This is the preliminary outline for a scheme, using CIFS and LDAP, that provides unified authentication and token management for a heterogeneous network. It can be used with all Windows clients, Samba servers, and any Unix flavor which fully supports PAM and NSS. A port of Linux-PAM is preferred if available; Solaris PAM lacks features which are needed for some of the finer points of the design, but this only affects password changing.

The following components are needed:

server-side

* 1 PDC (primary domain controller): Samba or NT
* 0 or more BDCs (backup domain controllers)
* 1 or more LDAP servers, with replication.

The LDAP servers don't need to be the same machines as the domain controllers, but this may be advantageous: since both services need to be available for the system to work properly, there might as well be a single point of failure. This becomes less important if replication is introduced into the system.

client-side

* Windows clients
* Unix systems with PAM support and the pam_ntdom module, and also NSS support with the nss_ldap module.

I'm not certain whether Samba's BDC replication support is mature enough to use Samba as both PDC and BDC for a domain. We will assume here that Samba satisfies the needs for domain control in our sample case. Setting up Samba as a PDC is covered in the Samba NT domain FAQ on the samba.org website. Configuring an LDAP server is left as an exercise to the reader, and/or any documentation you can find yourselves; I have no experience in this regard. :)

Note that, because all passwords are stored in the smbpasswd database rather than in the LDAP backend, LDAP-over-SSL is not strictly necessary for confidentiality: the information the directory contains is no more sensitive than the /etc/passwd file on a shadowed system. Bear in mind, though, that every client trusts the uid, gid, home directory and shell it receives from the directory, so the directory and the path to it still need to be protected against tampering even though their contents are not secret. The main cause for concern is if you want to use non-local access methods to update user entries in the directory, in which case some sort of encrypted tunneling would be appropriate.
Once the LDAP directory has been configured and populated with passwordless entries, you can configure the Samba server to use nss_ldap. Note that Samba will *not* authenticate users in the smbpasswd db unless they first exist in the /etc/passwd file (or, with nss_ldap in place, are resolvable through NSS). This is a deliberate design decision, intended to ensure that Samba always respects the Unix security model.

To configure NSS on the PDC, add the following lines to /etc/nsswitch.conf (or equivalent):

passwd: db files ldap
shadow: db files

Note that this config gives precedence to entries stored in local files. This makes it possible to designate 'local' users, whose accounts will still be usable even when the LDAP server is compromised or becomes inaccessible. Here, LDAP is not consulted for shadow file entries. This could be done if the administrator wishes to store information about account expiration, but the LDAP server should NEVER be populated with passwords.

When the machine acting as the PDC has been properly configured with NSS, you can begin adding users to the smbpasswd database using the command 'smbpasswd -a <username>'. This assumes a small preëxisting userbase; if adding users one at a time and distributing new passwords as the accounts are created is /not/ a viable option, you may need to take additional steps to import your existing database.

After the PDC has been configured and accounts have been added, you'll want to configure PAM on the PDC itself so that local Unix services use the smbpasswd db for authentication. A simple PAM config serving this purpose would look like:

auth sufficient /lib/security/pam_unix_auth.so
auth required   /lib/security/pam_smbpass.so

With this ordering a user who has a local Unix password is accepted as soon as pam_unix_auth succeeds (sufficient), while a user without one falls through to pam_smbpass, which must then succeed (required). pam_smbpass (or pam_ntdom; see below) must be added to the PAM configuration for all services that expect password-based authentication. This module is available from ftp://ftp.netexpress.net/pub/pam/

Other machines on the network will need to use an NSS configuration like the one specified for the PDC.
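The following is an added example; it is not part of the original outline and is not code from the pam_smbpass or pam_ntdom projects. It evaluates the two-line auth stack above (and the pam_ntdom variant used on other machines, which has the same control flags) under Linux-PAM's classic control-flag semantics, showing why pam_unix_auth is 'sufficient' and the smbpasswd module 'required': local users short-circuit, domain-only users fall through, and a stack with both modules 'required' locks everyone out. It also checks an nsswitch.conf against the two rules above (local files before ldap; no ldap on the shadow line). The account data and the module stand-ins are constructed for the example.

```python
"""Simulate the PAM 'auth' stacks from the text and audit nsswitch.conf.

Added example, not code from the original page or from the pam_smbpass /
pam_ntdom projects.  The module functions are stand-ins for the real
modules and the account data is constructed.
"""

PAM_SUCCESS, PAM_AUTH_ERR = "success", "auth_err"

# Constructed sample data (not from the page): local /etc/shadow entries
# exist only for 'root' and 'backup'; the domain users live in smbpasswd.
UNIX_PASSWORDS = {"root": "r00t-local", "backup": "tape-only"}
SMB_PASSWORDS = {"alice": "w1nd0ws", "bob": "s3cret"}


def pam_unix_auth(user, password):
    """Stand-in for pam_unix_auth.so: checks the local shadow database."""
    return PAM_SUCCESS if UNIX_PASSWORDS.get(user) == password else PAM_AUTH_ERR


def pam_smbpass(user, password):
    """Stand-in for pam_smbpass.so (local smbpasswd) and pam_ntdom_auth.so
    (the same check made against the PDC from another machine)."""
    return PAM_SUCCESS if SMB_PASSWORDS.get(user) == password else PAM_AUTH_ERR


MODULES = {
    "pam_unix_auth.so": pam_unix_auth,
    "pam_smbpass.so": pam_smbpass,
    "pam_ntdom_auth.so": pam_smbpass,
}


def parse_auth_stack(text):
    """Return [(control, module)] for the 'auth' lines of a PAM config."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack


def run_auth_stack(stack, user, password):
    """Walk the stack with the classic Linux-PAM control flags.

    required   - failure is remembered, later modules still run
    requisite  - failure ends the stack immediately
    sufficient - success ends the stack immediately unless an earlier
                 'required' module already failed; failure is ignored
    optional   - result is ignored
    """
    failed = False
    for control, module in stack:
        result = MODULES[module](user, password)
        if control == "sufficient":
            if result == PAM_SUCCESS and not failed:
                return PAM_SUCCESS
        elif control == "requisite":
            if result != PAM_SUCCESS:
                return PAM_AUTH_ERR
        elif control == "required":
            if result != PAM_SUCCESS:
                failed = True
        elif control != "optional":
            raise ValueError("unknown control flag: " + control)
    return PAM_AUTH_ERR if failed else PAM_SUCCESS


# The stack from the text: local password first, then smbpasswd.
PDC_STACK = """
auth sufficient /lib/security/pam_unix_auth.so
auth required   /lib/security/pam_smbpass.so
"""

# Contrast: both modules 'required'.  A domain-only account fails because
# it has no shadow entry; a local-only account fails because it has no
# smbpasswd entry.  Nobody with a single password can log in.
BOTH_REQUIRED_STACK = """
auth required /lib/security/pam_unix_auth.so
auth required /lib/security/pam_smbpass.so
"""


def check_nsswitch(text):
    """Findings against the two rules in the text: 'files' must precede
    'ldap' on the passwd line, and 'ldap' must not appear on shadow."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        db, sources = db.strip(), sources.split()
        if db == "passwd" and "ldap" in sources and (
                "files" not in sources or sources.index("ldap") < sources.index("files")):
            findings.append("passwd: ldap takes precedence over local files")
        if db == "shadow" and "ldap" in sources:
            findings.append("shadow: ldap is consulted for password data")
    return findings


if __name__ == "__main__":
    stack = parse_auth_stack(PDC_STACK)
    for user, pw in [("root", "r00t-local"), ("alice", "w1nd0ws"), ("alice", "guess")]:
        print(user, run_auth_stack(stack, user, pw))
    print(check_nsswitch("passwd: ldap files\nshadow: files ldap\n"))
```

Running the module prints one result per trial login against the stack from the text, then the two findings for a deliberately wrong nsswitch.conf. The 'sufficient'-then-'required' shape is what lets the same stack serve both local and domain users; swapping the flags or making both 'required' is a common way to lock the PDC's own console out once the domain accounts are in use.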
The PAM configuration will be similar, but not identical; instead of pam_smbpass, which operates in a local context, pam_ntdom, which authenticates against the domain controller, should be used:

auth sufficient /lib/security/pam_unix_auth.so
auth required   /lib/security/pam_ntdom_auth.so

Source code and documentation for the pam_ntdom module are available from http://mailhost.cb1.com/~lkcl/pam-ntdom/

Password management
-------------------

(To be continued...)