
Re: [tlug] Network with Windows and Linux



On 11/29/05, Gerald Naughton <naughton123@example.com> wrote:

> how to sync passwords between Samba Server/User
> A/Cs/Mail Server
> /Web Server etc
>
>
> Maybe the only way is LDAP with Samba
>
> My ultimate goal is get rid of my Windows 2000 Domain
> Server ;->
>

We have been using Samba on old Compaq ProLiants with Linux as a file
server for 4 or 5 years at our company now.  We also have an NT4
controller (currently required by the Exchange setup) as well as an AD
controller to which we will migrate next year.

The thing you want to think about first is which is your
authentication server, as synchronising passwords is pretty messy:

1. In our case the accounts are defined on Windows and other services
use it to check passwords.  If you already have Windows servers and are
part of an international organisation's network, this may be the best
way.

2. On the other hand, you may decide that Samba should keep your user
data, so it will act as your PDC. Or you keep account data on another
unix system (this seems less straightforward as a lot of tweaking
needs to be done by you).

Linux systems can authenticate to a Windows NT4 domain by using the
pam_smb module.  This will allow you to set up ssh, ftp and other
services to be available to Windows accounts.  You can then also
configure other Linux services to use PAM for authentication (I think
there may be a mod_pam for Apache).

We have a simple smb authentication using smbclient -> you pass
through username and password and if the return value is TRUE the user
is authorised.

For Active Directory, it seems that with enough work you can use
pam_krb5 (not sure of the name, but it's Kerberos anyway) in the same way.
Web applications are easier to authenticate: just use an LDAP call
with the user's credentials to the AD server - if accepted, the user is
authenticated.  LDAP can then also be used to check for group
membership.

For simple file serving tasks inside an existing NT domain you can use
winbindd. This will check with the domain controller at login time and
then keep authentication cached.  It also maintains user/group id
mapping to Windows accounts.  So passwords are always kept only on the
Windows server and no synchronisation takes place.  It is however
critical that you back up this mapping - if it is lost you still have
all the files but don't know who owns them!  Since Samba 3 there are
various storage options for winbind.  The only useful one really is
the LDAP backend, as it allows easy and consistent backup / replication and
it also guarantees that all Samba servers use the SAME unix ids.  I
also heard that if you have rights to the AD root you could also
install a special LDAP schema into Active Directory, which would save
you from maintaining a separate LDAP server.

You can also set up LDAP authentication separate from Samba and
Windows.  For this to work Linux can use pam_ldap and Windows needs to
be hacked with a new "gina" module (the one that handles the
authentication).  If you google "windows gina authentication" you will
probably find the project site.

Real password sync is also an option either using samba, or the free
Unix Services for Windows as released by Microsoft.

One important thing to consider is file serving.  So-called
"opportunistic locking", while said to increase access speed
dramatically, often causes problems such as locked files after they
were closed, or even sometimes data loss when working with office
apps.  You have to confirm this and if it causes problems switch it
off.  Samba says it's a design flaw of the CIFS protocol and that Samba
behaves according to protocol.  However, real Windows doesn't seem to
have this problem, so maybe they don't care because it's not happening
to them.  Also you have to think about / and experiment with the file
and folder permissions.  Do you use only basic unix perms or ACLs?
Permissions and ACLs on a Samba share look strange from Windows and
can be very difficult to understand.  ACLs are also not backed up by
most Linux apps like tar and rsync... If you spend some time on
designing the layout of your shares you will be able to live with
simple unix permissions.  Samba 3 finally permits Unicode encoding,
but you must set it up beforehand. Otherwise you must set up client
encoding options, which leads English Windows to display boxes unless
the appropriate locale is selected.

One thing that seems to be mentioned is that NFS and Samba do not play
well with each other, so you had better use NFS for read-only access if
really required, or separate NFS and Windows directories.

One thing I like about Samba is the option to only show files and
directories that the user has permission to see - so if he has no
permission, he cannot see it.  NetWare had it already over 10 years ago,
but Windows still displays everything and then gives an error - permission denied.

Samba as a project is one of the best Linux applications; however, the
documentation is not perfect and some of the system design decisions
were not too good.  In Samba 4 they talk about including LDAP inside
Samba, but we have to see how this works out.

Hope this gave you a few hints for searching further.

--
Patrick Niessen
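The web-application check described in the message above (bind to the AD server with the user's credentials, then query group membership) as an added example; this is not code from the original post or from Samba. The two input checks are the ones a defender needs here: a simple bind with a name and an empty password is an unauthenticated bind that AD accepts by default, and an unescaped login name can rewrite the membership filter. The domain name, host and the ldap3-based helper are assumptions; the core functions take the bind routine as a parameter so they run without a directory.

```python
import re

# RFC 4515 escaping for values embedded in an LDAP search filter, so a
# login name like "alice)(cn=*" cannot rewrite the filter (LDAP injection).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

# Only plain sAMAccountName-style logins get as far as the directory.
_USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

def authenticate(bind, username, password, domain="EXAMPLE"):
    """Return True only if the directory accepted the user's credentials.

    `bind(principal, password)` is supplied by the caller and returns True
    when the LDAP simple bind succeeds.  It is never called with an empty
    password: a simple bind with a name and an empty password is an
    *unauthenticated* bind (RFC 4513, 5.1.2) that AD accepts by default as
    anonymous, so without this check anyone who knows a login name would
    be waved through.  "EXAMPLE" is an assumed domain name.
    """
    if not _USERNAME_RE.match(username or ""):
        return False
    if not password:
        return False
    return bool(bind(f"{domain}\\{username}", password))

def member_of_filter(username, group_dn):
    """Filter for the follow-up search that checks group membership."""
    return (f"(&(sAMAccountName={escape_filter(username)})"
            f"(memberOf={escape_filter(group_dn)}))")

def ldaps_bind(host):
    """Build a `bind` callable for a real AD server using ldap3 over LDAPS.

    Imported lazily so the rest of the module works without ldap3 installed;
    plain LDAP on port 389 would send the password in clear text.
    """
    from ldap3 import SIMPLE, Connection, Server
    server = Server(host, port=636, use_ssl=True)

    def bind(principal, password):
        conn = Connection(server, user=principal, password=password,
                          authentication=SIMPLE)
        ok = conn.bind()
        conn.unbind()
        return ok
    return bind
```

In a real deployment `authenticate(ldaps_bind("dc1.example.com"), user, pw)` does the bind and, on success, the application runs `member_of_filter(...)` with a service account to decide authorisation.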
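An smb.conf fragment that pulls together the file-serving points made in the message (winbind domain membership with the id mapping kept in LDAP, opportunistic locking switched off, the character set decided before data lands on the share, and the hide-unreadable behaviour); this is an added Samba 3 example, not configuration from the original post, and the workgroup, LDAP DNs, id ranges, code page and share path are placeholders.

```ini
[global]
   workgroup = EXAMPLE
   ; NT4-style domain member: winbindd asks the domain controller at login,
   ; so no password copies live on the Samba host
   security = domain
   password server = *
   ; keep the SID <-> uid/gid mapping in LDAP: it is backed up and
   ; replicated with the directory, and every Samba server sees the SAME ids
   ; (store the admin dn password with: smbpasswd -w <password>)
   idmap backend = ldap:ldap://ldap.example.com
   ldap suffix = dc=example,dc=com
   ldap admin dn = cn=Manager,dc=example,dc=com
   ldap idmap suffix = ou=Idmap
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind use default domain = yes
   ; decide the encoding before any files are written to the shares
   unix charset = UTF-8
   ; CP932 for Japanese Windows clients, CP850 for western-European ones
   dos charset = CP932
   kernel oplocks = no

[office]
   path = /srv/samba/office
   ; opportunistic locking is the client-side caching behind the stale-lock
   ; and office-file corruption reports, so it is off for this share
   oplocks = no
   level2 oplocks = no
   ; list only entries the connecting user may actually read
   hide unreadable = yes
```

Back up the ou=Idmap subtree with the rest of the directory; losing it leaves the files intact but their owners unknown, as the message warns.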

