I will be upgrading my Samba server from 2.2.8a to 3.0.10. I currently have security set to 'share' and plan on migrating to 'ads' for improved authentication. I have one snag, though... I have remote users who reside in and are managed by a Windows domain that is not in my control. There is no trust relationship at all. If I use 'ads' security, can I add a 'valid users' line for shares they need to access? So that when they fail domain authentication, Samba would check against UNIX accounts I set up specifically for those (2) users... Example smb.conf: [global] security = ads [share1] comment = share for local users path = /some/path/share1 ... [share2] comment = share for remote users path = /some/path/share2 valid users = fred,barney ... ry
I think as long as the passwords are the same, your approach of creating the domain users you need as local users will work. -Marc> -----Original Message----- > From: Ryan Frantz [mailto:RyanFrantz@informed-llc.com] > Sent: Tuesday, January 25, 2005 11:04 AM > To: samba@lists.samba.org > Subject: [Samba] 'security = ads' & 'valid users =' > > I will be upgrading my Samba server from 2.2.8a to 3.0.10. Icurrently> have security set to 'share' and plan on migrating to 'ads' forimproved> authentication. I have one snag, though... > > I have remote users who reside in and are managed by a Windows domain > that is not in my control. There is no trust relationship at all. IfI> use 'ads' security, can I add a 'valid users' line for shares theyneed> to access? So that when they fail domain authentication, Samba would > check against UNIX accounts I set up specifically for those (2)users...> > Example smb.conf: > > [global] > security = ads > > [share1] > comment = share for local users > path = /some/path/share1 > ... > > [share2] > comment = share for remote users > path = /some/path/share2 > valid users = fred,barney > ... > > ry > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/listinfo/samba
Would it be feasible to use the options 'guest account' and 'guest ok' for shares along with ADS security? Or is additional configuration even necessary? When domain authentication fails, Samba will prompt the user for a username/password combination (http://www.samba.org/samba/docs/man/smb.conf.5.html#VALIDATIONSECT), correct? The user can then enter credentials I have given them that will match UNIX accounts I will create for them. ry -----Original Message----- From: Kaplan, Marc [mailto:marc_kaplan@adaptec.com] Sent: Tuesday, January 25, 2005 2:19 PM To: Ryan Frantz; samba@lists.samba.org Subject: RE: [Samba] 'security = ads' & 'valid users =' I think as long as the passwords are the same, your approach of creating the domain users you need as local users will work. -Marc> -----Original Message----- > From: Ryan Frantz [mailto:RyanFrantz@informed-llc.com] > Sent: Tuesday, January 25, 2005 11:04 AM > To: samba@lists.samba.org > Subject: [Samba] 'security = ads' & 'valid users =' > > I will be upgrading my Samba server from 2.2.8a to 3.0.10. Icurrently> have security set to 'share' and plan on migrating to 'ads' forimproved> authentication. I have one snag, though... > > I have remote users who reside in and are managed by a Windows domain > that is not in my control. There is no trust relationship at all. IfI> use 'ads' security, can I add a 'valid users' line for shares theyneed> to access? So that when they fail domain authentication, Samba would > check against UNIX accounts I set up specifically for those (2)users...> > Example smb.conf: > > [global] > security = ads > > [share1] > comment = share for local users > path = /some/path/share1 > ... > > [share2] > comment = share for remote users > path = /some/path/share2 > valid users = fred,barney > ... > > ry > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/listinfo/samba
If you're fine with users being prompted to enter their login credentials, then yes the passwords can be different. If you want it to be seamless, keep the passwords synced. -Marc> -----Original Message----- > From: Ryan Frantz [mailto:RyanFrantz@informed-llc.com] > Sent: Tuesday, January 25, 2005 11:28 AM > To: samba@lists.samba.org > Subject: RE: [Samba] 'security = ads' & 'valid users =' > > Would it be feasible to use the options 'guest account' and 'guest ok' > for shares along with ADS security? > > Or is additional configuration even necessary? When domain > authentication fails, Samba will prompt the user for ausername/password> combination > (http://www.samba.org/samba/docs/man/smb.conf.5.html#VALIDATIONSECT), > correct? The user can then enter credentials I have given them that > will match UNIX accounts I will create for them. > > ry > > -----Original Message----- > From: Kaplan, Marc [mailto:marc_kaplan@adaptec.com] > Sent: Tuesday, January 25, 2005 2:19 PM > To: Ryan Frantz; samba@lists.samba.org > Subject: RE: [Samba] 'security = ads' & 'valid users =' > > I think as long as the passwords are the same, your approach ofcreating> the domain users you need as local users will work. > > -Marc > > > -----Original Message----- > > From: Ryan Frantz [mailto:RyanFrantz@informed-llc.com] > > Sent: Tuesday, January 25, 2005 11:04 AM > > To: samba@lists.samba.org > > Subject: [Samba] 'security = ads' & 'valid users =' > > > > I will be upgrading my Samba server from 2.2.8a to 3.0.10. I > currently > > have security set to 'share' and plan on migrating to 'ads' for > improved > > authentication. I have one snag, though... > > > > I have remote users who reside in and are managed by a Windowsdomain> > that is not in my control. There is no trust relationship at all.If> I > > use 'ads' security, can I add a 'valid users' line for shares they > need > > to access? So that when they fail domain authentication, Sambawould> > check against UNIX accounts I set up specifically for those (2) > users... > > > > Example smb.conf: > > > > [global] > > security = ads > > > > [share1] > > comment = share for local users > > path = /some/path/share1 > > ... > > > > [share2] > > comment = share for remote users > > path = /some/path/share2 > > valid users = fred,barney > > ... > > > > ry > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/listinfo/samba > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/listinfo/samba
I don't mind the users being prompted; there are only two of them. This is a real pain because they're accessing my site through a dedicated line and they reside in their own domain... -----Original Message----- From: Kaplan, Marc [mailto:marc_kaplan@adaptec.com] Sent: Tuesday, January 25, 2005 2:35 PM To: Ryan Frantz; samba@lists.samba.org Subject: RE: [Samba] 'security = ads' & 'valid users =' If you're fine with users being prompted to enter their login credentials, then yes the passwords can be different. If you want it to be seamless, keep the passwords synced. -Marc> -----Original Message----- > From: Ryan Frantz [mailto:RyanFrantz@informed-llc.com] > Sent: Tuesday, January 25, 2005 11:28 AM > To: samba@lists.samba.org > Subject: RE: [Samba] 'security = ads' & 'valid users =' > > Would it be feasible to use the options 'guest account' and 'guest ok' > for shares along with ADS security? > > Or is additional configuration even necessary? When domain > authentication fails, Samba will prompt the user for ausername/password> combination > (http://www.samba.org/samba/docs/man/smb.conf.5.html#VALIDATIONSECT), > correct? The user can then enter credentials I have given them that > will match UNIX accounts I will create for them. > > ry > > -----Original Message----- > From: Kaplan, Marc [mailto:marc_kaplan@adaptec.com] > Sent: Tuesday, January 25, 2005 2:19 PM > To: Ryan Frantz; samba@lists.samba.org > Subject: RE: [Samba] 'security = ads' & 'valid users =' > > I think as long as the passwords are the same, your approach ofcreating> the domain users you need as local users will work. > > -Marc > > > -----Original Message----- > > From: Ryan Frantz [mailto:RyanFrantz@informed-llc.com] > > Sent: Tuesday, January 25, 2005 11:04 AM > > To: samba@lists.samba.org > > Subject: [Samba] 'security = ads' & 'valid users =' > > > > I will be upgrading my Samba server from 2.2.8a to 3.0.10. I > currently > > have security set to 'share' and plan on migrating to 'ads' for > improved > > authentication. I have one snag, though... > > > > I have remote users who reside in and are managed by a Windowsdomain> > that is not in my control. There is no trust relationship at all.If> I > > use 'ads' security, can I add a 'valid users' line for shares they > need > > to access? So that when they fail domain authentication, Sambawould> > check against UNIX accounts I set up specifically for those (2) > users... > > > > Example smb.conf: > > > > [global] > > security = ads > > > > [share1] > > comment = share for local users > > path = /some/path/share1 > > ... > > > > [share2] > > comment = share for remote users > > path = /some/path/share2 > > valid users = fred,barney > > ... > > > > ry > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/listinfo/samba > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/listinfo/samba