Ever tried Samba for Windows and Unix authentication?


theYinYeti

I'm working on my company's future local network. I try to push Linux in areas where I feel it is appropriate. Among other things, I plan to use Linux for authentication.

I want all Windows and Unix/Linux machines on the network to have the same source for authentication, so I came to the conclusion that authentication had to be done on LDAP/Samba. I have absolutely no experience with Samba, nor with LDAP (for authentication).

 

Has anyone tried this?

 

I also plan to use the Courier IMAP server for mail, because it claims to be able to authenticate against LDAP.

 

Has anyone tried this too?

 

What is there to know to achieve this? I almost forgot: Are the webmin add-ons for managing Samba and LDAP authentication

-1- in the Mandrake distribution?

-2- really usable?

 

Thanks

 

Yves.

Link to comment

I have used samba for authentication here at my office, but not in the manner you are describing. I just wanted to say that I thought in expert mode with the samba man page printed out, I found webmin to be perfect in regards to setup.

Link to comment

Guest tezca

You can use samba in this way. If all the windows workstations are win2k or above, their passwds are automatically encrypted (also maybe win98SE, but I'm not sure). I'll check on how to do this for you; I don't think it's too hard. What you have to do is set the Samba server as the domain controller.

 

I'll get back to you on this

Link to comment

and that is what I have going on here at work. My computers are separated by a MNF firewall from the rest of the office, and I use samba to authenticate myself to the rest of the windows network.

Link to comment

I'm working on my company's future local network. I try to push Linux in areas where I feel it is appropriate. Among other things, I plan to use Linux for authentication.

I want all Windows and Unix/Linux machines on the network to have the same source for authentication, so I came to the conclusion that authentication had to be done on LDAP/Samba. I have absolutely no experience with Samba, nor with LDAP (for authentication).

 

Has anyone tried this?

 

Come on, you know the answer to that one already ;-)

 

I also plan to use the Courier IMAP server for mail, because it claims to be able to authenticate against LDAP.

 

Yes, but since uw can auth via pam, you could use pam_ldap (though direct LDAP auth has some advantages). I would use courier since it uses Maildir, and would consider cyrus (which is in contrib for 9.1).

 

Has anyone tried this too?

 

No, we're stuck with uw-imap until we get up the courage to migrate from mbox to maildir ;-).

 

What is there to know to achieve this? I almost forgot: Are the webmin add-ons for managing Samba and LDAP authentication

-1- in the Mandrake distribution?

-2- really usable?

 

Thanks

 

Yves.

 

Yves, no idea on the webmin modules (do you mean the idealx stuff?) in terms of usefulness - and they aren't in Mandrake, but:

 

1)We run samba/ldap on Mandrake (9.0), works great (except samba-2.2.x hits the LDAP server a lot, 3.0 will be better).

2)LDAP-enabled RPMs (of 2.2.8a) are available for Mandrake 8.0 - 9.1, but I will be losing my build machines quite soon, so don't rely on anything older than 8.2 ... get setup at http://plf.zarb.org/~nanardon/?minor=1

3)I have contact with someone working on a howto for this, which covers most issues, maybe you want to look through it? I haven't had time to go through it in detail.

4)Mail me if interested at:

bgmilne at cae dot co dot za

 

Basic idea is:

1)Setup basic LDAP as with the mandrakesecure.net article

2)Import your samba accounts with /usr/share/samba/scripts/import_smbpasswd.pl

(you need to edit it first)

3)urpmi.addmedia a Sambaldap source at plf.zarb.org

5)

# urpmi samba-server-ldap

6)Make the necessary ldap changes in smb.conf. No easy way to do this AFAIK, maybe with SWAT, but I avoid SWAT ... there are examples for LDAP in the default smb.conf file, take a look at those ....

7)Tell samba the ldapdn password for the ldap account it uses:

# smbpasswd -w <password>

8)Edit /etc/samba/smbldap_conf.pm so that you can use the smbldap-* tools, which replace things like useradd, usermod, groupadd, groupmod, passwd etc and also can be used for creating machine accounts

 

We aren't totally happy with password changing etc, and have some stuff to figure out still, so we still have pam_smb in use for the moment to ensure users can always get in with one of their passwords under linux ;-)

Link to comment
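
Step 6 in the post above leaves the smb.conf LDAP settings to the reader. As an added example that is not part of the original posts, this script audits the [global] section for the settings that decide whether the bind password stored with smbpasswd -w and the password hashes are protected in transit. It assumes the Samba 2.2.x ldapsam parameter names (ldap ssl, ldap admin dn, encrypt passwords); the sample config, host name and DNs are constructed.

```shell
#!/bin/sh
# Added example: audit the ldapsam-related [global] settings of an smb.conf.
# Assumes Samba 2.2.x parameter names; not taken from the thread.

# Print the (lowercased) value of parameter $2 in the [global] section of $1.
# smb.conf parameter names are case-insensitive and ignore embedded spaces.
smbconf_get() {
    awk -v want="$2" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        /^[ \t]*[#;]/ { next }                   # comment line
        /^[ \t]*\[/   { sec = norm($0); next }   # section header
        sec == "[global]" && (eq = index($0, "=")) {
            if (norm(substr($0, 1, eq - 1)) != norm(want)) next
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            found = val                          # last assignment wins
        }
        END { print tolower(found) }
    ' "$1"
}

# Print one line per finding; print nothing when the checked settings are sane.
audit_ldap_smbconf() {
    case "$(smbconf_get "$1" "ldap ssl")" in
        off|no) echo "ldap-ssl-off: LDAP bind and password hashes travel unencrypted" ;;
    esac
    case "$(smbconf_get "$1" "encrypt passwords")" in
        yes|true|1) ;;
        *) echo "encrypt-passwords-not-yes: clients would be asked for plaintext passwords" ;;
    esac
    [ -n "$(smbconf_get "$1" "ldap admin dn")" ] ||
        echo "no-ldap-admin-dn: the password stored by smbpasswd -w has no DN to bind as"
}

# Constructed sample input (hypothetical host and DNs), not a config from the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[global]
   workgroup = EXAMPLE
   encrypt passwords = yes
   ldap server = ldap.example.test
   ldap suffix = "ou=people,dc=example,dc=test"
   ldap admin dn = "cn=samba,dc=example,dc=test"
   ; weak setting: use "start tls" or "on" instead
   LDAP SSL = off
EOF
audit_ldap_smbconf "$sample"
rm -f "$sample"
```

Settings in share sections are ignored on purpose, since the ldap parameters only apply in [global].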

Has anyone tried this?
Come on, you know the answer to that one already ;-)
Yes :oops: But I meant apart from you; I was not sure you were here. I read so little from you, except when it's Samba-related :)
you could use pam_ldap
I discovered that yesterday, but I did not know that direct LDAP auth was better.
I would use courier since it uses Maildir [...] we're stuck with uw-imap until we get up the courage to migrate from mbox to maildir ;-).
Same for me at home, but I just found the courage 8)

I'm in the process of saving all my server data (DBMS, IMAP, Web, mail identities, ...), then I reinstall everything (9.1 instead of currently 8.2) and switch to Courier :)

For my company, I also decided we'd go with Maildir, but I still have to find some info (eg: how to configure so that mails are all under /mail, not under $HOME)

Yves, no idea on the webmin modules (do you mean the idealx stuff?) in terms of usefulness - and they aren't in Mandrake, but:

1)We run samba/ldap on Mandrake (9.0), works great (except samba-2.2.x hits the LDAP server a lot, 3.0 will be better).

There is some choice for the task but indeed the idealx stuff seems to be the most advanced/stable solution.

(About when will 3.0 be out?) BTW, I plan on using Mdk9.1 for my company also.

3)I have contact with someone working on a howto for this, which covers most issues, maybe you want to look through it? I haven't had time to go through it in detail.

4)Mail me if interested at:

bgmilne at cae dot co dot za

I'll write as soon as I'm at home!

 

'later,

 

Yves.

Link to comment

Yes :oops: But I meant apart from you; I was not sure you were here. I read so little from you, except when it's Samba-related :)

 

Well, since I maintain (or help maintain them) I keep an eye open, even though I don't visit here too often (usually once a week or so) ...

 

Same for me at home, but I just found the courage 8)

I'm in the process of saving all my server data (DBMS, IMAP, Web, mail identities, ...), then I reinstall everything (9.1 instead of currently 8.2) and switch to Courier :)

 

I haven't gotten around to testing it yet, and we have about 70 accounts, some with many folders and subfolders, with some people very sensitive about their mail ....

 

Which tool did you use?

 

For my company, I also decided we'd go with Maildir, but I still have to find some info (eg: how to configure so that mails are all under /mail, not under $HOME)

 

Hehe, I actually patched uw-imap on our original mail server (7.2) and when we upgraded last time (8.0) and have a patched one ready for 9.1, which stored mail in ~/mail ... but should courier not use ~/Maildir? You can just get procmail to deliver to there?

 

Also, you could just:

# maildirmake /etc/skel/Maildir

on the server, then all new accounts would get a working mail directory ...

 

There is some choice for the task but indeed the idealx stuff seems to be the most advanced/stable solution.

 

I just saw this on freshmeat: http://freshmeat.net/projects/lxe, and would like to package it, but I don't read Spanish :-(. It looks pretty good from what I could gather from the html, will try and get it running ...

 

 

(About when will 3.0 be out?) BTW, I plan on using Mdk9.1 for my company also.

 

alpha24 should be out in the next few days, but I haven't really run it seriously yet, although there are packages of alpha23 (alpha22 in 9.1) that will parallel-install with 2.2.x. Betas are expected soon ...

 

I am not sure if I would suggest 9.1 for serious samba work at present, as there are some issues, such as ACLs not working in the 9.1 kernel. It may be feasible to use 9.1 with the kernel from 9.0 updates until there is a better kernel for 9.1 ....

Link to comment

Humm... I did not write because my computer is a mess right now. The switch to Courier did not happen as expected at all!

 

I did not use any tools to do my backup. I carefully dumped all my PG database, carefully gathered all my specific config inside my /local partition, then tar cjf a-file /local /etc, then sftp the backup file to my laptop's hard disk.

Recovering all that is a long process, and on top of that, I had a very bad experience with Courier: I couldn't subscribe to subdirs I just created from Mozilla (1.3), and when I finally somehow managed to make one of those appear under Inbox in Mozilla, I couldn't copy anything inside! I looked at the filesystem level: the files end up in subdir/tmp/, and don't move further... (should be subdir/cur/ or at least subdir/new/)

 

Yves.

Link to comment