Samba as a PDC question

Hi everyone,

I want to run RH 9.0 as a Samba PDC in a (50 user) all windows XP Pro.
network. I would like Samba to do the following:

1. Provide *logon* authentication for the users. If they don't
authenticate then I don't want them to be able to log onto the system.

2. Is there a way with Samba to control if a user can install software?
Kinda like with a Windows domain, if you are a *user* the you can't install
software. However, if you are a *power user* you can. I don't want just
anyone to be able to make changes to their systems.

I know I can do it in the registry but I am looking for a *central* way to
do it. Besides, the user can just run regedit and undo my changes.

Thanks for any input.


Clay

Sorry for all the re-post everyone. There was a BIG delay before my posts
showed up. I thought maybe they were not getting to the server at all.
Again, sorry.

Clay


"Clayton Sutton" <noreply@noreply.com> wrote in message
news:vp727e9rlero47@corp.supernews.com...
> Hi everyone,
>
> I want to run RH 9.0 as a Samba PDC in a (50 user) all windows XP Pro.
> network. I would like Samba to do the following:
>
> 1. Provide *logon* authentication for the users. If they don't
> authenticate then I don't want them to be able to log onto the system.
>
> 2. Is there a way with Samba to control if a user can install software?
> Kinda like with a Windows domain, if you are a *user* the you can't
install
> software. However, if you are a *power user* you can. I don't want just
> anyone to be able to make changes to their systems.
>
> I know I can do it in the registry but I am looking for a *central* way to
> do it. Besides, the user can just run regedit and undo my changes.
>
> Thanks for any input.
>
>
> Clay
>
>
>

In article <vp727e9rlero47@corp.supernews.com>,
"Clayton Sutton" <noreply@noreply.com> writes:
>
> I want to run RH 9.0 as a Samba PDC in a (50 user) all windows XP Pro.
> network. I would like Samba to do the following:
>
> 1. Provide *logon* authentication for the users. If they don't
> authenticate then I don't want them to be able to log onto the system.

This should be the way it works, at least to a first approximation. There
are some important caveats, though:

- You've got to configure the WinXP systems to be members of the domain.
- I'm not sure about WinXP Pro, but with Win2K, it's possible for users
to log on using a local user database instead of the domain database,
just by changing the domain on the logon screen. This shouldn't be a big
deal *IF* users don't have locally-defined accounts.
- Anybody with physical access to the computer can run recovery tools or
the like to reconfigure it. Of course, if you're worried about this sort
of thing, you're talking about a level of security that requires hiring
a security expert to manage things.

> 2. Is there a way with Samba to control if a user can install software?
> Kinda like with a Windows domain, if you are a *user* the you can't install
> software. However, if you are a *power user* you can. I don't want just
> anyone to be able to make changes to their systems.

You should be able to do this by putting users in the appropriate group
(Users vs. Power Users). Doing this will require setting up an appropriate
group mapping, which you can do with the "net groupmap" command (check the
"net" manpage).

--
Rod Smith, rodsmith@rodsbooks.com
http://www.rodsbooks.com
Author of books on Linux, FreeBSD, and networking

>> 1. Provide *logon* authentication for the users. If they don't
>> authenticate then I don't want them to be able to log onto the
>> system.
>
> This should be the way it works, at least to a first approximation.
> There are some important caveats, though:
>
> - You've got to configure the WinXP systems to be members of the
> domain.

We have been using samba as a PDC on a Windows 2000 network, and it's
working quite well. There's an odd little process you have to follow to
join the domain: make sure each Windows XP system joins the domain, then
users can log in from any one of these.

>- I'm not sure about WinXP Pro, but with Win2K, it's possible
> for users to log on using a local user database instead of the domain

I think a solution for this is to automatically delete the roaming profiles
on the Windows systems. Under 2000, I used the group policy editor
(gpedit.msc command); there was an option somewhere in there to 'delete
local copies of roaming profiles' or something to that effect. Make sure
you switch that on!

--
Jem Berkes
http://www.sysdesign.ca/

Go to ibm.com and search for "samba as a pdc" it will give you step by step
instructions on how to set up your redhat box as a PDC, it is awsome, I can
run a PDC in an old computer and still have a great response.
I am not sure they give you details on the user permissions in depth, but it
is a great tutorial.
If you find any tutorials on user account permissions and details, post them
here.

Thanks
"Clayton Sutton" <noreply@noreply.com> wrote in message
news:vp727e9rlero47@corp.supernews.com...
> Hi everyone,
>
> I want to run RH 9.0 as a Samba PDC in a (50 user) all windows XP Pro.
> network. I would like Samba to do the following:
>
> 1. Provide *logon* authentication for the users. If they don't
> authenticate then I don't want them to be able to log onto the system.
>
> 2. Is there a way with Samba to control if a user can install software?
> Kinda like with a Windows domain, if you are a *user* the you can't
install
> software. However, if you are a *power user* you can. I don't want just
> anyone to be able to make changes to their systems.
>
> I know I can do it in the registry but I am looking for a *central* way to
> do it. Besides, the user can just run regedit and undo my changes.
>
> Thanks for any input.
>
>
> Clay
>
>
>