[wplug] Re: nis authentication via samba
Jeffry D. Woods
jdwoods at attbi.com
Mon Jan 28 20:24:50 EST 2002
For setting up Samba on Linux to work you don't really need NIS; that's another
added service that you have to secure. Setting up Samba is pretty easy for Windows
client connections, and all you really need is Samba running with a few little
system tweaks. The current setup I use is as follows, and it is working with around 35
Windows workstations (I did change some of this to not give up my network; it's
firewalled and NAT'd, but why take unnecessary chances), but this is enough info to
get up and running:
1.) First I set Samba up with the following in /etc/samba/smb.conf

    [global]
    printing = bsd
    workgroup = WORKGROUP
    load printers = yes
    log file = /var/log/samba/samba-log.%m
    lock directory = /var/lock/samba
    # class c block.
    interfaces = 10.10.10.1/24
    # need both of these - local is needed.
    allow hosts = 10.10.10. 127.
    preferred master = yes
    encrypt passwords = no
    # needed in this order
    name resolve order = lmhosts bcast wins
    max log size = 50
    debug level = 1

The rest can be set as you see fit for the type of connections you are going to
use, this is a sample one:

    [photos]
    comment = Photo Storage Area
    path = /local/photos
    preserve case = yes
    read only = yes
    write list = @photos
    force group = photos
    force create mode = 764
    force directory mode = 775
    short preserve case = yes
    create mode = 0765
    valid users = @photos

2.) Next in /etc/samba/lmhosts, list the IP, name (fully qualified), and netbios name
of all your workstations as follows:

    10.10.10.10 crazy.some.dom crazy

3.) Next unshadow your password file with pwunconv, and copy /etc/passwd to
/etc/passwd.save (for safety). Add a line for each workstation as follows:

    crazy:x:631:99:Jeff's Workstation:/dev/null:/bin/false

Explanation: "crazy" is the workstation name, "x" is where the shadowed password
is going to be, "631" is a user number I gave to it or you can start that as the
next user or make your own number up, "99" is the group 'nobody', "Jeff's
Workstation" is just a description sort of like a real user's name for the account,
"/dev/null" is just in case a real person tries to log into this account (they go
nowhere), and "/bin/false" would be the login shell such as bash. You will get a
handle on this when you see the password file. Also, make sure that "false" is in
the /bin directory; most distros do have it there (i.e. this is RH 7.1). After you
edit /etc/passwd make sure you re-shadow it with pwconv. Then give that account a
password, i.e. "passwd crazy"; I picked one password for all workstations.

4.) Next in /etc/group, make the group and give it an unused group number as follows:

    photos:x:511:crazy

You are pretty much done with the server now. In the directory you choose, this
case /local, make the directory you named, this case again "/local/photos". Then
restart samba, /etc/rc.d/init.d/smb restart.
Next is the windows clients. Use Client for Microsoft Networks. The user name in
this case will be "crazy", and the password will be whatever you made it on the
server end. I set windows up with plain text passwords to do this login, much
easier and smoother to do this way. On the Linux box, you will find registry
entries that will help you with this as follows:
/usr/share/doc/samba-2.0.10/docs/NT4_PlainPassword.reg
/usr/share/doc/samba-2.0.10/docs/Win2000_PlainPassword.reg
/usr/share/doc/samba-2.0.10/docs/Win95_PlainPassword.reg
/usr/share/doc/samba-2.0.10/docs/Win98_PlainPassword.reg
Use whichever one fits; it's self-explanatory here. I also think there's one
called Win9x_PlainPassword.reg, this is for ME in case you are using it. The one
for 2000 also works for XP. Get the file you need, double click it, reboot the
windoz box, and you're in.
Mapping the drive: right click My Computer, Map network drive, make it any letter
you want and in the path "\\servername\photos", and you have a connection. There's
some work involved here, it's a workstation connection, every time you start the
win box you're automatically connected, and there's no extra services to secure on
the server.
Hope this helps,
Jeff
>
> Currently I have it set up using the smbpasswd file, the default I believe.
> I'm not quite sure what I would have to change to get it to use either NIS or
> the unix passwd file. I don't even know if this is possible. Does the unix
> crypt return the same thing NT does when it encrypts the password for
> validation?
>
> --
> john
> "have algorithm-will travel"
>
> --__--__--
>
> _______________________________________________
> wplug mailing list
> wplug at wplug.org
> http://www.wplug.org/mailman/listinfo/wplug
>
> End of wplug Digest
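
An added example, not part of the message above and not Samba project code: a short Python audit for an smb.conf like the one described, flagging text that trails a value after "//", "#" or ";" (Samba treats only whole lines starting with "#" or ";" as comments, so such text becomes part of the value), "encrypt passwords" switched off, and a [global] section with no host restriction. The sample file, function names and finding strings are constructed for illustration.

```python
import re

# Constructed sample modelled on the settings quoted in the message above.
SAMPLE = """\
[global]
workgroup = WORKGROUP
interfaces = 10.10.10.1/24 //class c block.
Encrypt Passwords = no
; a whole-line comment like this one is ignored
[photos]
path = /local/photos
valid users = @photos
"""

FALSE_VALUES = {"no", "false", "0"}           # boolean spellings read as "off"
HOST_LIMITS = {"hosts allow", "allow hosts"}  # synonyms for the same parameter


def parse_smb_conf(text):
    """Return {section: {param: (lineno, value)}}, names lower-cased."""
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":       # comments must start the line
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            current[" ".join(name.lower().split())] = (lineno, value.strip())
    return sections


def audit(text):
    """Return sorted (lineno, parameter, finding) tuples; lineno 0 = missing."""
    conf, findings = parse_smb_conf(text), []
    for params in conf.values():
        for name, (lineno, value) in params.items():
            if re.search(r"\s(//|#|;)", value):   # heuristic for a stray comment
                findings.append((lineno, name, "trailing text is read as part of the value"))
    glob = conf.get("global", {})
    lineno, value = glob.get("encrypt passwords", (0, ""))
    if value.lower() in FALSE_VALUES:
        findings.append((lineno, "encrypt passwords", "passwords cross the network in plain text"))
    if not glob.keys() & HOST_LIMITS:
        findings.append((0, "hosts allow", "no host restriction in [global]"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=": ")
```
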