Sadanapalli, Pradeep Kumar (MED, TCS)
2003-Jan-30 16:47 UTC
[Samba] Samba File Sharing- Some Doubts?
Hi Friends,

I did not see any response to my previous mail, so I thought I would post it again.

I want to run Samba on my Linux desktop, which is on an NIS domain. I want to just share my files on the Linux box with Windows machines on a Windows domain. My issues are:

1. Do I need to join the domain for sharing my files with them?
2. Do I need to have a login account for my Linux machine on the Windows domain?
3. If a Windows domain member needs to view my files, does he/she need to have an account on my machine, or is his domain account enough?
4. Who will authenticate the users for file sharing, my Linux box or the Windows domain controller? If so, how should I configure Samba?

If anyone has already explored these issues, pls share with me. Thanks in advance.

Pradeep
Sadanapalli, Pradeep Kumar (MED, TCS)
2003-Jan-31 15:52 UTC
[Samba] Samba File Sharing- Some Doubts?
Thank you very much John, your response really cleared many of my doubts. But I am still unable to share my files using Samba. I configured Samba on my Linux box, but the Linux system is not visible from the Windows machine in the particular domain I want it to appear in. I do not know where I made a mistake. I am sending you the smb.conf below, please tell me how to get it to work.

"My smb.conf FILE"
*************************************
[global]
log file = /var/log/samba/%m.log
smb passwd file = /etc/samba/smbpasswd
load printers = yes
socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
obey pam restrictions = yes
encrypt passwords = yes
dns proxy = no
server string = Pradeep's Samba
writeable = yes
printing = lprng
default = printers
unix password sync = Yes
workgroup = AMERICA ### This is my Windows Domain
security = user
preferred master = no
max log size = 0
pam password change = yes

[Linux Pradeep]
path = /home/pradeep
comment = Pradeep Home Dir Samba Share
valid users = %S
public = yes
create mode = 0664
directory mode = 0775

# This one is useful for people to share files
[tmp]
comment = Temporary file space
path = /tmp
read only = no
public = yes
***************************

Thanks,
Pradeep

-----Original Message-----
From: john.nelson@teradyne.com [mailto:john.nelson@teradyne.com]
Sent: Thursday, January 30, 2003 3:06 PM
To: Sadanapalli, Pradeep Kumar (MED, TCS)
Subject: Re: [Samba] Samba File Sharing- Some Doubts?

>My issues are :

Before addressing the specifics of your questions: you need to decide what approach to security you want to use. This is one of the most complex parts of Samba, primarily because Samba acts as a bridge between two very dissimilar systems. Samba provides a wide variety of choices, because there is no "one size fits all" solution that will satisfy everyone.

>1. Do I need to join the domain for sharing my files with them?

No. The primary reason for having a Samba server join a Windows domain is to allow the Windows domain controller to do user authentication, rather than maintaining a separate password file on the Samba server. It's your choice.

>2. Do I need to have a login account for my linux machine on windows
>domain?

While this is not normally visible to users, this is just how domain membership works. The domain member computer has a special "machine account" on the domain controller - during authentication, the domain member system presents its account password to prove to the domain controller that it really is the computer that its name suggests that it is. This is not normally visible when using the Microsoft domain tools, but it IS how it works underneath. When using Samba as a domain controller, the underlying mechanisms of implementing domain membership are more visible, which is why the "machine account" stuff appears in the Samba documentation.

>3. If a windows domain member needs to view my files, does he/she need
>to have
> account on my machine or his domain account is enough?

You have some more choices here. You need to decide what Unix userid will be used for accessing files on the Samba server.

If you want all connections to use the same Unix userid, then you should use the "guest" facility of Samba to specify the account that will be used by all Windows users connecting to Samba.

If you want to use different Unix userids for different Windows users, then you need to define how the accounts map to each other. The default is to map accounts by name: in other words, you need a Unix account to match each Windows account name. When the Windows user connects, all operations done on his behalf will be done using the matching Unix account. Note that this is independent of how you've configured passwords/authentication.

You can have Samba automatically create a Unix account on the fly for each Windows account that successfully authenticates by using the "add user script" facility.

Alternatively, you can explicitly define a mapping of Windows account names to Unix account names using the Samba "username map" facility.

On systems that support it, you can use winbindd (which isn't strictly part of Samba) to map Windows domain accounts and groups onto your Unix/Linux system. This approach tightly binds your Unix/Samba environment to a Windows domain.

>4. Who will authenticate the users for file sharing, my linux box or
>windows domain controller? If so, how should
> I configure samba?

Again, you can choose to configure it either way. If you have your Linux system join the domain (or use the domain controller as a password server), then it will be the Windows domain controller doing authentication. If not, it will be the Linux system (probably). There are other possible authentication approaches involving LDAP et al.

>If anyone has already explored these issues , pls share with me. Thanks
>in advance.

This, in my humble opinion, is the biggest flaw in the Samba documentation. A new administrator of Samba MUST understand the choices he needs to make, and the ramifications of those choices. There's plenty of detailed information about how to set up one configuration or another, and not enough information about what the decisions ARE, and how to evaluate the trade-offs involved.

Good Luck.
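
The two decisions described in the reply above (who checks passwords, and which Unix account a connection runs as) can be read back out of an smb.conf. The following is an added example, not part of the original thread or of Samba itself; the sample configuration is constructed from a subset of the posted settings, and the function names and report strings are hypothetical.

```python
import re

# Constructed sample, trimmed from the settings posted in the thread.
SAMPLE_CONF = """\
[global]
workgroup = AMERICA
security = user
smb passwd file = /etc/samba/smbpasswd

[tmp]
path = /tmp
read only = no
public = yes
"""

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {param: value}}.
    Names are lower-cased and stripped of spaces, since Samba ignores both."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or whole-line comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][re.sub(r"\s+", "", key).lower()] = value.strip()
    return conf

def describe_choices(conf):
    """Report who authenticates users and how the Unix account is chosen."""
    g = conf.get("global", {})
    mode = g.get("security", "user").lower()
    authenticator = {"domain": "domain controller (domain member)",
                     "ads": "domain controller (domain member)",
                     "server": "domain controller (password server)",
                     }.get(mode, "samba server")
    if "usernamemap" in g:
        identity = "username map"
    elif "adduserscript" in g:
        identity = "created on the fly"
    else:
        identity = "matched by name"
    yes = {"yes", "true", "1"}
    # "public" is a synonym for "guest ok"; such shares use the guest account.
    guest = sorted(name for name, s in conf.items() if name != "global"
                   and s.get("guestok", s.get("public", "no")).lower() in yes)
    return {"authenticator": authenticator, "identity": identity,
            "guest_shares": guest, "guest_account": g.get("guestaccount")}
```

Calling `describe_choices(parse_smb_conf(SAMPLE_CONF))` reports that the Samba server itself authenticates users, that accounts are matched by name, and that `tmp` is reachable through the guest account.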