topic Samba to prevent multiple logins? in Operating System - HP-UX

Samba to prevent multiple logins?

Fred Martin_1 — Wed, 06 Apr 2005 09:07:30 GMT

Every time I set up a user, I create a unix account for them, and create an NT account for them. NT for Windows file and print sharing, Unix for email and a unix database.

So users log in to the Windows network, which gives them access to NT file shares, an NT home directory, and Windows shared printers.

They use Eudora etc. to POP in to the Unix box for email.

Then, to access our primary database, they open a terminal emulator, and log in to unix to run the DB.

Can I use Samba to prevent having to maintain two sets of accounts, and so they don't need to login twice?

i.e. set them up in Unix but not NT?

And, once authenticated there, can the Unix box be in the same domain such that the NT shares are available to them without logging in again?

The O'Reilly Samba book says I can avoid NT CALs, is that true, or do I avoid CALs by sharing everything from unix disks?

If someone could touch on these points I'd appreciate it.

Re: Samba to prevent multiple logins?

Andrew Cowan — Thu, 07 Apr 2005 07:11:09 GMT

The latest versions of Samba can authenticate users from both a Microsoft domain or Active Directory. See:

http://bob.rasey.net/archives/000137.html

http://www.go-getters.com/index.php?p=26

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html

These sites should be enough to get you started.

Re: Samba to prevent multiple logins?

RAC_1 — Thu, 07 Apr 2005 07:23:35 GMT

Depending upon, how you have configured the smb.conf, you can authenticate users from wiondow$ PDC. Check the setting for security in global section.

For details on this setting, read sabba book.
http://www.oreilly.com/openbook

Re: Samba to prevent multiple logins?

Geoff Wild — Thu, 07 Apr 2005 08:35:59 GMT

Best to authenticate on Windows...

Here's the samba how to collection:

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/

Use HP's cif server though:

http://www.software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B8725AA

You need winbind running as well (add to /etc/nsswitch.conf:

passwd: files winbind
group: files winbind
hosts: files [NOTFOUND=CONTINUE] dns

You can make the samba server join the NT domain - you need someone with admin priviliges and password:

/opt/samba/bin/net rpc join -U administrator

Main things to put in smb.conf:

workgroup = YOURNTDOMAIN
security = DOMAIN
password server = YOURNTDC1, YOURNTDC2

winbind separator = +
winbind enum users = No
winbind enum groups = No
valid users = $YOURNTDOMAIN+AGROUP, bb, oracle, YOURNTDOMAIN+somentuserid

An example share:

[homes]
comment = Home Directories
path = /home/%U
valid users = YOURNTDOMAIN+somentuserid, YOURNTDOMAIN+somentuserid2, bb, oracle
browseable = No

NOTE: as of Samba 3 something...browsing is OFF by default - if you want browsing - then you have to add the IPC$ share:

[IPC$]
hosts allow = 192.168.2.0/24 127.0.0.1
hosts deny = 0.0.0.0/0
valid users = bb, YOURNTDOMAIN+somentuserid, YOURNTDOMAIN+somentuserid2

Hope this helps.

Rgds...Geoff

Re: Samba to prevent multiple logins?

Fred Martin_1 — Fri, 08 Apr 2005 08:07:48 GMT

Thanks folks, I'm reading more of the O'Reilly text and getting some answers there. I'll also review your links.

I was hoping though that I could use the unix box as the 'master' i.e. set up accounts there, then have the unix box act as the PDC for windows, letting Windows users authenticate from the unix box.

This because they need to have a unix account for email anyway.

Is it just harder to configure with unix as the PDC, or is it somewhat broken when done that way?

Re: Samba to prevent multiple logins?

Geoff Wild — Fri, 08 Apr 2005 08:32:54 GMT

You can use Unix as PDC - I do that @ home with my Linux box.

As far as I remember - you need Unix account for each as well as setting up the smbpasswd for NT id's.

There are a lot of How to's - heres one:

http://www.hughesjr.com/content/view/24/2/Site_News

Rgds...Goeff

Re: Samba to prevent multiple logins?

Fred Martin_1 — Fri, 08 Apr 2005 08:35:28 GMT

Accckk. So I have to set up the account twice anyway? I was hoping to avoid that.

Re: Samba to prevent multiple logins?

Geoff Wild — Fri, 08 Apr 2005 08:51:06 GMT

Yes - 2 accounts - the unix one can be nologin - or false...but you need an Unix uid for each NT user.

Rgds...Geoff

Re: Samba to prevent multiple logins?

Fred Martin_1 — Fri, 08 Apr 2005 09:04:42 GMT

But the Windows account is set up on the unix box in an smbpasswd file, is it not? Could it be automated, in that every time I add or remove a user in SAM for unix, a script fires off to create the smb account for windows?