2009/7/1 Kevin Thorpe kevin@pibenchmark.com:
On 01/07/2009 14:29, Jason Pyeron wrote:
We're missing some bits on this. We don't run Windows servers at all, so the Exchange route is out. Also, most of our workstations are only Windows Home, not Professional, so we can't use a domain or the ctrl-alt-del approach. I think I'm going to have to use OpenLDAP to do this, but it seems overly hard to set up. It will, however, work for Samba, Scalix and our website (Drupal), so I think it's the way to go.
I have successfully used http://www.pgina.org to authenticate Windows Home users against a Samba domain. pGina has plugins for different authentication providers, so OpenLDAP should work.
Of course, you should ensure user and password synchronization between the 2 servers as a first step. OpenLDAP will work. I have used http://sourceforge.net/projects/smbldap-tools/ to store the Samba account database in OpenLDAP.
The real challenge for me 7 years ago was password expiration. I believe this requirement will sooner or later come to you. Users tend to use the same password for years. Therefore a mechanism of password expiration must be enforced to make sure those passwords will be changed; also, the mechanism observes that passwords are strong and not rotated.
When I was using a Windows NT4 domain there was a mechanism which would observe the password expiration of domain users and would trigger via RPC a password change request on the user workstation. Upon login, the user would not be granted login until the password is changed.
I could not reproduce this behavior using Samba 2.2.xxx and have not tried since then.
With best regards,
Alexander