[CentOS] Re: Fix passwd/shadow/group files?

Fri Jul 15 21:27:34 UTC 2005
Les Mikesell <lesmikesell at gmail.com>

On Fri, 2005-07-15 at 13:32, Bryan J. Smith  wrote:

> > The problem is that nearly all of the people are windows users
> > that need samba accounts to work in addition to ftp/ssh.
> 
> So?  I've been authenticating Samba against NIS servers since
> the mid-'90s.  I've even used NIS to distribute my smbpasswd
> files.

I don't want separate smbpasswd files.

> > Some maintain web content, some are customer support that need
> > write access to the ftp server and another set does some
> > development and testing on a different box. At various times
> > in the past, some of the boxes were solaris and freebsd.
> 
> So?  NIS is _universal_ to just about any UNIX flavor.
> Almost every UNIX C Library supports checking against it.
> Some include more modular options, like NSSwitch for
> telling it whether or not to check against NIS maps.

The part I wasn't sure about was whether NIS could supply the
unix account info (uid, gid, home dir) while allowing
the password check to be via smb, and whether that combination
would work with samba as well.  The solaris/freebsd versions
I used didn't have an obvious way to use smb authentication
for ssh/ftp logins.

> > Now they are all Linux and I'm using smb authentication against
> > a windows domain controller but still create the accounts for each
> > permitted user manually.
> 
> Dude ...
> 
> 1)  I specifically asked you if you had a true MS ADS DC.
> 2)  I mentioned MS Services for UNIX (SFU)

Today these are NT domain controllers actually still running NT.

> Dude, if you had a true MS ADS DC and were already authenticating
> Samba against it, you _should_also_ use SFU to share out NIS from
> the same.  Now you just control your netgroups at your MS ADS DC.

The replacement is going to be an AD, but run by a group at another
location that doesn't like unix.

> Furthermore, you can even set up true UNIX/Linux NIS "slave" servers
> to SFU, just like you can set up UNIX/Linux BIND "secondary" DNS
> servers to MS ADS-integrated DNS.  That way if your MS ADS DC
> tanks, you're not down, because you still have UNIX/Linux DNS/NIS.

We will probably have an AD server at this location with AD replication.
Can it do SFU if the master doesn't?

> > Actually, I guess the next integration will be with Active Directory.
> 
> Wait!  Are you CIFS PDC/BDCs or ADS DCs?
> 
> If you are the former, you _can_ switch _away_ from CIFS altogether!
> Not only does Samba 2.2+ provide _full_ CIFS replacement, but you
> can set up Samba 3.0+ as a BDC, mirror the existing, native CIFS PDC,
> and then _easily_ promote it to a PDC!
> Once your PDC is Samba, then it's cake to do NIS.

I would have done that eons ago if someone else hadn't been
managing the Windows boxes.  But by the time samba was capable,
the worst of the windows bugs were resolved - and you never knew
when a windows update was going to break authentication against
samba again...

> If you already made your Network ADS' bitch, then just get MS SFU.
> Trust me on this, it makes life 100x easier!  I wouldn't be surprised
> if management thinks UNIX/Linux "sucks" because the UNIX/Linux
> network is set up like crap, and not because it's not capable.

No, nobody cares if my job is hard or easy - or how many places I
have to copy a file to make things work.

> > This company has been acquired and the corporate parent is in the
> > process of converting their domains now and will be including the
> > users at this location.
> 
> Just FYI ...
> Once you ADS, you're _always_ going to be Microsoft-controlled.
> Samba will _never_ reverse engineer all of Microsoft's LDAP schema.

It's no longer my choice, and this is basically why I've always
considered it worth the trouble to keep separate logins on the
oddball boxes.  Not just for the Microsoft issue, but to be able
to replace services with any better alternatives that might come
along without regard to whether they understood NIS, LDAP, SMB
or whatever.  There aren't so many people that it is a problem
to set up the accounts.  It would be annoying, but not impossible
to maintain passwords separately - the scheme I use will accept
either local passwords or a match with the windows domain so I
won't be locked out regardless.

> You better
> decide soon whether or not you're going to put your entire network
> at the mercy of MS ADS, or if you want to maintain some anonymous
> control.

I'll probably attempt to set up the RH directory server to pull
info from AD eventually.

> You really need an independent architect to come in and make your
> life easier.  Because it seems your department isn't aware of all your
> interoperability options.

I've always thought that the worst possible thing you could do is to
have someone come in and set up something you don't understand yourself.
In this case the most trouble it would save is editing a few files
once in a while, something I've never considered to be a problem. I
started this thread only because the system tools crapped out on a
duplicate entry - something that might happen with any system.

>   I'm sure your management must think that
> Windows is 100x easier to support than UNIX/Linux because of your
> current setup.  I mean, NIS is circa 1982 (yes, _82_) UNIX design,
> and it would solve your problem quite nicely.

I can assure you that no one thinks that Windows is easier. However
it also isn't going away and new things are going to require AD.  But,
regardless of any global scheme, the set of valid logins on each
of these boxes is unique so specifying it in some network setup is
going to be just about the same amount of work as doing it directly
on each one. 

-- 
  Les Mikesell
    lesmikesell at gmail.com