[BBLISA] CentOS/RH 5 Samba as PDC+NIS w/o LDAP?

Dean Anderson dean at av8.com
Tue Aug 28 16:02:50 EDT 2007


On Mon, 27 Aug 2007, Scott Ehrlich wrote:

> For those who are new or forget - I have a RHEL 5 Server and a few dual-boot XP 
> w/SP2 and CentOS 5 systems.  The Linux machines were installed straight off 
> CD/DVD, no patches.
> 
> I was initially going to try a single sign-on to the RH 5 box via LDAP, but RH 
> says it simply isn't possible and I don't know my way around LDAP other than it 
> is a database and exists.

If you want single sign-on to Windows boxes, you have to have a domain
controller. I haven't run this software in a bit, but I think the Linux
PDC stuff that goes along with the SMB (SMB is really the file-sharing
protocol) Linux/Unix suite can use multiple sources for
username/password information, including LDAP.  LDAP is just the store
(lightweight X.500 directory access) for information.  Access to that
information is authenticated and ACL'ed, so other applications use LDAP
as an authentication service. But LDAP is not really meant to be an
authentication service; it's just a side effect of having the
user account information also stored in LDAP and the capability to
verify usernames and passwords.

> So, option 2 is to simply have the RH 5 Server act as a Windows PDC
> via Samba and use NIS to enable users to log in, all the while, in
> either situation, having the RH 5 box serve out the user's central
> home directory - mounted as a drive letter under Windows, or exported
> under Linux.

Linux makes a crappy NFS fileserver. I'm not sure it makes a good SMB
fileserver either, but few people ever seem to care about SMB
performance. They are thrilled enough to be able to get rid of their
Windows fileservers.

You have basically two problems to solve with single sign-on: the problem
for Windows and the problem for Linux/Unix/Mac.  You want a single
source for both platforms.

You've figured out the Linux/Unix SMB/PDC software for Windows, mostly,
I think. That gets you access to remote files and sign-on for Windows.
I think you have some options as to where the Linux/Unix SMB software
gets its usernames and passwords. If I recall, that can still be an LDAP
store. You'll have to research that, though.

As you discovered, Windows won't use LDAP directly.  Actually, the
Windows PDC does have its own LDAP server, but replacing this is tricky.
Don't bother. Using the Windows LDAP PDC server for other purposes has
also been dubious, in my view.  Get an LDAP server running on
Linux/Unix.

The next step is providing remote files and sign-on for Linux/Unix/Mac
platforms.  I suggest you get a Solaris/BSD box for NFS and make that
your fileserver. You can run SMB fileservice off of that. You can still
make your RH box your PDC, backed by LDAP if you like. I'd
stay away from NIS; it's terribly insecure.  We used it back in the '80s
and '90s when we didn't know any better.  NIS+ is Kerberos V-based, but
kind of clunky. Your Linux/Unix/BSD boxes that use PAM authentication
modules will be able to authenticate against your LDAP store and a
variety of other sources.  LDAP could still be useful.  Of course, you
can also authenticate against a master passwd file somewhere, too.  You
just need a source that both your Linux PDC software and your
Linux/Unix PAM modules will all support.

Hope that helps.

		--Dean

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000   
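Editor's note, added to this archive page and not part of Dean's or Scott's
message: the layout the reply sketches (a Samba 3 PDC on the RHEL/CentOS 5
box, account data in an OpenLDAP store rather than NIS, and the CentOS 5
clients authenticating through PAM/nss_ldap against the same store) is
wired together by the two files below. The domain name EXAMPLE, host names
RH5PDC and ldap.example.com, the suffix dc=example,dc=com, the share paths
and the use of smbldap-tools for the machine-account script are all
assumptions made for the example; the thread names none of them.

```ini
# --- /etc/samba/smb.conf on the RHEL 5 box (Samba 3.0.x, as shipped with RHEL/CentOS 5)
# Assumed names for this example: domain EXAMPLE, PDC RH5PDC, directory
# server ldap.example.com, suffix dc=example,dc=com.
[global]
    workgroup = EXAMPLE
    netbios name = RH5PDC
    server string = Samba PDC
    security = user
    encrypt passwords = yes

    # Make this box the (only) domain controller for EXAMPLE
    domain logons = yes
    domain master = yes
    preferred master = yes
    local master = yes
    os level = 65

    # Accounts come from the LDAP store, not from NIS and not from a
    # local smbpasswd/tdbsam file (the default would be: passdb backend = tdbsam)
    passdb backend = ldapsam:ldap://ldap.example.com
    ldap admin dn = cn=Manager,dc=example,dc=com
    ldap suffix = dc=example,dc=com
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap idmap suffix = ou=Idmap
    ldap passwd sync = yes
    # The admin bind and the password hashes must not cross the wire in clear text
    ldap ssl = start tls

    # The user's central home, mapped as H: on the Windows side (logon home
    # doubles as the Unix home when the [homes] share is used)
    logon path = \\%L\profiles\%U
    logon drive = H:
    logon home = \\%L\%U
    logon script = logon.bat

    # Assumption: smbldap-tools is installed to create machine accounts in LDAP
    add machine script = /usr/sbin/smbldap-useradd -w "%u"

[netlogon]
    path = /var/lib/samba/netlogon
    read only = yes
    browseable = no

[profiles]
    path = /var/lib/samba/profiles
    read only = no
    browseable = no
    create mask = 0600
    directory mask = 0700

[homes]
    comment = Home Directories
    valid users = %S
    read only = no
    browseable = no

# --- /etc/ldap.conf (nss_ldap / pam_ldap) on the CentOS 5 clients and on the PDC itself
# Same assumed server and suffix as above.
uri ldap://ldap.example.com/
base dc=example,dc=com
ssl start_tls
tls_cacertfile /etc/openldap/cacerts/ca.pem
pam_password exop
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_group  ou=Groups,dc=example,dc=com?one
```

Before Samba can bind as the admin DN, store that password once in
secrets.tdb with `smbpasswd -w` (it is never kept in smb.conf), and load
Samba's samba.schema into slapd so the sambaSamAccount attributes exist.
On the RHEL/CentOS 5 side the /etc/ldap.conf, /etc/nsswitch.conf
(`passwd: files ldap`, `shadow: files ldap`, `group: files ldap`) and
PAM stacks are normally written by `authconfig --enableldap
--enableldapauth --ldapserver=ldap.example.com
--ldapbasedn="dc=example,dc=com" --enableldaptls --update` rather than by
hand. The point of `ldap ssl = start tls` and `ssl start_tls` is the
one the reply makes against NIS: every read of account data and every
bind is authenticated and encrypted, instead of being handed to anyone on
the LAN who asks the right RPC.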