I was wondering if anyone could advise me on this.
I've got two Samba servers, each using passdb.tdb for authentication. All works well, but I've now been asked to let users change their own passwords (a requirement of data secuity). What's the best way of arranging this, preferably updating both servers at the same time?
thanks
-----Original Message----- From: Kevin Thorpe Sent: Wednesday, July 01, 2009 5:43
I was wondering if anyone could advise me on this.
We allow users th change their passwords via ctrl-alt-del, and via the web using the password change tool that comes with exchange.
I've got two Samba servers, each using passdb.tdb for authentication. All works well, but I've now been asked to let users change their own passwords (a requirement of data secuity). What's the best way of arranging this, preferably updating both servers at the same time?
thanks _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On CentOS release 4.7:
/etc/samba/smb.conf (redacted)
[global]
#log level = 10
encrypt passwords = yes
workgroup = xxxxxxxxxxxxxxxxxxxxxxxx server string = Logon Server pam password change = Yes unix password sync = Yes log file = /var/log/samba/%m.log max log size = 50 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 add user script = /usr/sbin/useradd -m '%u' delete user script = /usr/sbin/userdel -r '%u' add group script = /usr/sbin/groupadd '%g' delete group script = /usr/sbin/groupdel '%g' add user to group script = /usr/sbin/usermod -G '%g' '%u' add machine script = /usr/sbin/useradd -s /sbin/nologin -d /tmp '%u' domain logons = Yes preferred master = Yes domain master = Yes wins support = Yes ldap ssl = no idmap uid = 16777216-33554431 idmap gid = 16777216-33554431 map acl inherit = Yes cups options = raw csc policy = disable
[homes] comment = Home Directories read only = No browseable = No
[netlogon] comment = Network Logon Service path = /home/netlogon guest ok = Yes share modes = No
[print$] comment = All Printers path = /var/lib/samba/drivers guest ok = Yes browseable = No
[printers] comment = All Printers path = /var/spool/samba printable = Yes browseable = No
-- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- - - - Jason Pyeron PD Inc. http://www.pdinc.us - - Principal Consultant 10 West 24th Street #100 - - +1 (443) 269-1555 x333 Baltimore, Maryland 21218 - - - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- This message is copyright PD Inc, subject to license 20080407P00.
On 01/07/2009 14:29, Jason Pyeron wrote:
-----Original Message----- From: Kevin Thorpe Sent: Wednesday, July 01, 2009 5:43
I was wondering if anyone could advise me on this.
We allow users th change their passwords via ctrl-alt-del, and via the web using the password change tool that comes with exchange.
We're missing some bits on this. We don't run Windows servers at all so the Exchange route is out. Also most of our workstations are only windows Home, not Professional so we can't use a domain or the ctrl-alt-del approach. I think I'm going to have to use openLDAP to do this, but it seems overly hard to set up. It will however work for Samba, Scalix and our website (Drupal) so I think it's the way to go.
I've got two Samba servers, each using passdb.tdb for authentication. All works well, but I've now been asked to let users change their own passwords (a requirement of data secuity). What's the best way of arranging this, preferably updating both servers at the same time?
thanks _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
2009/7/1 Kevin Thorpe kevin@pibenchmark.com:
On 01/07/2009 14:29, Jason Pyeron wrote:
We're missing some bits on this. We don't run Windows servers at all so the Exchange route is out. Also most of our workstations are only windows Home, not Professional so we can't use a domain or the ctrl-alt-del approach. I think I'm going to have to use openLDAP to do this, but it seems overly hard to set up. It will however work for Samba, Scalix and our website (Drupal) so I think it's the way to go.
I have successfully used http://www.pgina.org to authenticate Windows Home users against a Samba domain. Pgina has plugins for different authentication providers, so openLDAP should work.
Of course you should ensure user and password synchronization between the 2 servers as a first step. OpenLDAP will work. I have used http://sourceforge.net/projects/smbldap-tools/ to store samba account database in openldap.
The real challenge for me 7 years ago, was password expiration. I believe this requirement will sooner or later come to you. Users tend to use the same password for years. Therefore a mechanism of password expiration must be enforced to make sure those passwords will be changed, also the mechanism observes that passwords are strong and not rotated.
When I was using a Windows NT4 domain there was a mechanism which would observe the password expiration of domain users and would trigger via RPC a password change request on the user workstation. Upon login, the user would not be granted login until the password is changed.
I could not reproduce this behavior using samba 2.2.xxx and have not tried since then.
With best regards Alexander
I know this is a late reply, but I've only just got round to things. pgina works absolutely fine, thanks for that. It also allows fallback to local users for our laptop wielding brethren. All I need to do now is work out how to use the Centos/redhat/fedora directory server.
On 01/07/2009 16:38, Alexander Georgiev wrote:
2009/7/1 Kevin Thorpekevin@pibenchmark.com:
On 01/07/2009 14:29, Jason Pyeron wrote:
We're missing some bits on this. We don't run Windows servers at all so the Exchange route is out. Also most of our workstations are only windows Home, not Professional so we can't use a domain or the ctrl-alt-del approach. I think I'm going to have to use openLDAP to do this, but it seems overly hard to set up. It will however work for Samba, Scalix and our website (Drupal) so I think it's the way to go.
I have successfully used http://www.pgina.org to authenticate Windows Home users against a Samba domain. Pgina has plugins for different authentication providers, so openLDAP should work.
Of course you should ensure user and password synchronization between the 2 servers as a first step. OpenLDAP will work. I have used http://sourceforge.net/projects/smbldap-tools/ to store samba account database in openldap.
The real challenge for me 7 years ago, was password expiration. I believe this requirement will sooner or later come to you. Users tend to use the same password for years. Therefore a mechanism of password expiration must be enforced to make sure those passwords will be changed, also the mechanism observes that passwords are strong and not rotated.
When I was using a Windows NT4 domain there was a mechanism which would observe the password expiration of domain users and would trigger via RPC a password change request on the user workstation. Upon login, the user would not be granted login until the password is changed.
I could not reproduce this behavior using samba 2.2.xxx and have not tried since then.
On Jul 1, 2009, at 5:42 AM, Kevin Thorpe kevin@pibenchmark.com wrote:
What's the best way of arranging this, preferably updating both servers at the same time?
What you should do is pick one server to manage the passwords and have the other setup to authenticate users against the first. Use samba's 'password server=' option. Then password changes happen only on the password server.
I would start thinking samba domain controller at this point.
-Ross
-
Alexander Georgiev -
Jason Pyeron -
Kevin Thorpe -
Ross Walker