It's not a matter of like or not, just rather not <G>. Yep, I've looked at it. It does what you say, but....

Unlike Novell/Windows saying your password is going to expire, the Linux/Samba side doesn't say anything. When the Novell/Windows password is changed, the next time the user tries to use Samba (first time clicking on the Samba drive letter for that Windows session), they are challenged with a logon prompt, which they are not used to seeing. This doesn't give you a clue that your password needs to be changed. So that means lots of calls to the help desk. I think we enforce password changes every 90 days. And then they forget their password, which means the help desk needs to sign on via SWAT with an admin user to change their password. Only talking about 100 or so users.

Right now, I'm tempted to go with a fixed, never expire password, that they have to give every new Windows session (normally after every boot), except that would go against our security policy. Any ramifications to that, comes back to me.

The open systems person that set up all the PC security left for greener pastures. There is one or two people trying to grasp how the current stuff works. They are resistant to putting something new in the mix. Eventually, they will get over it, but right now, it is holding up this project.

Tom Duerbusch
THD Consulting

>>> "Dean, David (I/S)" <[email protected]> 4/27/2011 10:55 AM >>>

You won't like this, but,... in swat there is a password icon that we have our users access to change passwords whenever their Windows pw changes. It's easy enough for end users. I "believe" you can even configure this so the end user sees only the password icon, but not sure.

-----Original Message-----
From: Linux on 390 Port [mailto:[email protected]] On Behalf Of Tom Duerbusch
Sent: Wednesday, April 27, 2011 11:13 AM
To: [email protected]
Subject: Samba Authorization another question

Of all my samba servers, this is the first attempt at being something that end users would directly interface with, just like they do with our Novell file servers.
I've tried to force myself to use SWAT, but until I get everything working from the command line, SWAT is just going to have to wait. I'm not a Windows or PC security type, in any way, shape, or form, and that, I think, is my problem....

What I would really like to do is, if a Windows user tries to access a Samba share, and the username and the share name match, you are good to go. If the Windows user doesn't match the share, reject.

Right now, I can do this, if I maintain the SMBPASSWD file. If I put their current Windows password in there, no problem. However,

1. I won't know the end users' current password.
2. We force password changes and I won't know their new passwords either.

If the passwords don't match, a window is displayed asking for their samba password. When entered, everything is good to go. I would like to get away from the users having to enter this password.

If I disable the password checking, the end users can mount any other user's directory. That's not good either.

I have "passdb backend = tdbsam" specified. I don't really need any fancy authorization, just if the user is the same as the share, you're authorized.

The manuals on migrating Windows servers to Samba seem to be really overkill for what we need, but that just may be what needs to be done.

SLES11 SP1 with Samba 3.5

Any simple solutions to this problem?
Thanks

Tom Duerbusch
THD Consulting

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390
----------------------------------------------------------------------
For more information on Linux on System z, visit http://wiki.linuxvm.org/
-----------------------------------------------------
Please see the following link for the BlueCross BlueShield of Tennessee E-mail disclaimer: http://www.bcbst.com/email_disclaimer.shtm
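
For the rule asked for in the original message (access only when the username matches the share name), an added smb.conf fragment that is not from the thread: it assumes each user's share is their Unix home directory served through Samba's `[homes]` section. Users still authenticate against the tdbsam database, so this restricts who can open which share but does not remove the password prompt or keep the Samba password in step with the Windows one.

```ini
# Added example, not the poster's configuration.
# Assumption: one share per user, named after the user, backed by the
# user's home directory. smb.conf comments must be on their own lines.

[global]
    # Per-user authentication; this is what stops users from opening
    # each other's directories.
    security = user
    # Backend stated in the original message.
    passdb backend = tdbsam

[homes]
    # For [homes], the share name is the requested username, and %S
    # expands to the share name. The share is therefore usable only by
    # the user it is named after; any other authenticated user is refused.
    valid users = %S
    # Hide the generic "homes" entry in browse lists; each user still
    # sees the share that carries their own name.
    browseable = no
    read only = no
```

Running `testparm` against the edited file checks its syntax before smbd is reloaded.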
