
Re: NIS and Samba - can't authenticate Windows 98 clients



Thanks Todd - I really appreciate the work you've put in ;-)

On (08/06/03 21:44), Todd Pytel wrote:
> OK, here's what I think should work.  Bear in mind that 
> 1) This is a pretty ugly business, and usually takes a lot of
> testing to iron out.  The following should give a rough outline to start
> with.
It would be worth the effort only if it produced a satisfactory outcome.

> 2) This suggestion is not really suitable for a professional
> installation - it's not particularly secure, scalable, or easy to
> administer.  Doing this right would require LDAP or Active Directory,
> among other things, and a lot more work.
Here's the rub - the current setup (without NIS) works well and doesn't
need to be changed. I don't expect to be changing my users (children and
partner) ;) I started experimenting with NIS to learn how to
implement cross platform integration in a production environment using
only OSS software tools.  

We would like to help our clients escape the maw of Microsoft ;-) 
Or at least reduce their reliance but at the same
time it needs to be better, cheaper and more secure - this is what I
believed Linux has to offer.  Debian is particularly attractive because
of its truly open source model - it appeals to my political and
humanitarian instincts ;)

Prior to starting out "learning" just over a year ago my knowledge of
computing could be rated as a competent user on Mac and adequate user
on Windows.  I am keen to become proficient in implementing and 
administering Debian systems (I'm not really interested in commercial
distros)

So in the context of what you've said about the problems with
integrating NIS/Samba and the insecurity of NFS it seems I am "barking
up the wrong tree".  Should I be studying LDAP and Active Directory?
I've bought a number of books and followed this list and debian-powerpc
and not really seen this topic addressed at any length.  I guess it is
time to subscribe to another list as well ;) (Need to find more hours in
the day)

> 3) I don't know anything about OSX or how that machine will interact
> with this.  Probably not well...
Well so far the Mac side has been the least problem (OSX being *nix
based) although having said that it is less stable and more buggy than
I expected.  What I didn't mention is that we've also got my daughter's
Mac running OS8.6 on the network which I haven't yet attempted to
integrate but I was intending to look at netatalk once I'd sorted the
windows clients - is this sensible?

In summary, I really appreciate your help.  Where do you think I should
go from here?

Thanks again

Clive

> 
> Hydra
> ^^^^^
> NIS: should serve up maps for at least passwd and group. The *nix
> clients need their uid/gid info from here. It does not need to serve
> shadow maps - all password authentication will be done via smbpasswd.
> NFS: not much to change here 
> Samba: should be set to "security=user". All passwords are maintained
> via "smbpasswd", which enters the user info into an SMB-style encrypted
> password file. Thus, this is a separate step from adding the user to an
> NIS map.
> 
> Zeus/Phoenix
> ^^^^^^^^^^^^
> NIS: should have entries in nsswitch.conf to get their uid/gid info from
> Hydra
> NFS: it's so easy... too bad it's so insecure...
> Samba: should be set to "security=server" and have "password server =
> HYDRA" in smb.conf. These machines will authenticate SMB access against
> HYDRA's smbpasswd database, and assign file permissions according to
> NIS.
> 
> Windows Clients
> ^^^^^^^^^^^^^^^
> There shouldn't be anything to worry about here.
> 
> Linux Clients
> ^^^^^^^^^^^^^
> NIS: as above, setup nsswitch.conf
> PAM: you need users to authenticate via Hydra's smbpasswd - thus, you
> need pam_smb. Explaining PAM is beyond the scope of this reply. Just be
> careful and leave an open root shell - it's ridiculously easy to lock
> yourself out of a box by messing with pam. Info is at
> pamsmb.sourceforge.net, though the file should be part of the samba
> packages.
> 
> That should be enough to get things rolling. I'm happy to
> continue off-list if you want - authentication and interoperability are a
> particular interest of mine.
> 
> Cheers,
> Todd
> 
> On Mon, 9 Jun 2003 02:00:11 +0100
> Clive Menzies <clive@clivemenzies.co.uk> wrote:
> 
> > Todd
> > 
> > Hydra is the debian box that I've set up as the NIS server.  In its
> > smb.conf file, I've tried a number of different settings: 
> > 
> > workgroup = PRIORYROAD (as in Windows Network Neighbourhood)
> > 
> > netbios name = Hydra
> > 
> > security = domain
> > 
> > I'm not sure what you mean by "share" but as I wrote earlier
> > everything seems to work fine on the linux side.
> > 
> > From what you say, maybe what I'm trying to do is not possible or
> > certainly beyond my limited capabilities ;-)  Anyway I'll try to
> > describe what I want to achieve and perhaps you can advise whether it
> > will fly.
> > 
> > We have two HP LH Pro Servers running stable, Hydra and Zeus.  Hydra
> > is the main server for work files to be accessed by two clients: a
> > Dell PC(Monty used by Maggie) dual booting Windows98 and Woody; a G4
> > (Apollo used by me) dual booting MacOSX and Woody/Sarge.  Zeus is
> > mainly serving music files to these two clients. 
> > 
> > We have a Mac8100/80 (Phoenix) running Woody and serving work files
> > and music to 2 further PC's (Fred and George used by our boys, Jason
> > and Luke) both running windows98.
> > 
> > Prior to experimenting with NIS, I set up Maggie and Clive as users on
> > each of Hydra, Zeus, Phoenix using the same UID's, GUID's and
> > passwords as on their workstations.  All three servers are running NFS
> > and Samba and subject to "exports" and permissions, all the Windows
> > users (Maggie, Luke and Jason) can access files on the relevant
> > servers.  Maggie (on Monty) can also access all three servers via NFS.
> > 
> > To try NIS I setup Hydra as the NIS server and removed Maggie's user
> > details from Phoenix to test whether she could still access it using
> > the NIS info on Hydra.  On the Linux side it seemed to work
> > seamlessly.
> > 
> > When Monty is booted into Windows she can't access Phoenix because
> > Samba isn't talking to NIS, I guess.
> > 
> > In an ideal world, I would like to maintain all user and group
> > information on one server (Hydra) and let it validate users for
> > itself, Zeus and Phoenix.  Sorry if this is a bit long winded.
> > 
> > <snip>
> > 
> > Maggie is using "Client for Microsoft Networks" She can see Phoenix on
> > Network Neighbourhood but selecting it prompts for a password which is
> > rejected as invalid.  
> > 
> > I haven't enabled logging on the three Samba servers but if Monty is
> > not finding the NIS info, would this show anything?  I can send you
> > the various conf files (probably better done off list) if you think
> > this will help.
> > 
> > I am very interested to know how to achieve this not so much for this
> > network but because if we advise clients on migration to Linux, we may
> > need a solution to the problem of maintaining users on a mixed
> > network. It seems to be possible using an NT Name Server but it would
> > be preferable to be able to suggest an open source alternative.
> 
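The layout Todd sketches above (smbpasswd on HYDRA, "security = user" there, "security = server" plus "password server = HYDRA" on ZEUS and PHOENIX, and uid/gid lookups through NIS in nsswitch.conf) written out as an added example. This is not code from either poster; the host names, workgroup and security modes come from the thread, while the 192.168.1. LAN, the log settings, the file paths, the NSS ordering and the pam_smb details are my assumptions for a woody-era Samba 2.2 install and should be checked against the versions actually installed.

```sh
#!/bin/sh
# Added example: stages the smb.conf / nsswitch.conf pieces outlined in the
# thread under $1. Use a scratch directory first to inspect the result, and
# "/" only on the box it belongs to. Everything not named in the thread
# (192.168.1. network, log options, pam_smb layout) is an assumption.

write_samba_configs() {
    root="$1"
    for h in hydra zeus phoenix; do
        mkdir -p "$root/$h/etc/samba"
    done

    # HYDRA: holds the only password database and answers every SMB logon.
    # Win98 clients send LM/NT hashes, so encrypted passwords must be on and
    # users are added with "smbpasswd -a <user>" (a step separate from NIS).
    cat > "$root/hydra/etc/samba/smb.conf" <<'EOF'
[global]
    workgroup = PRIORYROAD
    netbios name = HYDRA
    security = user
    encrypt passwords = yes
    smb passwd file = /etc/samba/smbpasswd
    ; assumed home LAN; keeps the password database off any other network
    hosts allow = 127. 192.168.1.
    ; per-client logs make "password rejected" problems visible
    log level = 1
    log file = /var/log/samba/log.%m
EOF

    # ZEUS and PHOENIX: no local password database. Each logon is passed
    # through to HYDRA; the authenticated name is then mapped to a uid/gid
    # through NSS, which NIS supplies. Pass-through mode trusts whichever
    # host answers to the name HYDRA, so restrict who may talk to these
    # servers and make sure HYDRA resolves consistently.
    for h in zeus phoenix; do
        name=$(printf '%s' "$h" | tr '[:lower:]' '[:upper:]')
        cat > "$root/$h/etc/samba/smb.conf" <<EOF
[global]
    workgroup = PRIORYROAD
    netbios name = $name
    security = server
    password server = HYDRA
    encrypt passwords = yes
    hosts allow = 127. 192.168.1.
    log level = 1
    log file = /var/log/samba/log.%m
EOF
        # NSS: local accounts first, then the NIS passwd/group maps from
        # HYDRA. Shadow stays local; HYDRA serves no shadow map.
        cat > "$root/$h/etc/nsswitch.conf" <<'EOF'
passwd:     files nis
group:      files nis
shadow:     files
hosts:      files dns
EOF
    done

    # Linux clients (Monty/Apollo booted into woody): pam_smb authenticates
    # console logins against HYDRA's smbpasswd. Assumed layout of
    # /etc/pam_smb.conf: workgroup, primary server, backup server, one per
    # line (verify against the pam_smb README for the installed version).
    # The matching PAM line, placed before pam_unix in e.g. /etc/pam.d/login,
    # would be: auth sufficient pam_smb_auth.so nolocal
    mkdir -p "$root/linux-client/etc"
    printf 'PRIORYROAD\nHYDRA\nHYDRA\n' > "$root/linux-client/etc/pam_smb.conf"
}

# Usage: write_samba_configs /tmp/stage   (then diff against the live files)
if [ "${1:-}" = "--stage" ]; then
    write_samba_configs "${2:-/tmp/samba-stage}"
fi
```

Two things worth keeping in mind when copying this into place: the smbpasswd file on HYDRA holds password-equivalent hashes and must stay mode 0600 and owned by root, and "security = server" pass-through was later deprecated by the Samba project because the member server has no way to verify that the host answering as HYDRA is genuine. For a home LAN behind a single router that matches Todd's point 2; for a client site the domain or LDAP route he mentions is the one to study.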


