[CentOS] User accounts management for small office

Wed Apr 27 18:53:46 UTC 2011
Jeff Boyce <jboyce at meridianenv.com>

----- Original Message ----- 
From: "Jeff Boyce" <jboyce at meridianenv.com>
To: <centos at centos.org>
Sent: Thursday, April 21, 2011 11:39 AM
Subject: User accounts management for small office

> Greetings -
> This may be a little off-topic here so if someone wants to point me to a 
> more appropriate mailing list I would appreciate it.
> I administer the network for my small company and am preparing to install 
> a new server in the next month or so.  It will be running CentOS 6 and 
> function primarily as a Samba file server to 10 Windows workstations (XP, 
> Vista, 7).  It will also host our OpenVPN server and possibly our FTP 
> server; however I am hoping to move our FTP server to a gateway box when 
> the new server is installed.
> The issue that I would like to be able to resolve when the new server is 
> installed, is that currently if a user wants to change the password on 
> their Windows workstation, I have to manually update that new password on 
> the Linux user account, and also manually change the Samba user account. 
> Manually updating the password in three different locations is a minor 
> headache that I would like to correct.  I have been researching and 
> reading lots of information about account management to try and understand 
> what is available, and what would be the best fit for my network size. 
> Much of what I have read is related to larger networks or larger user 
> bases, which seem to have a lot of extraneous stuff that would be 
> unnecessary in my small user environment.  I looked into OpenLDAP, and 
> have recently been reading about Samba/Winbind.  But after encountering 
> the following statement in the Samba documentation, I am still lost about 
> what I could, or should, be using.
> "A standalone Samba server is an implementation that is not a member of a 
> Windows NT4 domain, a Windows 200X Active Directory domain, or a Samba 
> domain.  By definition, this means that users and groups will be created 
> and controlled locally, and the identity of a network user must match a 
> local UNIX/Linux user login. The IDMAP facility is therefore of little to 
> no interest, winbind will not be necessary, and the IDMAP facility will 
> not be relevant or of interest."
> My only goal is to be able to allow my users to change their Windows 
> password at their workstation and have it perpetuate through the system so 
> that it also changes their Linux User and Samba User account passwords.  I 
> don't expect to ever have more than a dozen users, so I want something 
> that fits our size network and is simple to administer.  I am not looking 
> for a how-to to set something up, but some opinions about what I should 
> consider using, and why it would be a good fit to achieve my goal.  I can 
> do the additional research to understand configuration once I know what I 
> should be researching.  Thanks.  Please cc me directly, as I only get the 
> list in daily digest mode.
> Jeff Boyce
> Meridian Environmental
Thanks to everyone that replied, you have helped me understand what 
direction I should be going (or staying away from).  Here are the highlights 
and my comments to some of the suggestions that were provided, since I can't 
respond to every thread from the digest.  The opinions both for and against 
OpenLDAP have made me take a little closer look at it, but my conclusion is 
that it is more cumbersome than what I really want to handle right now for 
the size of the network.  I have looked closer at Samba/Wins/Winbind, etc. 
and it looks like the main source of my current problem is that my Samba 
network is setup now as a Workgroup and not as a Domain.  I didn't 
understand that difference when I ran across the quote I included above.  It 
looks like if I change to a Domain and configure it properly with 
Wins/Winbind that I should be able to have the single point password 
changing option occur from the Windows desktop.  I am now re-reading 
sections of my copy of the Definitive Guide to Samba 3 which should help me 
(although it was published before Vista and 7, which all my workstations are 

Also thanks to some for the suggestions of using ClearOS or Webmin.  I do 
have Webmin installed and use it for some of my administrative functions. 
So if I do try playing around with OpenLDAP I will certainly see if it will 
reduce my learning curve on getting it setup properly.  With the new gateway 
box that I mentioned above, I have been planning on installing ClearOS on 
it, so I will take a look at how it might be used to learn about using LDAP. 
Although I was thinking to have this box function more strictly as a gateway 
than providing services to the internal lan.