Greetings -
This may be a little off-topic here so if someone wants to point me to a more appropriate mailing list I would appreciate it.
I administer the network for my small company and am preparing to install a new server in the next month or so. It will be running CentOS 6 and function primarily as a Samba file server to 10 Windows workstations (XP, Vista, 7). It will also host our OpenVPN server and possibly our FTP server; however I am hoping to move our FTP server to a gateway box when the new server is installed.
The issue that I would like to be able to resolve when the new server is installed, is that currently if a user wants to change the password on their Windows workstation, I have to manually update that new password on the Linux user account, and also manually change the Samba user account. Manually updating the password in three different locations is a minor headache that I would like to correct. I have been researching and reading lots of information about account management to try and understand what is available, and what would be the best fit for my network size. Much of what I have read is related to larger networks or larger user bases, which seem to have a lot of extraneous stuff that would be unnecessary in my small user environment. I looked into OpenLDAP, and have recently been reading about Samba/Winbind. But after encountering the following statement in the Samba documentation, I am still lost about what I could, or should, be using. "A standalone Samba server is an implementation that is not a member of a Windows NT4 domain, a Windows 200X Active Directory domain, or a Samba domain. By definition, this means that users and groups will be created and controlled locally, and the identity of a network user must match a local UNIX/Linux user login. The IDMAP facility is therefore of little to no interest, winbind will not be necessary, and the IDMAP facility will not be relevant or of interest."
My only goal is to be able to allow my users to change their Windows password at their workstation and have it perpetuate through the system so that it also changes their Linux User and Samba User account passwords. I don't expect to ever have more than a dozen users, so I want something that fits our size network and is simple to administer. I am not looking for a how-to to set something up, but some opinions about what I should consider using, and why it would be a good fit to achieve my goal. I can do the additional research to understand configuration once I know what I should be researching. Thanks. Please cc me directly, as I only get the list in daily digest mode.
Jeff Boyce
Meridian Environmental
Jeff Boyce wrote:
Greetings -
This may be a little off-topic here so if someone wants to point me to a more appropriate mailing list I would appreciate it.
<snip>
The issue that I would like to be able to resolve when the new server is installed, is that currently if a user wants to change the password on their Windows workstation, I have to manually update that new password on the Linux user account, and also manually change the Samba user account. Manually updating the password in three different locations is a minor headache that I would like to correct. I have been researching and
<snip>
You *could* do it with openldap, with the WinDoze boxen authenticating through that. Now, I'll warn you that though it may have improved, a few years ago, openldap was a nightmare to configure, the documentation dreadful where it wasn't almost useless, and googling involved a *lot* of searching.
However, I did put it in in '06 for what wound up to be about 14 or 15 folks, and it worked, and they could change passwords themselves.
mark
On Apr 21, 2011, at 11:51 AM, m.roth@5-cent.us wrote:
Jeff Boyce wrote:
Greetings -
This may be a little off-topic here so if someone wants to point me to a more appropriate mailing list I would appreciate it.
<snip>
The issue that I would like to be able to resolve when the new server is installed, is that currently if a user wants to change the password on their Windows workstation, I have to manually update that new password on the Linux user account, and also manually change the Samba user account. Manually updating the password in three different locations is a minor headache that I would like to correct. I have been researching and
<snip>
You *could* do it with openldap, with the WinDoze boxen authenticating through that. Now, I'll warn you that though it may have improved, a few years ago, openldap was a nightmare to configure, the documentation dreadful where it wasn't almost useless, and googling involved a *lot* of searching.
Yes, agreed OpenLDAP is my suggestion as well.
As for Windows clients, you can either do:
Samba/LDAP tie-in so that your LDAP domain also functions as a PDC.
Or you can use pGina, which is a Windows LDAP plugin that allows your Windows clients to auth direct to LDAP w/o the need to join a PDC first.
I prefer pGina but it's not for everyone.
- aurf
On Thu, Apr 21, 2011 at 02:51:35PM -0400, m.roth@5-cent.us wrote:
Jeff Boyce wrote:
Greetings -
installed, is that currently if a user wants to change the password on their Windows workstation, I have to manually update that new password on the Linux user account, and also manually change the Samba user account. Manually updating the password in three different locations is a minor headache that I would like to correct. I have been researching and
<snip>
You *could* do it with openldap, with the WinDoze boxen authenticating through that. Now, I'll warn you that though it may have improved, a few years ago, openldap was a nightmare to configure, the documentation dreadful where it wasn't almost useless, and googling involved a *lot* of searching.
I have a page on openldap--though I don't cover it with samba--that is a cut above most of the documentation, in my not at all humble opinion--I fully agree with Mark that the vast majority of ldap documentation is horrendous. Some folks have found my page useful, so I'll offer it for consideration.
http://home.roadrunner.com/~computertaijutsu/ldap.html
On Apr 21, 2011, at 12:09 PM, Scott Robbins wrote:
I have a page on openldap--though I don't cover it with samba--that is a cut above most of the documentation, in my not at all humble opinion--I fully agree with Mark that the vast majority of ldap documentation is horrendous. Some folks have found my page useful, so I'll offer it for consideration.
Nice link, thanks for that.
Wished I would have known about it all those moons ago. I would also advise subscribing to the openldap mailing lists, but keep in mind it's HEAVILY moderated, so be mindful of your posts regarding topic. They will deny the post if they feel it's for another ldap list. A very very anal list indeed.
Also for the Samba bit, you can look here as it helped me:
http://pbraun.nethence.com/doc/net/samba-ldap.html
- aurf
Scott Robbins wrote: <snip>
I have a page on openldap--though I don't cover it with samba--that is a cut above most of the documentation, in my not at all humble opinion--I fully agree with Mark that the vast majority of ldap documentation is horrendous. Some folks have found my page useful, so I'll offer it for consideration.
And after a *very* brief glance, I've bookmarked it for future reference, since it has things like *examples* of what needs doing, and how to get there....
Thanks, Scott.
Cordelia: I do what I want to do. And I wear what I want to wear. And you know what, I'll date whoever the hell I want to date... no matter how lame he is.
Vorkosigan?
mark
On Thu, Apr 21, 2011 at 03:23:20PM -0400, m.roth@5-cent.us wrote:
Scott Robbins wrote:
<snip>
And after a *very* brief glance, I've bookmarked it for future reference, since it has things like *examples* of what needs doing, and how to get there....
Yeah, I learned about that example stuff from using FreeBSD. :) Most of their man pages have it. Seriously, after literally months of trying to figure it out, I wrote the page that I wished I'd had when I was trying to get it done.
Thanks, Scott.
Cordelia: I do what I want to do. And I wear what I want to wear. And you know what, I'll date whoever the hell I want to date... no matter how lame he is.
From my Buffy the Vampire quote generator, made when I had even less of a life. :)
http://home.roadrunner.com/~computertaijutsu/buffquote.html
It was actually made into an ArchLinux package by a Buffy fan.
Linux user account, and also manually change the Samba user account. Manually updating the password in three different locations is a minor headache that I would like to correct. I have been researching and
<snip>
You *could* do it with openldap, with the WinDoze boxen authenticating through that. Now, I'll warn you that though it may have improved, a few years ago, openldap was a nightmare to configure, the documentation dreadful where it wasn't almost useless, and googling involved a *lot* of searching.
You may additionally have a look at smbldap-tools (available in the EPEL repository).
I had good experience with OS users authenticated by OpenLDAP on a Linux only network. It is not so hard to configure with authconfig. At the time I had a quick look at Samba integration and smbldap-tools seemed the way to go.
By the way, authconfig seems to also have options for smb / winbind: http://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-authconfig-comma... I never tried those though.
On 4/21/2011 1:39 PM, Jeff Boyce wrote:
Greetings -
This may be a little off-topic here so if someone wants to point me to a more appropriate mailing list I would appreciate it.
I administer the network for my small company and am preparing to install a new server in the next month or so. It will be running CentOS 6 and function primarily as a Samba file server to 10 Windows workstations (XP, Vista, 7). It will also host our OpenVPN server and possibly our FTP server; however I am hoping to move our FTP server to a gateway box when the new server is installed.
Have you looked at the ClearOS distribution? It comes up with a simple web interface to manage all of this with authentication done with a pre-configured LDAP setup. I think LDAP replication is slated for the next version - which is waiting for CentOS 6 for its components - but you'd only need that if you have several different servers and want changes to propagate across them.
Les Mikesell wrote:
On 4/21/2011 1:39 PM, Jeff Boyce wrote:
Greetings -
This may be a little off-topic here so if someone wants to point me to a more appropriate mailing list I would appreciate it.
I administer the network for my small company and am preparing to install a new server in the next month or so. It will be running CentOS 6 and function primarily as a Samba file server to 10 Windows workstations (XP, Vista, 7). It will also host our OpenVPN server and possibly our FTP server; however I am hoping to move our FTP server to a gateway box when the new server is installed.
Have you looked at the ClearOS distribution? It comes up with a simple web interface to manage all of this with authentication done with a pre-configured LDAP setup. I think LDAP replication is slated for the next version - which is waiting for CentOS 6 for its components - but you'd only need that if you have several different servers and want changes to propagate across them.
Actually, I found webmin helpful in setting up and testing openldap.
mark
On 4/21/2011 2:24 PM, m.roth@5-cent.us wrote:
Les Mikesell wrote:
On 4/21/2011 1:39 PM, Jeff Boyce wrote:
Greetings -
This may be a little off-topic here so if someone wants to point me to a more appropriate mailing list I would appreciate it.
I administer the network for my small company and am preparing to install a new server in the next month or so. It will be running CentOS 6 and function primarily as a Samba file server to 10 Windows workstations (XP, Vista, 7). It will also host our OpenVPN server and possibly our FTP server; however I am hoping to move our FTP server to a gateway box when the new server is installed.
Have you looked at the ClearOS distribution? It comes up with a simple web interface to manage all of this with authentication done with a pre-configured LDAP setup. I think LDAP replication is slated for the next version - which is waiting for CentOS 6 for its components - but you'd only need that if you have several different servers and want changes to propagate across them.
Actually, I found webmin helpful in setting up and testing openldap.
Webmin is a very different concept. It is mostly a web-form editor for the underlying program's config file that may know enough to keep you from making/saving the kinds of syntax errors that you can make with a normal text editor, but you still have to know what program to start for each service, know the relationships between programs, and make separate changes to each program, knowing what all of the options do.
ClearOS and the similar/earlier SME server are much more task/service oriented, with preconfigured settings to make the common services you want come up and forms that relate to what you want to do rather than having to deal with options in several different underlying programs. So even though it is running the same samba and openldap as a CentOS install, you don't need to change anything to make them work together. And some things that are conceptually even harder, like optionally enabling openvpn per user and generating client certificates, are checkbox/push-button items.
I'd say base it on OpenLDAP. As far as the password change option, one simple but effective system is the passwd.cgi script from cgipaf:
http://freshmeat.net/projects/cgipaf/
Although you already have to provide your old password to do an update, putting it behind http-basic authentication will allow you to use things like fail2ban to protect against brute forcing.
Devin
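As an added illustration of the brute-force protection Devin describes (not code from this thread, from cgipaf or from fail2ban): a small Python detector that applies fail2ban-style maxretry/findtime thresholding to Apache 2.2 mod_auth_basic failure lines for a passwd.cgi URL protected by HTTP basic auth. The log lines, client addresses, user names and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Apache 2.2 error_log lines (CentOS 6 era) written by
# mod_auth_basic when basic auth in front of /cgi-bin/passwd.cgi fails.
SAMPLE_LOG = """\
[Thu Apr 21 14:00:01 2011] [error] [client 192.0.2.10] user jeff: authentication failure for "/cgi-bin/passwd.cgi": Password Mismatch
[Thu Apr 21 14:00:03 2011] [error] [client 192.0.2.10] user jeff: authentication failure for "/cgi-bin/passwd.cgi": Password Mismatch
[Thu Apr 21 14:00:04 2011] [error] [client 192.0.2.10] user root not found: /cgi-bin/passwd.cgi
[Thu Apr 21 14:00:05 2011] [error] [client 192.0.2.10] user admin not found: /cgi-bin/passwd.cgi
[Thu Apr 21 14:00:06 2011] [error] [client 192.0.2.10] user jeff: authentication failure for "/cgi-bin/passwd.cgi": Password Mismatch
[Thu Apr 21 14:05:00 2011] [error] [client 198.51.100.7] user mark: authentication failure for "/cgi-bin/passwd.cgi": Password Mismatch
[Thu Apr 21 14:20:00 2011] [error] [client 198.51.100.7] user mark: authentication failure for "/cgi-bin/passwd.cgi": Password Mismatch
"""

# Plays the fail2ban failregex role: timestamp and client for both wrong-password
# and unknown-user failures against passwd.cgi.
FAILURE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9a-fA-F.:]+)\] '
    r'user [^\s:]+(?:: authentication failure for "/cgi-bin/passwd\.cgi"'
    r'| not found: /cgi-bin/passwd\.cgi)'
)

def parse_failures(log_text):
    """Return (timestamp, client_ip) for every line matching FAILURE_RE."""
    hits = []
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
            hits.append((ts, m.group("ip")))
    return hits

def offenders(log_text, maxretry=5, findtime=600):
    """Clients with >= maxretry failures inside any findtime-second window."""
    window = timedelta(seconds=findtime)
    per_ip = defaultdict(list)
    for ts, ip in parse_failures(log_text):
        per_ip[ip].append(ts)
    banned = set()
    for ip, times in per_ip.items():
        times.sort()
        start = 0                      # left edge of the sliding window
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= maxretry:
                banned.add(ip)
                break
    return banned
```

With the defaults, only 192.0.2.10 (five failures in five seconds) crosses the threshold; 198.51.100.7's two failures are fifteen minutes apart and stay below it.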
--On Thursday, April 21, 2011 01:49:16 PM -0600 Devin Reade gdr@gno.org wrote:
As far as the password change option, one simple but effective system is the passwd.cgi script from cgipaf:
Sorry, brain fart.
Yes, cgipaf will allow you to change samba passwords at the same time, but it's been a few years since I needed to support samba and so I don't have a *current* assessment of it. (I currently use a functionally similar cgi program that updates LDAP via PAM instead, but knows nothing about samba.)
Devin