Samba success story [Was: AD Integration/Replacement?]
Sorry for raising an old thread (I'm going over my mailing list boxes), but I wanted to share a very much related success story with you. I'm managing a small network (around 20 workstations and 10 servers) which uses a central authentication against a Linux server. Windows workstations authenticate against, and use roaming profiles from, a standard Samba 3 installation with an LDAP backend, and Linux workstations and servers authenticate directly through LDAP. Setting it up is not difficult. At first I had an openldap backend and then it was changed for a Novell eDirectory server, but the setup is fairly similar and not hard to do. Even better, the LDAP server is SuSE Linux Enterprise Server 10 which comes with openldap/samba configuration as a PDC out of the box, so almost no tweaking is actually needed. If anyone is interested in more details, email me in private. On Tue, 2008-02-05 at 11:01 +0200, Tom Rosenfeld wrote: 2008/2/3 Ira Abramov [EMAIL PROTECTED]: A(nother) client of mine is fighting the old fight of central directory management. Hi Ira, Let us know what you did. I have a similar situation and am looking for a proven setup -- Oded = To unsubscribe, send mail to [EMAIL PROTECTED] with the word unsubscribe in the message body, e.g., run the command echo unsubscribe | mail [EMAIL PROTECTED]
Re: AD Integration/Replacement?
2008/2/3 Ira Abramov [EMAIL PROTECTED]: A(nother) client of mine is fighting the old fight of central directory management. Hi Ira, Let us know what you did. I have a similar situation and am looking for a proven setup -- -tom 054-244-8025
AD Integration/Replacement?
A(nother) client of mine is fighting the old fight of central directory management. Situation went quickly downhill yesterday when their Active Directory server's hardware died. I've been originally asked to come help them integrate it with Linux but instead tomorrow it will be an emergency fire fight and maybe a different approach should be considered. The company has a Gnu/Linux-based product and development nodes, but most of the tech staff has decided to run on windows machines (don't ask). The question now is whether I help them disjoin their machines from the defunct 2003 server's domain and help them work with a bunch of standalone XPs and a Samba server, or could I use the Samba as a PDC and build a second one as BDC? I know Samba is capable of that, but I have never heard about a real world case where that works, and if it works well. Also, if a Samba machine is a directory server, can I get the rest of the Gnu/Linux nodes on the LAN authenticate against that somehow or do I have to synchronise that to a YP map? What's the best way of synchronising a password change to both the yp master as well as the Samba's internal DB? I always just change password for both on the commandline but in a real world environment I suppose there should be a web interface maybe to do that? Should I look at SWAT? Thanks, Ira. -- «({-- In Stereo where available --})» Ira Abramov http://ira.abramov.org/email/
Re: AD Integration/Replacement?
of standalone XPs and a Samba server, or could I use the Samba as a PDC and build a second one as BDC? I know Samba is capable of that, but I have never heard about a real world case where that works, and if it works well. I was told back in 2000 by a huji sysadmin that they have NT machines authenticate against a samba server running as a PDC. However, I don't know how much hackery that took to do, but then again, it was 7 years ago.. --yuval
Re: AD Integration/Replacement?
On Sun, Feb 03, 2008 at 09:02:05PM +0200, Ira Abramov wrote: A(nother) client of mine is fighting the old fight of central directory management. Situation went quickly downhill yesterday when their Active Directory server's hardware died. I've been originally asked to come help them integrate it with Linux but instead tomorrow it will be an emergency fire fight and maybe a different approach should be considered. ... Also, if a Samba machine is a directory server, can I get the rest of the Gnu/Linux nodes on the LAN authenticate against that somehow or do I have to synchronise that to a YP map? What's the best way of synchronising a password change to both the yp master as well as the Samba's internal DB? I always just change password for both on the commandline but in a real world environment I suppose there should be a web interface maybe to do that? Should I look at SWAT? I have no idea if this will help, but Windows Services For UNIX (SFU) includes an NFS client and a facility for mapping YP user names and groups to Windows logons and AFAIK, vice versa. SFU is a free download from Microsoft. Geoff. -- Geoffrey S. Mendelson, Jerusalem, Israel [EMAIL PROTECTED] N3OWJ/4X1GM IL Voice: (07)-7424-1667 U.S. Voice: 1-215-821-1838 Visit my 'blog at http://geoffstechno.livejournal.com/
Re: AD Integration/Replacement?
On Sun, Feb 03, 2008 at 10:36:03PM +0200, Yuval Hager wrote: I was told back in 2000 by a huji sysadmin that they have NT machines authenticate against a samba server running as a PDC. However, I don't know how much hackery that took to do, but then again, it was 7 years ago.. The HUJI computer science institute used a home grown authorization system, and a home grown MSGINA (graphical interface (for) network authorization), written by yours truly, around 1997. I was just told last week that as of about a year ago, it was still in use. I started with a sample provided by Microsoft and went from there. It was so old that it was one of the parts of Windows NT that were written in C, not C++. Geoff. -- Geoffrey S. Mendelson, Jerusalem, Israel [EMAIL PROTECTED] N3OWJ/4X1GM IL Voice: (07)-7424-1667 U.S. Voice: 1-215-821-1838 Visit my 'blog at http://geoffstechno.livejournal.com/
Re: AD Integration/Replacement?
Possibly too late for you, but maybe you'll manage to read it ;-)
On Sunday, 3 February 2008, Ira Abramov wrote:
The company has a Gnu/Linux-based product and development nodes, but most of the tech staff has decided to run on windows machines (don't ask). The question now is whether I help them disjoin their machines from the defunct 2003 server's domain and help them work with a bunch of standalone XPs and a Samba server, or could I use the Samba as a PDC and build a second one as BDC? I know Samba is capable of that, but I have never heard about a real world case where that works, and if it works well.
1. If we talk about not a huge organization, then the easiest setup is to make Samba a logon server for the XP's (NT4 technology before DC).
2. If you really like DC (PDC/BDC are NT4 technology), then you can use Samba with your XP's. I have tested it with an XP against Samba 3. Basically all you have to do is follow the step-by-step guidelines detailed both in their FAQ and in the Samba3-by-example (released and included in the free samba docs [Fedora]):
A. Simple setup of Samba (no other DC's, no crap needed). Optionally, you may want to look at 'logon script', 'logon path', 'logon drive'.
B. Create a machine account for each XP (e.g: johndesk$). Machine account names always end in a '$'.
C. Go to each XP and establish a trust relationship with your Samba. Follow the *illustrated* guide in the FAQ (don't remember which dialogs).
NOTE: When I last had to change my Samba DC (exchange hosts), these dialogs didn't work as expected. My (possibly stupid) workaround was on the XP:
* Go to the dialog and choose 'Workgroup... something' instead of 'Domain...something'
* Reboot as directed by the wonderful OS.
* Go again to the same dialog and redo the correct 'Domain...'
* Reboot again...
Also, if a Samba machine is a directory server, can I get the rest of the Gnu/Linux nodes on the LAN authenticate against that somehow or do I have to synchronise that to a YP map? What's the best way of synchronising a password change to both the yp master as well as the Samba's internal DB? I always just change password for both on the commandline but in a real world environment I suppose there should be a web interface maybe to do that? Should I look at SWAT?
3. The best way (which is clearly indicated in Samba docs) is LDAP. However, in your current flaming position I suggest using the (now default) tdbsam password backend (this is what I used). When everything is back to normal and everybody works against your Samba server, you'll have enough time to set up a new LDAP server (openldap or Fedora-DS), migrate users, think about sync policy etc.
4. Samba-4 and all the new (and unstable) work is to make Samba work in DC-to-DC setups and to work with newer Win* flavors (2003, Vista etc.). If all you need is simple auth of XP clients with your server, Samba-3 seems to be good enough.
Hope it helps,
-- Oron Peled Voice/Fax: +972-4-8228492 [EMAIL PROTECTED] http://www.actcom.co.il/~oron ICQ UIN: 16527398 Software is like Entropy: it's hard to grasp, weighs nothing and obeys the Second Law of Thermodynamics, i.e. it always increases -- Norman Augustine
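The procedure in Oron's steps 2A-2B and 3 (a Samba 3 domain logon server with the tdbsam backend, machine accounts with the trailing '$', and a Unix password sync so that a password change from the XP side lands in the Unix password file as well) as an added, self-contained example. This is not code from the thread or from the Samba project; the domain name EXAMPLE, the server name PDC1, the share paths under /var/lib/samba, and the Unix groups `machines` and `admins` are assumptions. The generated smb.conf uses only Samba 3 parameter names; `check_pdc_conf` is a static grep-based sanity check so the script runs without Samba installed, and `testparm -s` is the real check once Samba is present.

```shell
#!/bin/sh
# Added example (not from the thread): emit a Samba 3 PDC smb.conf with the
# tdbsam backend, derive machine-account names, and sanity-check the result.
# Names and paths below are assumptions for illustration.

# Print an smb.conf for a Samba 3 NT4-style domain logon server.
# $1 = NetBIOS domain (assumed EXAMPLE), $2 = server NetBIOS name (assumed PDC1).
write_smb_conf() {
    domain="$1"; server="$2"
    cat <<EOF
[global]
    workgroup = $domain
    netbios name = $server
    security = user
    encrypt passwords = yes
    passdb backend = tdbsam
    # NT4-style domain logons; this host is the PDC (a BDC would set
    # domain master = no and share the passdb via LDAP, not tdbsam).
    domain logons = yes
    domain master = yes
    preferred master = yes
    local master = yes
    os level = 65
    # Roaming profiles, home drive and logon script for the XP clients
    logon path = \\\\%L\\profiles\\%U
    logon home = \\\\%L\\%U
    logon drive = H:
    logon script = logon.bat
    # Create the Unix side of a machine account ("host\$") when a client
    # joins, so each XP does not have to be pre-created by hand.
    add machine script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u
    # Password sync: a change made from Windows (Ctrl-Alt-Del) also updates
    # the local Unix password. Covers /etc/shadow only, not a YP master.
    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *new*password* %n\n *new*password* %n\n *changed*

[netlogon]
    path = /var/lib/samba/netlogon
    read only = yes
    browseable = no

[profiles]
    path = /var/lib/samba/profiles
    read only = no
    create mask = 0600
    directory mask = 0700
    browseable = no
EOF
}

# Samba machine accounts are the host name plus a trailing '$' (step 2B).
machine_account_name() {
    case "$1" in
        *\$) printf '%s\n' "$1" ;;
        *)   printf '%s$\n' "$1" ;;
    esac
}

# Manual alternative to 'add machine script' (needs root and Samba installed;
# defined here, not run). smbpasswd -m appends the '$' to the host name itself.
add_machine_account() {
    host="$1"
    acct=$(machine_account_name "$host")
    useradd -d /dev/null -g machines -s /bin/false -M "$acct"
    smbpasswd -a -m "$host"
}

# Map an assumed Unix group 'admins' to the well-known Domain Admins RID 512
# (needs root and Samba installed; defined here, not run).
setup_domain_admins() {
    net groupmap add ntgroup="Domain Admins" unixgroup=admins rid=512 type=d
}

# Static check of a generated smb.conf: every setting a PDC needs is present.
# Returns 0 when all are found, 1 (and names the first missing one) otherwise.
check_pdc_conf() {
    conf="$1"
    for kv in 'security = user' 'passdb backend = tdbsam' 'domain logons = yes' \
              'domain master = yes' 'add machine script = ' 'unix password sync = yes'; do
        grep -q "^[[:space:]]*$kv" "$conf" || { echo "missing: $kv" >&2; return 1; }
    done
    return 0
}

# Usage: write the config to a temp file and check it (no root needed).
tmp=$(mktemp)
write_smb_conf EXAMPLE PDC1 > "$tmp"
check_pdc_conf "$tmp" && echo "PDC config written to $tmp"
```

The account used to join a machine from the XP side must exist in the passdb and be allowed to create machine accounts; the classic Samba 3 route is to give root a Samba password with `smbpasswd -a root`. When the LDAP server from step 3 is ready, the only line that changes in the generated file is `passdb backend = tdbsam`, which becomes `ldapsam:ldap://<server>` plus the `ldap suffix`/`ldap admin dn` settings, and the BDC can then point at the same directory. The `unix password sync` block answers Ira's password-change question only for the local Unix password; pushing the change to a YP master would need a `passwd program` that runs `yppasswd` on the master instead, which is not shown here.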