Samba as a PDC (was Re: [expert] Password issues)
I suspect you might run into problems if you don't research this a bit more. Running a Windows NT domain with linux/samba has some advantages, but there are some issues you need to be aware of.

1) Samba can only use the user's unix password if you are not using encrypted passwords in Windows NT etc. In recent versions of Windows, encrypted passwords are the default, but that can be changed with a reg hack (available in the samba docs that ship with the rpm).
2) Unfortunately, you can not change to unencrypted passwords if you are going to run a domain. This is a "feature" of Windows.
3) Samba has no support for PDC/BDC relationships or interdomain trust. This will be a long time in coming, although some features are available in samba-tng.
4) There are issues with joining win2k clients to the domain. You will need to run the current CVS version if you need to add win2k clients.

OK, now for the good news

1) Since the smbpasswd is not checked as well as the unix password, you are ok on migrating the passwords. Note that there are actually scripts for doing the whole process that come with samba.
2) Even though samba does not use the unix password when in a domain, you can authenticate unix services off the samba password database.

My suggestion to you would be to keep your PDC/BDC, but just move all your services off to the linux boxes. I use pam-smb (I am wanting to get authentication of uw-imap working, but am having trouble) for pam-enabled services, and can currently login to the linux boxes with my windows password. For squid, the auth-smb module works fine. File and print services with samba are quite good (getting better in samba 2.2.0cvs), as long as you join your linux boxes to the domain.

You might want to subscribe to the samba-ntdom mailing list, where the samba/NT domain integration pros hang out. See the samba website for details (http://www.samba.org).

We actually run a samba 2.0.7 machine as PDC, mainly because of the cost of licenses for all the machines we would have to run (servers and clients). If you can afford to have an NT machine as PDC, and your availability is sufficient, stick with that.

Regards,
Buchan

Jorge Ramírez Llaca wrote:
>
> I'm in the process of migrating all my NT servers to Linux Mandrake 7.2
>
> Currently, there's a PDC holding all the user's network folders and a couple
> of SDC's running a variety of services, including IMAP, SMTP, LDAP, web
> cache, printing, etc.
>
> All my users authenticate against the NT domain. So far I think I've got
> this covered. I already cracked all my users' passwords (using l0phtcrack
> 2.52). Right now I'm in the process of writing a couple of migration scripts
> that will add the users, first to Linux and then to Samba 2.07, then move
> all the files from the NT file server to the Mandrake server and finally
> their mailboxes to a second Mandrake server. After taking the NT PDC
> offline I'll reconfigure Samba to act as a PDC on the file server and as a
> SDC on the mail server.
>
> If all goes well, my users won't notice the change. Or at least that's my
> goal, a completely transparent migration experience (at least for them).
>
> My problem is that some of my users have very weak passwords and Mandrake
> won't allow them. I intend to address that issue sometime soon but I need to
> migrate them ASAP. So the question is: How do I instruct Mandrake to accept
> whatever silly thing the users have chosen as their password.
>
> Can anyone help me please?

--
|Registered Linux User #182071-|
Buchan Milne
Mechanical Engineer, Network Manager
Cellphone * Work
+27 82 472 2231 * +27 21 808 2497
Stellenbosch Automotive Engineering
http://www.cae.co.za
Re: [expert] Password issues
>>> This is a good point. I don't think Samba supports pam.d rejection of
>>> passwords and since I'll be using password synchronization this is really
>>> important. I guess I'll just have to live with weak passwords until a
>>> better solution comes my way.
>>> Has anyone tried to do something like this?
>>

We regularly have to set up student accounts for our Linux network using some ridiculously simple passwords the College computer services assigns to each student (we do try to make them change the passwords as soon as possible). You seem to be in a similar situation.

Our solution is to modify the /etc/password or /etc/shadow files directly (well, in our case really some files used by NIS to create the maps). Our perl scripts simply encrypt those passwords and write the complete user information to those files. It then creates one of our standardized home directories, customizing the preference file appropriately.

Andreas

--
Prof. Dr. Andreas J. Guelzow
Chair of Science
Concordia University College of Alberta
http://www.math.concordia.ab.ca/aguelzow
Re: [expert] Password issues
He wanted to create them by porting from NT and by automation. This incidentally would be a major step to making linux be adoptable in the workplace large or small.

Not everyone is going to want to try and sell something to skeptical windows users that says 'password insecure' and makes them type something in. That confuses people. That makes skeptical people mock the new and the different.

If you're in this guy's position you want it done and set up so nobody can complain. And there you are offering command line manual input. And what if his company is small now, it still rocks to have automation, because he might have to do this again some day.

Dude, put your linux desktop hat away (the red one) and put on your intelligent systems admin hat. I think they are starting to make one without daemon horns but I am not sure.

On Fri, 26 Jan 2001, marsden wrote:

> Date: Fri, 26 Jan 2001 14:45:51 -0800
> From: marsden <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: [expert] Password issues
>
> At 03:34 PM 1/26/01 -0600, you wrote:
> >This is a good point. I don't think Samba supports pam.d rejection of
> >passwords and since I'll be using password synchronization this is really
> >important. I guess I'll just have to live with weak passwords until a
> >better solution comes my way.
> >Has anyone tried to do something like this?
>
> Sir
> How many passwords/users are you considering? You can set up users and
> their passwords via the commandline, and while Linux will complain, at
> least both RedHat and Mandrake 7.1 will allow you to *use* a silly
> password. Once you see "password authenticated" it has been set up,
> regardless of how easy it is to crack.
>
> Our company is small enough that we set up less than 1 user a month, so I
> simply input the info on the command line instead of using the gui provided
> by Mandrake.
>
> Anybody else have any brilliant ideas?
>
> But do, please, bug them to update their passwords.
>
> Marsden
Re: [expert] Password issues
On Friday 26 January 2001 21:20, you wrote:
> I'm in the process of migrating all my NT servers to Linux Mandrake 7.2
>
> Currently, there's a PDC holding all the user's network folders and a
> couple of SDC's running a variety of services, including IMAP, SMTP, LDAP,
> web cache, printing, etc.
>
> All my users authenticate against the NT domain. So far I think I've got
> this covered. I already cracked all my users' passwords (using l0phtcrack
> 2.52). Right now I'm in the process of writing a couple of migration
> scripts that will add the users, first to Linux and then to Samba 2.07,
> then move all the files from the NT file server to the Mandrake server and
> finally their mailboxes to a second Mandrake server. After taking the
> NT PDC offline I'll reconfigure Samba to act as a PDC on the file server
> and as a SDC on the mail server.
>
> If all goes well, my users won't notice the change. Or at least that's my
> goal, a completely transparent migration experience (at least for them).
>
> My problem is that some of my users have very weak passwords and Mandrake
> won't allow them. I intend to address that issue sometime soon but I need
> to migrate them ASAP. So the question is: How do I instruct Mandrake to
> accept whatever silly thing the users have chosen as their password.
>
> Can anyone help me please?

This _might_ work

Lower the security to 'Poor' and move to kernel 2.2.17-21mdk
Migrate the passwords
Raise the security to 'High' and switch to kernel-secure 2.2.18

This _will_ work

Alternatively, though it is a pain in the neck, use linuxconf on 6.1 which will complain but accept the password anyway, then copy /etc/passwd over to your system.

Civileme
Re: [expert] Password issues
Go to /etc/pam.d/passwd and comment out the line:

    password required /lib/security/pam_cracklib.so retry=3

This should stop the checking against cracklib.

On Fri, 26 Jan 2001, Jorge Ramírez Llaca wrote:

- Thanks for your support but my real problem is Linux's password policy that
- won't allow but only 5% of my users' passwords. I need to lower the security
- so it doesn't complain about how terrible they are and reject them.
- Asking the users to change their passwords is really out of the question
- right now because of the time frame in which I have to do this. You see,
- most of my users are on vacation right now so they are not available.
-
- ----- Original Message -----
- From: "D. Stark - eSN" <[EMAIL PROTECTED]>
- To: <[EMAIL PROTECTED]>
- Sent: Friday, January 26, 2001 2:34 PM
- Subject: RE: [expert] Password issues
-
- > I can offer you no advice per se, but I applaud your moxy. Good luck.
- > Hey...let me think. In bash, maybe try something like this?
- >
- > for account in users.file
- > do
- > $userName = (awk statement)
- > $passWord = (awk statement)
- >
- > useradd $userName -s /dev/null
- > echo $passWord | passwd --stdin $userName
- >
- > done
- >
- > I know lots is missing, but it might be a start. Or, just tell them all that
- > they compromise company security and need to fix it, dammit. : )
- >
- > Derek Stark
- > IT / Linux Admin
- > eSupportNow
- > xt 8952
- >
- > -----Original Message-----
- > From: [EMAIL PROTECTED]
- > [mailto:[EMAIL PROTECTED]]On Behalf Of Jorge Ramírez Llaca
- > Sent: Friday, January 26, 2001 3:21 PM
- > To: [EMAIL PROTECTED]
- > Subject: [expert] Password issues
- >
- > I'm in the process of migrating all my NT servers to Linux Mandrake 7.2
- >
- > Currently, there's a PDC holding all the user's network folders and a couple
- > of SDC's running a variety of services, including IMAP, SMTP, LDAP, web
- > cache, printing, etc.
- >
- > All my users authenticate against the NT domain. So far I think I've got
- > this covered. I already cracked all my users' passwords (using l0phtcrack
- > 2.52). Right now I'm in the process of writing a couple of migration scripts
- > that will add the users, first to Linux and then to Samba 2.07, then move
- > all the files from the NT file server to the Mandrake server and finally
- > their mailboxes to a second Mandrake server. After taking the NT PDC
- > offline I'll reconfigure Samba to act as a PDC on the file server and as a
- > SDC on the mail server.
- >
- > If all goes well, my users won't notice the change. Or at least that's my
- > goal, a completely transparent migration experience (at least for them).
- >
- > My problem is that some of my users have very weak passwords and Mandrake
- > won't allow them. I intend to address that issue sometime soon but I need to
- > migrate them ASAP. So the question is: How do I instruct Mandrake to accept
- > whatever silly thing the users have chosen as their password.
- >
- > Can anyone help me please?

--
--Stephen Carville
http://www.heronforge.net/~stephen/gnupgkey.txt
==
All religions are equally vile. What the Aztecs did with people's hearts, Judaeo-Christianity does with their minds.
L. Neil Smith
==
Re: [expert] Password issues
Ah, forgot to ask - what's PDC and SDC, or is that M$ terminology for file/application servers?

BillK

> Currently, there's a PDC holding all the user's network folders and a couple
> of SDC's running a variety of services, including IMAP, SMTP, LDAP, web
> cache, printing, etc.
Re: [expert] Password issues
At 05:10 PM 1/26/01 -0600, you wrote:
>We are talking ~900 users... and I finally got it working.
>Thanks a lot to all of you who shared your thoughts on this matter.
>When everything is in place and working smoothly I'll set up a web page with
>detailed instructions for all those interested in migrating their server
>infrastructure from NT to Linux.

900 users! Oh gosh, I'm glad you figured out a better way to do it. I'll look forward to seeing your instructions.

Thanks
Marsden
Re: [expert] Password issues
We are talking ~900 users... and I finally got it working.
Thanks a lot to all of you who shared your thoughts on this matter.
When everything is in place and working smoothly I'll set up a web page with detailed instructions for all those interested in migrating their server infrastructure from NT to Linux.

----- Original Message -----
From: "marsden" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, January 26, 2001 4:45 PM
Subject: Re: [expert] Password issues

> At 03:34 PM 1/26/01 -0600, you wrote:
> >This is a good point. I don't think Samba supports pam.d rejection of
> >passwords and since I'll be using password synchronization this is really
> >important. I guess I'll just have to live with weak passwords until a
> >better solution comes my way.
> >Has anyone tried to do something like this?
>
> Sir
> How many passwords/users are you considering? You can set up users and
> their passwords via the commandline, and while Linux will complain, at
> least both RedHat and Mandrake 7.1 will allow you to *use* a silly
> password. Once you see "password authenticated" it has been set up,
> regardless of how easy it is to crack.
>
> Our company is small enough that we set up less than 1 user a month, so I
> simply input the info on the command line instead of using the gui provided
> by Mandrake.
>
> Anybody else have any brilliant ideas?
>
> But do, please, bug them to update their passwords.
>
> Marsden
Re: [expert] Password issues
At 03:34 PM 1/26/01 -0600, you wrote:
>This is a good point. I don't think Samba supports pam.d rejection of
>passwords and since I'll be using password synchronization this is really
>important. I guess I'll just have to live with weak passwords until a
>better solution comes my way.
>Has anyone tried to do something like this?

Sir
How many passwords/users are you considering? You can set up users and their passwords via the commandline, and while Linux will complain, at least both RedHat and Mandrake 7.1 will allow you to *use* a silly password. Once you see "password authenticated" it has been set up, regardless of how easy it is to crack.

Our company is small enough that we set up less than 1 user a month, so I simply input the info on the command line instead of using the gui provided by Mandrake.

Anybody else have any brilliant ideas?

But do, please, bug them to update their passwords.

Marsden
Re: [expert] Password issues
This is a good point. I don't think Samba supports pam.d rejection of passwords and since I'll be using password synchronization this is really important. I guess I'll just have to live with weak passwords until a better solution comes my way.
Has anyone tried to do something like this?

----- Original Message -----
From: "Anthony Moulen" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, January 26, 2001 3:08 PM
Subject: Re: [expert] Password issues

> Perhaps you could remove the pam.d passwd requirement to use cracklib. I
> would suggest you make a copy first of passwd entry in the pam.d folder,
> then make your change, then try to set the password to something insecure.
>
> After you finish setting the passwords put the cracklib back in place,
> then users should be informed that you want them to reset their passwords.
>
> They should now not be able to set the password to something against the
> cracklib rules (this is assuming that the Samba integration supports
> pam.d rejecting passwords).
>
> Good luck.
Re: [expert] Password issues
Perhaps you could remove the pam.d passwd requirement to use cracklib. I would suggest you make a copy first of passwd entry in the pam.d folder, then make your change, then try to set the password to something insecure.

After you finish setting the passwords put the cracklib back in place, then users should be informed that you want them to reset their passwords.

They should now not be able to set the password to something against the cracklib rules (this is assuming that the Samba integration supports pam.d rejecting passwords).

Good luck.
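
Added example, not part of the original message or of any project mentioned in the thread: a check that the pam_cracklib line was put back after the temporary change described above, reporting whether a PAM service file enforces it in the password stack. The function names and the sample files are constructed for illustration; on a real system the file to check would be /etc/pam.d/passwd.

```shell
#!/bin/sh
# Added example, not from the thread: report whether a PAM service file
# enforces pam_cracklib in its "password" stack.

# cracklib_status FILE prints one of:
#   enforced  active "password" line with control required or requisite
#   review    active line with another control (for example optional)
#   disabled  pam_cracklib appears only on commented-out lines
#   absent    pam_cracklib is not mentioned at all
cracklib_status() {
    awk '
        /pam_cracklib\.so/ {
            if ($0 ~ /^[ \t]*#/) { commented = 1; next }
            t = $1; sub(/^-/, "", t)      # "-password" is also a valid type
            if (t != "password") next
            if ($2 == "required" || $2 == "requisite") { enforced = 1 }
            else { other = 1 }
        }
        END {
            if (enforced) { print "enforced" }
            else if (other) { print "review" }
            else if (commented) { print "disabled" }
            else { print "absent" }
        }
    ' "$1"
}

# Print "STATUS FILE" per argument; fail if any file is not "enforced".
audit_pam_files() {
    rc=0
    for f in "$@"; do
        s=$(cracklib_status "$f")
        printf '%-9s %s\n' "$s" "$f"
        [ "$s" = enforced ] || rc=1
    done
    return "$rc"
}

# Constructed sample files (assumption: modelled on the line quoted in the
# thread; pam_unix.so stands in for the rest of the stack).
write_samples() {
    cl='/lib/security/pam_cracklib.so retry=3'
    ux='password required /lib/security/pam_unix.so use_authtok shadow'
    printf '%s\n' "password required $cl" "$ux"  > "$1/passwd.restored"
    printf '%s\n' "#password required $cl" "$ux" > "$1/passwd.migration"
    printf '%s\n' "password optional $cl" "$ux"  > "$1/passwd.optional"
    printf '%s\n' "$ux"                          > "$1/passwd.stripped"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
audit_pam_files "$demo_dir"/passwd.* || echo "cracklib is not enforced in every file"
rm -rf "$demo_dir"
```

Run against the saved copy and the live file after the migration, the two should both report "enforced"; any other status means weak passwords are still being accepted.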
Re: [expert] Password issues
Thanks for your support but my real problem is Linux's password policy that won't allow but only 5% of my users' passwords. I need to lower the security so it doesn't complain about how terrible they are and reject them.
Asking the users to change their passwords is really out of the question right now because of the time frame in which I have to do this. You see, most of my users are on vacation right now so they are not available.

----- Original Message -----
From: "D. Stark - eSN" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, January 26, 2001 2:34 PM
Subject: RE: [expert] Password issues

> I can offer you no advice per se, but I applaud your moxy. Good luck.
> Hey...let me think. In bash, maybe try something like this?
>
> for account in users.file
> do
> $userName = (awk statement)
> $passWord = (awk statement)
>
> useradd $userName -s /dev/null
> echo $passWord | passwd --stdin $userName
>
> done
>
> I know lots is missing, but it might be a start. Or, just tell them all that
> they compromise company security and need to fix it, dammit. : )
>
> Derek Stark
> IT / Linux Admin
> eSupportNow
> xt 8952
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Jorge Ramírez Llaca
> Sent: Friday, January 26, 2001 3:21 PM
> To: [EMAIL PROTECTED]
> Subject: [expert] Password issues
>
> I'm in the process of migrating all my NT servers to Linux Mandrake 7.2
>
> Currently, there's a PDC holding all the user's network folders and a couple
> of SDC's running a variety of services, including IMAP, SMTP, LDAP, web
> cache, printing, etc.
>
> All my users authenticate against the NT domain. So far I think I've got
> this covered. I already cracked all my users' passwords (using l0phtcrack
> 2.52). Right now I'm in the process of writing a couple of migration scripts
> that will add the users, first to Linux and then to Samba 2.07, then move
> all the files from the NT file server to the Mandrake server and finally
> their mailboxes to a second Mandrake server. After taking the NT PDC
> offline I'll reconfigure Samba to act as a PDC on the file server and as a
> SDC on the mail server.
>
> If all goes well, my users won't notice the change. Or at least that's my
> goal, a completely transparent migration experience (at least for them).
>
> My problem is that some of my users have very weak passwords and Mandrake
> won't allow them. I intend to address that issue sometime soon but I need to
> migrate them ASAP. So the question is: How do I instruct Mandrake to accept
> whatever silly thing the users have chosen as their password.
>
> Can anyone help me please?
RE: [expert] Password issues
I can offer you no advice per se, but I applaud your moxy. Good luck.
Hey...let me think. In bash, maybe try something like this?

    for account in users.file
    do
    $userName = (awk statement)
    $passWord = (awk statement)

    useradd $userName -s /dev/null
    echo $passWord | passwd --stdin $userName

    done

I know lots is missing, but it might be a start. Or, just tell them all that they compromise company security and need to fix it, dammit. : )

Derek Stark
IT / Linux Admin
eSupportNow
xt 8952

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Jorge Ramírez Llaca
Sent: Friday, January 26, 2001 3:21 PM
To: [EMAIL PROTECTED]
Subject: [expert] Password issues

I'm in the process of migrating all my NT servers to Linux Mandrake 7.2

Currently, there's a PDC holding all the user's network folders and a couple of SDC's running a variety of services, including IMAP, SMTP, LDAP, web cache, printing, etc.

All my users authenticate against the NT domain. So far I think I've got this covered. I already cracked all my users' passwords (using l0phtcrack 2.52). Right now I'm in the process of writing a couple of migration scripts that will add the users, first to Linux and then to Samba 2.07, then move all the files from the NT file server to the Mandrake server and finally their mailboxes to a second Mandrake server. After taking the NT PDC offline I'll reconfigure Samba to act as a PDC on the file server and as a SDC on the mail server.

If all goes well, my users won't notice the change. Or at least that's my goal, a completely transparent migration experience (at least for them).

My problem is that some of my users have very weak passwords and Mandrake won't allow them. I intend to address that issue sometime soon but I need to migrate them ASAP. So the question is: How do I instruct Mandrake to accept whatever silly thing the users have chosen as their password.

Can anyone help me please?