2009/7/1 Kevin Thorpe <kevin at pibenchmark.com>:
> On 01/07/2009 14:29, Jason Pyeron wrote:
> >
> We're missing some bits on this. We don't run Windows servers at all so the
> Exchange route is out. Also most of our workstations are only Windows Home,
> not Professional so we can't use a domain or the ctrl-alt-del approach.
> I think I'm going to have to use openLDAP to do this, but it seems overly
> hard to set up. It will however work for Samba, Scalix and our website
> (Drupal) so I think it's the way to go.

I have successfully used http://www.pgina.org to authenticate Windows Home
users against a Samba domain. Pgina has plugins for different authentication
providers, so openLDAP should work. Of course you should ensure user and
password synchronization between the 2 servers as a first step.

OpenLDAP will work. I have used http://sourceforge.net/projects/smbldap-tools/
to store the Samba account database in OpenLDAP.

The real challenge for me 7 years ago was password expiration. I believe this
requirement will sooner or later come to you. Users tend to use the same
password for years. Therefore a mechanism of password expiration must be
enforced to make sure those passwords will be changed; the mechanism also
observes that passwords are strong and not rotated.

When I was using a Windows NT4 domain there was a mechanism which would
observe the password expiration of domain users and would trigger via RPC a
password change request on the user workstation. Upon login, the user would
not be granted login until the password was changed. I could not reproduce
this behavior using samba 2.2.xxx and have not tried since then.

With best regards
Alexander
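
An added example, not part of the original message: a server-side audit that flags Samba accounts stored in OpenLDAP whose password is older than a maximum age. It assumes entries carry the `sambaPwdLastSet` attribute (Unix time of the last change) from the Samba LDAP schema; the 90-day limit, the sample entries and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample entries (LDIF-style), not taken from any real directory.
SAMPLE_LDIF = """\
dn: uid=alice,ou=Users,dc=example,dc=org
uid: alice
sambaPwdLastSet: 1230768000

dn: uid=bob,ou=Users,dc=example,dc=org
uid: bob
sambaPwdLastSet: 1245888000

dn: uid=carol,ou=Users,dc=example,dc=org
uid: carol
"""

def parse_ldif(text):
    """Parse simple, unfolded 'attr: value' LDIF into a list of dicts."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():          # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(": ")
        if sep:
            current[attr] = value
    if current:
        entries.append(current)
    return entries

def password_report(entries, now, max_age_days=90):
    """Return {uid: status}; status is 'expired', 'ok' or 'never-set'."""
    report = {}
    for e in entries:
        last_set = e.get("sambaPwdLastSet")
        if last_set is None:          # account has no recorded password change
            report[e["uid"]] = "never-set"
            continue
        changed = datetime.fromtimestamp(int(last_set), tz=timezone.utc)
        expired = now - changed > timedelta(days=max_age_days)
        report[e["uid"]] = "expired" if expired else "ok"
    return report

if __name__ == "__main__":
    now = datetime(2009, 7, 1, tzinfo=timezone.utc)  # assumed audit date
    for uid, status in password_report(parse_ldif(SAMPLE_LDIF), now).items():
        print(uid, status)
```

In practice the input would be the output of an LDAP search for the account entries; the report only identifies stale passwords and does not itself force a change at login.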