----- Original Message -----
From: "Jeff Boyce" <jboyce at meridianenv.com>
To: <centos at centos.org>
Sent: Thursday, April 21, 2011 11:39 AM
Subject: User accounts management for small office

> Greetings -
>
> This may be a little off-topic here so if someone wants to point me to a
> more appropriate mailing list I would appreciate it.
>
> I administer the network for my small company and am preparing to install
> a new server in the next month or so. It will be running CentOS 6 and
> function primarily as a Samba file server to 10 Windows workstations (XP,
> Vista, 7). It will also host our OpenVPN server and possibly our FTP
> server; however I am hoping to move our FTP server to a gateway box when
> the new server is installed.
>
> The issue that I would like to be able to resolve when the new server is
> installed, is that currently if a user wants to change the password on
> their Windows workstation, I have to manually update that new password on
> the Linux user account, and also manually change the Samba user account.
> Manually updating the password in three different locations is a minor
> headache that I would like to correct. I have been researching and
> reading lots of information about account management to try and understand
> what is available, and what would be the best fit for my network size.
> Much of what I have read is related to larger networks or larger user
> bases, which seem to have a lot of extraneous stuff that would be
> unnecessary in my small user environment. I looked into OpenLDAP, and
> have recently been reading about Samba/Winbind. But after encountering
> the following statement in the Samba documentation, I am still lost about
> what I could, or should, be using.
> "A standalone Samba server is an implementation that is not a member of a
> Windows NT4 domain, a Windows 200X Active Directory domain, or a Samba
> domain. By definition, this means that users and groups will be created
> and controlled locally, and the identity of a network user must match a
> local UNIX/Linux user login. The IDMAP facility is therefore of little to
> no interest, winbind will not be necessary, and the IDMAP facility will
> not be relevant or of interest."
>
> My only goal is to be able to allow my users to change their Windows
> password at their workstation and have it perpetuate through the system so
> that it also changes their Linux User and Samba User account passwords. I
> don't expect to ever have more than a dozen users, so I want something
> that fits our size network and is simple to administer. I am not looking
> for a how-to to set something up, but some opinions about what I should
> consider using, and why it would be a good fit to achieve my goal. I can
> do the additional research to understand configuration once I know what I
> should be researching. Thanks. Please cc me directly, as I only get the
> list in daily digest mode.
>
> Jeff Boyce
> Meridian Environmental

Thanks to everyone that replied, you have helped me understand what direction I should be going (or staying away from). Here are the highlights and my comments to some of the suggestions that were provided, since I can't respond to every thread from the digest.

The opinions both for and against OpenLDAP have made me take a little closer look at it, but my conclusion is that it is more cumbersome than what I really want to handle right now for the size of the network.

I have looked closer at Samba/WINS/Winbind, etc. and it looks like the main source of my current problem is that my Samba network is set up now as a Workgroup and not as a Domain. I didn't understand that difference when I ran across the quote I included above. It looks like if I change to a Domain and configure it properly with WINS/Winbind that I should be able to have the single point password changing option occur from the Windows desktop. I am now re-reading sections of my copy of the Definitive Guide to Samba 3 which should help me (although it was published before Vista and 7, which all my workstations are now).

Also thanks to some for the suggestions of using ClearOS or Webmin. I do have Webmin installed and use it for some of my administrative functions. So if I do try playing around with OpenLDAP I will certainly see if it will reduce my learning curve on getting it set up properly. With the new gateway box that I mentioned above, I have been planning on installing ClearOS on it, so I will take a look at how it might be used to learn about using LDAP. Although I was thinking to have this box function more strictly as a gateway than providing services to the internal LAN.

Jeff