userKit NTscripts README

Author: Jonathan Abbey
Release: $name:  $
Version: $Revision: 1.5 $
Last Mod Date: $Date: 2001/01/26 23:51:33 $
--------------------------------------------------------------------------------

GanymedeRemote.pl is a Win32 Perl script which is designed to be
placed on a Windows NT Primary Domain Controller (PDC) and which
updates the Windows NT domain with account information from the
Ganymede server.

In order to make this work, you need to get several pieces set up on
your Windows NT PDC.  

First of all, you need to have ActiveState Perl installed.  You can
find this at http://www.activestate.com/.  Perl 5.6 should work just
fine.

Second, you need the Win32::NetAdmin and Win32::AdminMisc Perl
modules, which enable user and group administration under Windows NT.
The Win32::NetAdmin module is included with recent distributions of
ActiveState Perl, but you will need to download and install the
Win32::AdminMisc module yourself.  It can be found at
http://www.roth.net/perl/adminmisc/, along with a ton of information
on how to use it.

Third, you need a reliable rsh service installed on your Windows NT
PDC, so that the Ganymede server can run GanymedeRemote.pl using rsh.

It would be even better if you could find an affordable and
easy-to-use ssh service for NT to use instead.  You can find some
references to ssh services for Windows NT at http://www.freessh.org/.

There are now quite a few pages devoted to helping you get sshd set
up on Windows NT without paying anything out of pocket, but it is
still a bit involved at this point.  All the resources I can find are
basically quick ports of one of the UNIX sshd implementations.

Since we have our Ganymede server and our Windows NT PDC on a local,
switched network that is generally not exposed to packet sniffing by
users, we just make do with rsh at this point in time.  Keep in mind
that a switch only raises the bar: anyone who can plug into the same
segment can still try ARP spoofing or MAC flooding to see traffic
they shouldn't, so this is a risk decision, not a guarantee.

We use Denicomp's RSH service for Windows NT, which is not free, but
works really well, far better than the RSH service included with the
Windows NT Resource Kit.  You can find theirs at
http://www.denicomp.com/.

There is also a free, but much less polished, RSH service for NT
available from http://home.us.net/~silviu/.  I have not tested this
version, but it looks as though it will support all the features
necessary to support userKit RSH synchronization.

Once rsh is installed, you will need to configure it to make sure
that everything is as secure as possible.

With Denicomp's RSH service, you set up a security file that looks
very similar to what you might expect to work with on a UNIX
system.  You want to edit this file and set a username and host
pair to allow rsh access.

For instance, to allow rsh from an account named 'ganymede' on a
machine named ganymedeServerName.mydomain.org, you would have a line
in the security file like this:

+ganymede@ganymedeServerName.mydomain.org

This tells the rsh service to allow remote command execution by a
client identifying itself as 'ganymede' from your Ganymede server
host.  Note that this is an arbitrary account name; it doesn't mean
that the rsh command is actually being run by an account named
ganymede on your UNIX host, just that the client uses that name for
the purposes of the rsh call.  Nothing in the rsh protocol proves
either the name or the host: the service trusts the username the
client sends and the source address of the connection, so anyone who
can reach the PDC from that address (or spoof it) can claim to be
'ganymede'.  Keep the allowed list to exactly the one user@host pair
you need.

You'll want to go through your rsh service's options.  You want to
allow the 'ganymede' account to have administration privileges, which
is the default in Denicomp RSH.  You probably want the Perl
interpreter to have its window hidden, and you definitely want to
capture stdin/stdout for all programs, as GanymedeRemote.pl depends on
receiving the synchronization file on STDIN.  You probably want to
disable all remote file copy (rcp) permissions.

Once you have Perl, Win32::AdminMisc, and an rsh service installed,
you will want to transfer the GanymedeRemote.pl script to a known
location on your Windows NT PDC.  We use c:\ganymede, but this may
differ according to your tastes.  You will have to edit the
GanymedeRemote.pl script to set a number of operational parameters.
In particular, you have to edit the $server variable with the WINS
name of your Windows NT PDC.  If you don't set this correctly,
GanymedeRemote.pl will fail.

Once the GanymedeRemote.pl script is configured and in place on the NT
server, you should be able to edit ntsambaBuild in your
<server>/schema/output directory.  At the top of ntsambaBuild, you'll
see a bunch of variables that you'll need to tweak in order to point
the rsh synchronization process at your PDC.

Hopefully this will be pretty easy to figure out, but BE CAREFUL!
Remember that rsh does no encryption, so all of those plaintext
passwords are going to be sent in the clear between your Ganymede
server and your NT PDC.  Further, having an rsh service on your NT PDC
exposes the PDC to attacks from any system that can reach it, since
rsh authenticates clients by nothing more than a claimed username and
a source address.  You want to make very certain that you are not
doing this sort of rsh activity over the open Internet.  Firewalls and
switched networks are your friends: at minimum, restrict the rsh port
(TCP 514) on the PDC so that only the Ganymede server's address can
connect.

If you *have* to do Ganymede/NT synchronization over a network that
you can't trust, I recommend you spend the time/money to get a good ssh
service for NT and use that instead.  Alternatively, it should be
possible to work out something using PGP, whereby you would define a
server public/private key pair and an NT-side public/private key pair,
and then send the GanymedeRemote.pl script a file that was signed with
the server's private key and encrypted with the NT side's public key.
GanymedeRemote.pl would decrypt the file with its own private key and
refuse to apply it unless the signature verifies against the server's
public key.  Note that signing and encrypting alone do not stop someone
from replaying a captured file later to put old passwords back, so the
file should also carry a timestamp or sequence number that the NT side
checks.  If you happen to make this sort of PGP setup work, please
email ganymede@arlut.utexas.edu and pass it along, so that I can
incorporate it into a future release of the userKit, and make you
**WORLD** **FAMOUS**!!!.
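The receiving-side check that both of the last two paragraphs call for
(a PDC that rejects sync files not produced by the Ganymede server, and
rejects stale or replayed ones), as an added example that is not part
of the userKit or of the page's own code.  Python's standard library
has no PGP, so this stands in an HMAC-SHA256 with a shared secret for
the signature: it gives authenticity and replay protection, but no
confidentiality, so the passwords in the payload still need ssh or PGP
encryption on an untrusted network.  The shared key, the sync-file
contents, the timestamps and the header format are all constructed
placeholders, not anything ntsambaBuild or GanymedeRemote.pl actually
emit or read.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical shared secret, generated once (e.g. secrets.token_bytes(32))
# and installed on both the Ganymede server and the PDC. Constructed here.
SHARED_KEY = bytes.fromhex(
    "1f3d5b7993b1cfed0b2d4f61738597a9bbcddfe1f30517293b4d5f71839aa5b7")

# Largest sender/receiver clock difference the PDC will tolerate, in seconds.
MAX_SKEW = 300


class Rejected(Exception):
    """Raised by unseal() when the envelope must not be applied."""


def _mac(key, ts, nonce, payload):
    # HMAC-SHA256 over timestamp, nonce and payload, newline-separated so the
    # three fields cannot be shifted into one another.
    h = hmac.new(key, digestmod=hashlib.sha256)
    h.update(str(ts).encode("ascii") + b"\n")
    h.update(nonce + b"\n")
    h.update(payload)
    return h.digest()


def seal(payload, key, ts=None, nonce=None):
    """Sender side (Ganymede server). Prepends one header line
    'ts=<unix time> nonce=<hex> mac=<hex>' to the sync file. The payload
    stays in the clear; only its origin and freshness are protected."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_bytes(16) if nonce is None else nonce
    mac = _mac(key, ts, nonce, payload)
    header = "ts=%d nonce=%s mac=%s\n" % (ts, nonce.hex(), mac.hex())
    return header.encode("ascii") + payload


def unseal(blob, key, seen_nonces, now=None):
    """Receiver side (the role GanymedeRemote.pl plays). Verifies the MAC
    first, then rejects stale or replayed envelopes. Returns the payload or
    raises Rejected. seen_nonces must persist across runs (a file on the
    PDC, say) or the replay check means nothing."""
    now = int(time.time()) if now is None else now
    header, sep, payload = blob.partition(b"\n")
    if not sep:
        raise Rejected("missing header")
    try:
        fields = dict(item.split("=", 1)
                      for item in header.decode("ascii").split())
        ts = int(fields["ts"])
        nonce = bytes.fromhex(fields["nonce"])
        mac = bytes.fromhex(fields["mac"])
    except (KeyError, ValueError):
        raise Rejected("malformed header")
    # Constant-time compare: a plain == leaks how many leading bytes matched.
    if not hmac.compare_digest(mac, _mac(key, ts, nonce, payload)):
        raise Rejected("bad mac")
    if abs(now - ts) > MAX_SKEW:
        raise Rejected("stale")
    if nonce in seen_nonces:
        raise Rejected("replay")
    seen_nonces.add(nonce)
    return payload


def check(blob, key, seen_nonces, now=None):
    """'ok' if the envelope would be applied, otherwise the rejection reason."""
    try:
        unseal(blob, key, seen_nonces, now)
        return "ok"
    except Rejected as e:
        return str(e)


def demo():
    """Accept, tamper, replay and stale cases on a constructed sync file.
    Returns the four outcomes in that order."""
    # Constructed placeholder; the real file is whatever ntsambaBuild emits.
    sync_file = b"jdoe:ExamplePass1\njsmith:ExamplePass2\n"
    seen = set()
    now = 980000000
    env = seal(sync_file, SHARED_KEY, ts=now, nonce=bytes(16))
    return [
        check(env, SHARED_KEY, seen, now),                    # genuine, fresh
        check(env[:-1] + b"X", SHARED_KEY, seen, now),        # last byte altered
        check(env, SHARED_KEY, seen, now),                    # same nonce again
        check(seal(sync_file, SHARED_KEY, ts=now), SHARED_KEY, seen, now + 10000),
    ]


if __name__ == "__main__":
    print(demo())
```

In the real setup the Ganymede side would run seal() on the
synchronization file before piping it into rsh, and the NT side would
run unseal() on STDIN before touching the domain.  The MAC is checked
before the timestamp and nonce so that an attacker without the key
learns nothing from the order of rejections, and the nonce set has to
be written to disk on the PDC or a reboot reopens the replay window.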

;-)

 Jon
