LinuxSA Mailing list archives

  From: mtippett@ticons.com.au
  To  : Alex Garner <alex@garner.cx>
  Date: Wed, 30 Jun 1999 16:54:02 +0930 (CST)

Re: Linux Users IDs and NT

> Wander over to your /usr/doc/samba-xxx directory (if you rpm'ed it), or
> even better look at the docs that come with the tar ball. There are a whole
> lot of .txt docs and they all answer your questions in much detail (from
> memory). You'll have to do a lot of reading and wading, but I recommend you
> do anyway, because it gives you an insight into how powerful and cool samba
> really is.

Been there done that.  There is a really cool document that covers everthing
about joining a domain... That is going fine.  It mentions that one of the
shortcomings is that there is no easy way to synchronise the unix usernames
that are used for file ownership/permissions on the samba server to those on
the NT server.  It does say that the author (Jeremy Allison - IIRC) has been
playing with some ideas on the autogeneration of usernames under unix under
the control of NT.

> I believe there is actually a way you can just get samba to auth from an NT
> domain controller, but don't quote me on that.
> synchronise the unix usernames

I am already doing that...  To describe in a diagram the way things are done.


        ---------------->       ----- Auth
Client  ====  Linux      NT     ===== File
                <--------

The way things work (roughly) is that the client opens a file service on
the Linux box.  Authentication is passed back to the NT domain controller.
If the auth is valid the connection is allowed and the data is written
to disk *AS THE AUTHENTICATED USER*.   Hence a mapping of NT usernames to
userids must be managed.  The user *must* have a userid that files can
be written under on the Linux box.

Now since the accounts are managed on the NT system we have to keep Linux
synchronised with the NT box.  So the three apparent options are...

	1) On the fly creation - if the account doesn't exist create it
		within samba.

	2) Manual management - Always manage it on both systems.  Bleark!

	3) Synchronise on occasions - When an account is created trigger
		the synchronisation of the accounts on the Linux box.

Of these 1 and 3 are the most suitable.  3 is the option that gives you
most control.  1 is the easiest to manage.

Now we have a solution :).

I did get an email from jerry@eng.auburn.edu, who gave me the following 
information.  This is precisely what I want.  All I need to do now is get
the administrators to run a small batch program to dump the group and user
lists on the Linux Server which can be configured to synchronise whenever 
the file changes.

Thanks all for your help.

======================================
Matt,

I wrote three Perl scripts to illustrate this for a chapter in 
min and Richard's book (chapter 12).  You can download the 
latest version of these via FTP from
        ftp.eng.auburn.edu/pub/cartegw/samba/domain_member_scripts.tar.gz

Let me know if you find them useful or have suggestions 
for improvement.

Cheers,
jerry
======================================

Cheers, and thanks again...

Matt

-- 
+----[ Matthew Tippett    +61 416 006 047    mtippett@ticons.com.au ]----+
| Tippett Information Consulting Pty Ltd  ]-[  http://www.ticons.com.au/ |
+-----[ Linux and Open Source Development, Consulting and Support ]------+

-- 
Check out the LinuxSA web pages at http://www.linuxsa.org.au/
To unsubscribe from the LinuxSA list:
  mail linuxsa-request@linuxsa.org.au with "unsubscribe" as the subject