We already have a large complement of Unix users that are also Windows users but we also have non-unix users that need access to some samba shares. How can I set up samba so that users who already have a Unix account will get that account and home directory when they connect through samba but valid domain users that do not already have a Unix account will authenticate through winbind and get the winbind generated UID, GID and home directory?

Thanks.

--Bill

On 5/19/05, Braden Bill <Bill.Braden@thomson.net> wrote:
> We already have a large complement of Unix users that are also Windows
> users but we also have non-unix users that need access to some samba
> shares. How can I set up samba so that users who already have a Unix
> account will get that account and home directory when they connect
> through samba but valid domain users that do not already have a Unix
> account will authenticate through winbind and get the winbind generated
> UID, GID and home directory?

What do you mean by the users with Unix accounts getting "that account and home directory when they connect through samba"? Connect how? I'm really having a hard time understanding the context.

Unless you are using NIS, unix accounts are always local. And even in that case, their home directories are initially local unless linked to directories exported through NFS on another server. All of which shows just how confused I am by your expression "connect through samba."

Logged in locally through unix, they will have access to their home directories the usual way. Samba has nothing to do with that: they are not "connecting through samba". For *other* samba shares locally or on other samba servers, they can access them in the usual ways -- smbclient, mount -t smbfs.

I feel I'm missing something in understanding your question.

Braden Bill wrote:
> We already have a large complement of Unix users that are also Windows
> users but we also have non-unix users that need access to some samba
> shares. How can I set up samba so that users who already have a Unix
> account will get that account and home directory when they connect
> through samba but valid domain users that do not already have a Unix
> account will authenticate through winbind and get the winbind generated
> UID, GID and home directory?
>
> Thanks.
>
> --Bill
>

how about putting things like passwd files ldap winbind in nsswitch.conf? would that work?

--
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution
Deutscher Platz 6
D-04103 Leipzig
Germany
Phone: 49 (0)341 - 3550 137

I appreciate the feedback so far from Michael and Basil.

Michael,

Thanks for the nsswitch.conf suggestion but I already have "files nis winbind" in nsswitch.conf and my pam.conf has:

    login  auth requisite  pam_authtok_get.so.1
    login  auth sufficient pam_dhkeys.so.1
    login  auth sufficient pam_unix_auth.so.1
    login  auth sufficient pam_dial_auth.so.1
    login  auth sufficient /usr/lib/security/pam_winbind.so.1 try_first_pass
    rlogin auth sufficient pam_rhosts_auth.so.1
    rlogin auth requisite  pam_authtok_get.so.1
    rlogin auth sufficient pam_dhkeys.so.1
    rlogin auth sufficient pam_unix_auth.so.1
    rlogin auth sufficient /usr/lib/security/pam_winbind.so.1 try_first_pass
    other  auth requisite  pam_authtok_get.so.1
    other  auth sufficient pam_dhkeys.so.1
    other  auth sufficient pam_unix_auth.so.1
    other  auth sufficient /usr/lib/security/pam_winbind.so.1 try_first_pass

Basil, what I mean is that I have all my unix users in NIS (should have mentioned that to start). Those people are fine when they actually log into any Unix box but if they connect to the samba shares, from windows like run -> \\sambashares, Winbind gets in the way and assigns them a new UID, GID and home directory based on these settings:

    winbind uid = 37000-39999
    winbind gid = 37000-39999
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /tmp/winbind/%D/%U

instead of using the information out of NIS.

What I want is for the users that have a valid entry in NIS to connect to the shares with that UID, GID and home directory. If they connect to the shares as a valid ADS user but there is no matching username in NIS then winbind should kick in and auto generate the UID, GID and home directory.

-- Bill
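
Added example, not part of any message in this thread: one way to see which accounts are affected by the double mapping described in the last message is to classify `getent passwd` output by whether the UID falls in the 37000-39999 winbind range and list the names that appear on both sides. The sample data, the `EXAMPLE` domain, the `DOMAIN\user` naming with a backslash separator, and the case-insensitive name comparison are assumptions made for the illustration.

```python
WINBIND_UIDS = range(37000, 40000)  # "winbind uid = 37000-39999" from the post
SEPARATOR = "\\"                    # assumed: winbind names appear as DOMAIN\user

# Constructed sample in `getent passwd` format; names and UIDs are made up.
SAMPLE = r"""
alice:x:1201:100:Alice:/home/alice:/bin/sh
bob:x:1202:100:Bob:/home/bob:/bin/sh
+::0:0:::
EXAMPLE\alice:x:37004:37001::/tmp/winbind/EXAMPLE/alice:/bin/false
EXAMPLE\carol:x:37005:37001::/tmp/winbind/EXAMPLE/carol:/bin/false
"""

def parse_passwd(text):
    """Yield (name, uid, home) for each well-formed passwd line."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or fields[0][:1] in ("", "+", "-", "#"):
            continue                  # blank, comment or NIS compat entry
        try:
            yield fields[0], int(fields[2]), fields[5]
        except ValueError:
            continue                  # non-numeric UID field

def split_identities(text):
    """Separate accounts by whether the UID lies in the winbind range."""
    unix, winbind = {}, {}
    for name, uid, home in parse_passwd(text):
        if uid in WINBIND_UIDS:
            # Drop the domain prefix; compare names case-insensitively (assumption).
            short = name.split(SEPARATOR)[-1].lower()
            winbind[short] = (name, uid, home)
        else:
            unix[name.lower()] = (name, uid, home)
    return unix, winbind

def double_mapped(text):
    """Users holding both a files/NIS UID and a winbind-allocated UID."""
    unix, winbind = split_identities(text)
    return sorted((s, unix[s][1], winbind[s][1])
                  for s in unix.keys() & winbind.keys())

def winbind_only(text):
    """Domain users with no same-named files/NIS account."""
    unix, winbind = split_identities(text)
    return sorted(winbind.keys() - unix.keys())

if __name__ == "__main__":
    for short, unix_uid, wb_uid in double_mapped(SAMPLE):
        print(f"{short}: unix uid {unix_uid}, winbind uid {wb_uid}")
    print("winbind only:", ", ".join(winbind_only(SAMPLE)))
```

On a live system the same functions can be fed the output of `getent passwd` instead of `SAMPLE`.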