Blog / News

Monthly Archives: September 2004

Posted on by Chris

PaperCut Tip of the Month – Sep 04

One of our customers suggested that I my blog to write about using PaperCut. I’ve decided to write a Tip of the Month article every 4 weeks to highlight some of PaperCut’s “hidden” features.

This month I’ll talk about of the new features in Version 5.0. All existing PaperCut users would be aware of PaperCut’s automatic account creation rules. These helps streamline user management by automatically configurating new user accounts within PaperCut. There is still however a need to synchronize PaperCut’s user list with the users listed in Active Directory or the Domain. This is usually done manually via the “TuneUp” button. Version 5 now introduces a command-line script to automate this task. The script is located under:

C:/Program Files/PaperCut/Scripts/addnewusers.bat

Network administrators can now set this script to run automatically via the Windows Task Scheduler or out of other system maintenance scripts. Many large organizations use scripts to create user accounts. You can now incorporate this command into such scripts so PaperCut is instantly notified of the new users. This new feature brings PaperCut one-step closer to our “zero administration” goal.

Posted in PaperCut Tips | Leave a comment


Posted on by Chris

PaperCut Quota 5.0 now out

We released PaperCut Quota version 5.0 last week. My previous log entry provides a good overview of some of the new features and future development plans.

News on the release spread fast. We received our first upgrade request only 2 hours after the final build was uploaded. We’ve had great feedback from the existing customers, with the enhanced web tools and Internet quota support getting much attention.

We’ve updated the product tour page to include an overview of the new features. This is a good place to start if you’re interested in a visual guide to the changes. Thanks to all the people provided feedback, ideas, and also to those that helped with testing.

Posted in Releases | Leave a comment


Posted on by Matt

Getting Samba to authenticate to a Windows Domain

Introduction

Samba is a tool most known for it’s ability to provide windows file sharing cababilities to linux/unix platforms. With very little effort you can set up a Samba file server which will cost you very little. If you had to go out and buy one of the Windows server editions you’d be up for at least a couple of thousand dollars in windows licenses.

In addition to basic file server, Samba actually join your Windows Domain, which allows it to authenticate users against your Window security infrastructure. There’s no need to synchronise user databased between systems, because Samba reads all this information directly from your domain controller(s). So restricting access to Samba shares to particular Windows users or groups is simply a matter of a little configuration.

This also opens the door for other applications running in your unix environment to authenticate against a Windows Domain. For example, authenticating users when accessing the internet through a Squid web proxy (but I’ll leave the configuration of that for another day…).

Installation

I’m not going to go into too much detail here, because installation is usually handled pretty well by most linux distributions. We user Debian Linux which automates most of the installation process. If you want to roll it your self grab it from the Samba download page and follow the very good documentation. If like us you use Debian just run:

# apt-get install samba winbind

Winbind is the part of samba that is responsible for for integrating windows authentication and the user database into unix.

NOTE: I’m assuming you’re using Samba 3.0.x, which has been out since Sept 2003, so there’s no good reason not to be running it. I’m using 3.0.7 because it provides the latest and greatest functionality to authenticate to a Windows domain… and fixes a couple of issues.

Configuration

Open up the Samba config file smb.conf, which on Debian is located /etc/samba.

First set the workgroup setting to the name of your windows domain, e.g.

workgroup = MYDOMAIN

To instruct Samba to use the domain for it’s user/group database you need to set the security settting as follows:

security = DOMAIN

To allow winbind to map windows users and groups into the unix world you need to instruct winbind which uid and gid ranges to use. Make sure these don’t overlap with entries in your /etc/passwd and /etc/group files. Add entries like the following:

idmap uid = 10000-20000
idmap gid = 10000-20000

And by setting the following you won’t have to prefix your usernames with the domain (i.e. MYDOMAINuser) from within unix, because the default domain will be assumed by default.

winbind use default domain = Yes

Then save your changes to smb.conf.

Joining the Domain

Before you restart your Samba daemons for the changes to take effect, you need to do the following to join your Samba machine to the windows domain. You’ll probably need to be running as root. The username/password you specify here is a Admin user on your windows domains that has permission to add machines to the domain.

# net rpc join -UAdministrator%'password'
Joined domain MYDOMAIN.

Now you can (re)start your sambe service (smbd, nmbd, winbind). On Debian do:

# /etc/init.d/samba restart
Stopping Samba daemons: nmdb smbd.
Starting Samba daemons: nmdb smbd.
# /etc/init.d/winbind restart
Restarting the Winbind daemon: winbindd.

Now you have to tell your system to use winbind in addition to the standard files (/etc/passwd and /etc/group) as a user/group database. To do this edit /etc/nsswitch.conf as follows:

passwd: files winbind
group:  files winbind
hosts:  files dns winbind

And then we need to tell winbind what user to use when initiating sessions to your domain controller. To do this (using an admin user on your domain):

# wbinfo --set-auth-user=Administrator%password

Testing it all

And finally we should be able to test that all the above works ….

# wbinfo -u
MYDOMAINAdministrator
MYDOMAINGuest
MYDOMAINmatt
... remainder of domain users ...

If you got a list of users from your domain then we’re cooking with gas! wbinfo -g will give you a list of all your domain groups.

To check that winbind is doing it’s job you should be able to query the unix user database and find users from your windows domain, like below:

# getent passwd Administrator
Administrator:x:10000:10000::/home/MYDOMAIN/Administrator:/bin/false

Woohoo … it’s working. Winbind is authenticating to the windows domain. More later on useful ways on how to make use of this.

Posted in General | 1 Comment


Blog Categories & Archives