CentOS/RH 5 Samba as PDC+NIS w/o LDAP?

[me-5yx05kfkO/aqeI1yJSURBw at public.gmane.org (Matthew Gillen)]

Scott Ehrlich wrote:
> I was initially going to try a single sign-on to the RH 5 box via LDAP,
> but RH says it simply isn't possible and I don't know my way around LDAP
> other than it is a database and exists.

It /is/ possible, but it's awfully painful.

> So, option 2 is to simply have the RH 5 Server act as a Windows PDC via
> Samba and use NIS to enable users to log in, all the while, in either
> situation, having the RH 5 box serve out the user's central home
> directory - mounted as a drive letter under Windows, or exported under
> Linux.
> 
> I've spent much of last week and much of today [trying to learn] LDAP,
> and today, finally deciding to dump that, but proceeding with Samba as a
> PDC.

You're probably right to start with the simpler configuration of having 2
user databases (linux and windows usernames are the same, and map to the
same uid, but the passwords may be different).  The LDAP config required
some really strange stuff, like obscure DNS entries that mapped to my samba
server.

> For Samba as a PDC - what is the best way to have Win XP Pro w/SP2
> successfully authenticate to Samba as a domain controller with encyrpted
> passwords?  And, to have Samba establish the user's home directory as a
> mapped drive?  I've used a barrage of web sites showing various smb.conf
> confing files but can't yet get my test XP machine to authenticate to
> the domain I set in my smb.conf file.

>From what I remember, you need to create the machine accounts, and the
minimal configuration from here:
http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-pdc.html#id329681

(the netlogon share is important; I created a [profile] share too, but I
don't think it's strictly necessary)

Also, you'll want to tell samba to be the WINS server.  After you set up the
server (and the client-machine account on the server), go through the "join
a domain" wizard on the WinXP box.  You'll need to reboot the XP box after
this wizard.

> For NIS - what is the best way to permit the user to log into their
> account, created on RH 5 server, and have their home directory exported
> to their workstation?

That one's easy: use the automounter.  Assuming you've already set up the
rest of the NIS server [1] and the NFS share for /home [2], go to /var/yp/
and edit the Makefile there.  Look for the 'all' target.  You can comment
out some the things there.  For instance, I only use these:
 all:  passwd group rpc services netid protocols mail \
      netgrp auto.master auto.home hosts

Create /etc/auto.home to look like this:
 # Auto.home
 *       nfsserverName:/home/&

Then type 'make' in /var/yp, and 'service ypserv restart', and you're done.
 Assuming the clients were setup using redhat's tools to make them NIS
clients, the autofs service will get the new configuration automatically
(you may need to restart a few services, safer to reboot the clients to get
the changes unless you know the right order to restart the services in).
(note the the ampersand means it's an indirect map, which is a little
different than your normal NFS share as you'll see...)

> I presume there will be no problem with users simultaneously logging
> into multiple workstations, be it Linux or Windows?

No problem, unless the user-level apps conflict (ie Firefox locks the
profile so only one linux instance can work at a time, firefox in windows
one depends on the configuration; ie by default).

> I only bother the list because I have scoured so many web sites, some
> with a variety of options, I believe I'll get the best answer here.

If you try the above and have a more specific problem with the WinXp stuff,
feel free to ask again.  A detailed problem description might jog my memory ;-)

Good luck,
Matt

[1] This is the only page you need for the NIS server config:
http://tldp.org/HOWTO/NIS-HOWTO/ypserv.html
[2] there's a redhat/system-config-nfs gui for setting up the /home NFS dir,
or http://tldp.org/HOWTO/NFS-HOWTO/server.html if you want to do it by hand



-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.