
Re: NIS and Samba - can't authenticate Windows 98 clients



Clive,

OK, here's what I think should work.  Bear in mind that 
1) This is a pretty ugly business, and usually takes a lot of
testing to iron out.  The following should give a rough outline to start
with.
2) This suggestion is not really suitable for a professional
installation - it's not particularly secure, scalable, or easy to
administer.  Doing this right would require LDAP or Active Directory,
among other things, and a lot more work.
3) I don't know anything about OSX or how that machine will interact
with this.  Probably not well...

Hydra
^^^^^
NIS: should serve up maps for at least passwd and group. The *nix
clients need their uid/gid info from here. It does not need to serve
shadow maps - all password authentication will be done via smbpasswd.
NFS: not much to change here 
Samba: should be set to "security=user". All passwords are maintained
via "smbpasswd", which enters the user info into an SMB-style encrypted
password file. Thus, this is a separate step from adding the user to an
NIS map.

Zeus/Phoenix
^^^^^^^^^^^^
NIS: should have entries in nsswitch.conf to get their uid/gid info from
Hydra
NFS: it's so easy... too bad it's so insecure...
Samba: should be set to "security=server" and have "password server =
HYDRA" in smb.conf. These machines will authenticate SMB access against
HYDRA's smbpasswd database, and assign file permissions according to
NIS.

Windows Clients
^^^^^^^^^^^^^^^
There shouldn't be anything to worry about here.

Linux Clients
^^^^^^^^^^^^^
NIS: as above, setup nsswitch.conf
PAM: you need users to authenticate via Hydra's smbpasswd - thus, you
need pam_smb. Explaining PAM is beyond the scope of this reply. Just be
careful and leave an open root shell - it's ridiculously easy to lock
yourself out of a box by messing with pam. Info is at
pamsmb.sourceforge.net, though the file should be part of the samba
packages.

That should be enough to get things rolling. I'm happy to
continue off-list if you want - authentication and interoperability are a
particular interest of mine.

Cheers,
Todd

On Mon, 9 Jun 2003 02:00:11 +0100
Clive Menzies <clive@clivemenzies.co.uk> wrote:

> Todd
> 
> Hydra is the debian box that I've set up as the NIS server.  In its
> smb.conf file, I've tried a number of different settings: 
> 
> workgroup = PRIORYROAD (as in Windows Network Neighbourhood)
> 
> netbios name = Hydra
> 
> security = domain
> 
> I'm not sure what you mean by "share" but as I wrote earlier
> everything seems to work fine on the linux side.
> 
> From what you say, maybe what I'm trying to do is not possible or
> certainly beyond my limited capabilities ;-)  Anyway I'll try to
> describe what I want to achieve and perhaps you can advise whether it
> will fly.
> 
> We have two HP LH Pro Servers running stable, Hydra and Zeus.  Hydra
> is the main server for work files to be accessed by two clients: a
> Dell PC(Monty used by Maggie) dual booting Windows98 and Woody; a G4
> (Apollo used by me) dual booting MacOSX and Woody/Sarge.  Zeus is
> mainly serving music files to these two clients. 
> 
> We have a Mac8100/80 (Phoenix) running Woody and serving work files
> and music to 2 further PC's (Fred and George used by our boys, Jason
> and Luke) both running windows98.
> 
> Prior to experimenting with NIS, I set up Maggie and Clive as users on
> each of Hydra, Zeus, Phoenix using the same UID's, GUID's and
> passwords as on their workstations.  All three servers are running NFS
> and Samba and subject to "exports" and permissions, all the Windows
> users (Maggie, Luke and Jason) can access files on the relevant
> servers.  Maggie (on Monty) can also access all three servers via NFS.
> 
> To try NIS I setup Hydra as the NIS server and removed Maggie's user
> details from Phoenix to test whether she could still access it using
> the NIS info on Hydra.  On the Linux side it seemed to work
> seamlessly.
> 
> When Monty is booted into Windows she can't access Phoenix because
> Samba isn't talking to NIS, I guess.
> 
> In an ideal world, I would like to maintain all user and group
> information on one server (Hydra) and let it validate users for
> itself, Zeus and Phoenix.  Sorry if this is a bit long winded.
> 
> <snip>
> 
> Maggie is using "Client for Microsoft Networks" She can see Phoenix on
> Network Neighbourhood but selecting it prompts for a password which is
> rejected as invalid.  
> 
> I haven't enabled logging on the three Samba servers but if Monty is
> not finding the NIS info, would this show anything?  I can send you
> the various conf files (probably better done off list) if you think
> this will help.
> 
> I am very interested to know how to achieve this not so much for this
> network but because if we advise clients on migration to Linux, we may
> need a solution to the problem of maintaining users on a mixed
> network. It seems to be possible using an NT Name Server but it would
> be preferable to be able to suggest an open source alternative.
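
As an added example (not part of either message and not code from the Samba project): a small Python check of the smb.conf roles outlined in the reply, run over constructed config files. The function names and sample files are assumptions; the host names, the workgroup and the `security = domain` starting point come from the thread.

```python
import configparser

def global_params(smb_conf_text):
    """Parse smb.conf text and return its [global] parameters."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(smb_conf_text)
    # Samba ignores case and spaces in parameter names, so normalise them.
    return {k.replace(" ", "").lower(): v.strip()
            for k, v in cp["global"].items()}

def audit(confs):
    """confs maps host name -> smb.conf text. Returns a list of findings."""
    params = {host.upper(): global_params(text) for host, text in confs.items()}
    findings = []
    for host, p in sorted(params.items()):
        mode = p.get("security", "user").lower()
        if mode == "user":
            continue  # authenticates against its own smbpasswd file
        if mode != "server":
            findings.append(f"{host}: security = {mode} is not part of this layout")
            continue
        target = p.get("passwordserver", "").upper()
        if not target:
            findings.append(f"{host}: security = server without a password server")
        elif target not in params:
            findings.append(f"{host}: password server {target} is not a known host")
        elif params[target].get("security", "user").lower() != "user":
            findings.append(f"{host}: password server {target} is not security = user")
    return findings

# Constructed sample files; host names and workgroup are taken from the thread.
HYDRA_ORIGINAL = """
[global]
workgroup = PRIORYROAD
netbios name = Hydra
security = domain
"""
HYDRA_SUGGESTED = HYDRA_ORIGINAL.replace("security = domain", "security = user")
MEMBER = """
[global]
workgroup = PRIORYROAD
security = server
password server = HYDRA
"""

if __name__ == "__main__":
    for label, hydra in (("original", HYDRA_ORIGINAL), ("suggested", HYDRA_SUGGESTED)):
        confs = {"hydra": hydra, "zeus": MEMBER, "phoenix": MEMBER}
        print(label, audit(confs))
```

`security = server` was removed in Samba 4.0, so this layout applies only to Samba releases of the thread's era.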


