002-11-23 at 14:27, Dustin Puryear wrote:
> > Samba comes with Winbind, which allows you to integrate any PAM-based UNIX
> > system into a NT domain environment. You could also run a Samba PDC which
> > relies on a LDAP directory that is in turn used to authenticate both UNIX
> > and Windows users. I like Samba as a PDC, but you need to be careful when
> > setting it up. There isn't native BDC support, so you have to mimic it with
> > a homebrew solution. And no, there is no production code to integrate Samba
> > into an AD environment at this time. But as 99% of AD environments are
> > actually running in mixed-mode this is a non-issue so far. You can still
> > fall-back on NT domain functionality in Samba.
>
>I do like the idea of using Samba as a PDC.  I might have to look into
>this some more.  I am guessing that I can tie Samba into my existing
>NIS+?  What about encrypted passwords?  At one time I remember having to
>use Samba with plain text passwords.  Have they fixed that?  I haven't
>really done a lot of work with Samba in the last two years.

You have to use Samba with plaintext if you are using NT4 pre-SP3, I believe, 
or with Windows 95. Otherwise, you are fine. As far as using NIS+ with 
Samba and encrypted passwords: you are not going to be able to use 
crypt()-style passwords (or whatever method you are using) with Samba 
because that isn't what Windows uses. Each uses its own native format.

If you want to use NIS+ then you need to push your passwords down to both 
Samba and NIS+ in plaintext and have each one encrypt them on their end. 
This can be very secure. I'm not saying to let the plaintext passwords sit 
in a file somewhere. Whenever a user changes a password just push the 
change to both NIS+ and Samba. I wonder if you can't do this with PAM? 
Alternatively, you could have an LDAP directory that is the ultimate source 
of user information, and that then gets pushed down to NIS+ and Samba. Can 
NIS+ use LDAP directly? If so, then tie NIS+ and Samba (Samba can use LDAP) 
to the directory. Each user LDAP entry would then have fields like 
nis_password and smb_password. This sounds like the way to go actually.

> > There are a few options out there.
> >
> > Do you have a budget for this?
>
>Sure - within reason.

There are commercial products out there for stuff along these lines. You 
might want to dig around.


---
Dustin Puryear <[EMAIL PROTECTED]>
Puryear Information Technology
Windows, UNIX, and IT Consulting
http://www.puryear-it.com


