Hi,

Could someone confirm that the following is NOT possible with Samba:
- Run Samba on a Solaris box WITH NO SMBPASSWD
- Have the users log in on Windows NT, using the Novell NDS client, and using ENCRYPTION
- Have the users authenticated by Samba through NDS (preferred) or NIS.

My understanding is that if Samba receives the password encrypted, it has no choice but to use a local smbpasswd (and can't use /etc/passwd, NDS, NIS, pam etc...). Right?

My understanding is that with the current version of Win NT, you cannot disable password encryption. Right?

Do you know what the alternatives are (totalnet Syntax? others?)?

Thanks,
Yves.
----
Yves Dorfsman dorfsmay@cuug.ab.ca
http://www.cuug.ab.ca/~dorfsmay
Yves Dorfsman said:
> Hi,
> Could someone confirm that the following is NOT possible with Samba:
> -Run Samba on a Solaris box WITH NO SMBPASSWD
> -Have the users log in on Windows NT, using the Novell NDS client, and
> using ENCRYPTION
> -Have the users authenticated by Samba through NDS (preferred) or NIS.
>
> My understanding is that if Samba receives the password encrypted, it
> has no choice but to use a local smbpasswd (and can't use /etc/passwd,
> NDS, NIS, pam etc...). Right ?

Yes that is correct - but IIRC from scanning the code, the SMB passwd stuff is carefully separated and could be extended to use other mechanisms (which I would like, since a flat text file is not good for a large number of servers and users).

> My understanding is that with the current version of Win NT, you
> cannot disable password encryption. Right ?

NT 4.0 can disable encryption as can W2K - after all Microsoft does have this burden of backward compatibility :-).

> Do you know what are the alternatives (totalnet Syntax ? others ?) ?

The only serious competitor for Samba is Microsoft in my view - the Sun PC Netlink (IIRC) is based on NT 4.0 source code - so a dead end. Might be OK if just want a blackbox fileservice solution - but not OK for combined NFS/SMB fileservice.

--
Peter Polkinghorne, Computer Centre, Brunel University, Uxbridge, UB8 3PH,
Peter.Polkinghorne@brunel.ac.uk +44 1895 274000 x2561 UK
Hello samba gurus,

We have the configuration value for security as domain. Can samba authenticate someone outside the domain at the same time? Since not all NT laptops are part of the domain NT server, guest users. How could I set up samba to allow some non-domain users to access the filesystem?

Thanks
Peter
> Hello samba gurus,
>
> We have the configuration value for security as domain. Can samba
> authenticate someone outside the domain at the same time? Since not
> all NT laptops are part of the domain NT server, guest users. How
> could I set up samba to allow some non-domain users to access the
> filesystem?

You have to do nothing special. The laptop users need a unix account on the samba server, an encrypted password and map their shares by hand. That's all.

Oh, you are using "security = domain". Then forget the encrypted passwords and let the laptop users (not the laptop machines) have an account on the PDC.

Christian

> Thanks
>
> Peter
Hi,

I'm trying to set up samba for the first time. I can already ping the linux machine from a windows machine by its NetBIOS name. But when I try to do \\linux (that's the machine name) it asks me for username and password.

Here goes my smb.conf file:

    [global]
    workgroup = NS
    netbios name = Linux
    server string = Samba Server
    hosts allow = 192.168.69. 127.
    interfaces = 192.168.69.110/24
    log file = /var/log/log.%m
    max log size = 50
    security = domain
    password server = *
    encrypt passwords = yes
    socket options = TCP_NODELAY
    os level = 255
    wins support = no
    dns support = no

Do I have to create users locally, or say that specific users from the domain can access the server? I haven't created any share yet, might that be a problem too?

Thanks in advance...
Filipe Joel de Almeida
Thanks Steve for your time.

I'm trying to do everything by hand and without any GUI or wizards, so that I really learn how things work, so I'm having a little more work (especially because I just started using linux this week) but I think that with time it will be better this way.

My idea for now is to have a Linux server integrated into a W2K domain, and providing that domain users with files. I have the users in the domain grouped in several groups. Isn't there any way that I, on the linux machine, "share" folders for a certain group and every user that is created in W2K and added to that group has access to that folder?

My problem is that my first production deployment of samba is in a network of 100+ users with some rotativity (lots of users gone, and new come in). I really don't want to have to create each user twice.

Can anyone tell me a way to implement this kind of solution?

Filipe Joel de Almeida
Network Consultant
Filipe.Joel@netcabo.pt

-----Original Message-----
From: Steve Thom [mailto:samba@steventhom.com]
Sent: Saturday, 28 September 2002 17:59
To: Filipe.joel@netcabo.pt; samba@lists.samba.org
Subject: Re: [Samba] Samba authentication

Each user that needs to access the server will need to be a linux user as well, with unix permissions to access the directory in question. It is best to use "user" security instead of "domain" with password synchronization between samba and unix enabled. Any users created in unix will be added to samba.

If this becomes an issue (too many users, two systems to maintain), you may want to consider mapping bad usernames to guest, setting the guest user up as a generic user in unix, then allowing guest access to the share. This pretty much opens the share up to everyone, something you may wish to avoid. This is usually done when deploying Samba as a print server. It avoids administrative overhead.

You can also use winbind to synchronize samba permissions with a NT domain. This is beyond me, someone else could step up to help you there.

Another thing to consider - the samba user needs to have permissions to access the unix directory. Samba permissions and unix permissions are two distinct issues. You could share a directory in samba that nobody can read, let alone write to from Windows. The individual users need to have access, or better yet the group to which they belong. Conversely, if you map to guest, make certain the guest user has rights to the unix directory.

You may want to download Webmin (www.webmin.com). It gives you a nice web-based interface to manage everything.

Good luck,
Steve

----- Original Message -----
From: <Filipe.joel@netcabo.pt>
To: <samba@lists.samba.org>
Sent: Saturday, September 28, 2002 6:03 AM
Subject: [Samba] Samba authentication

Hi,

I'm trying to set up samba for the first time. I can already ping the linux machine from a windows machine by its NetBIOS name. But when I try to do \\linux (that's the machine name) it asks me for username and password.

Here goes my smb.conf file:

    [global]
    workgroup = NS
    netbios name = Linux
    server string = Samba Server
    hosts allow = 192.168.69. 127.
    interfaces = 192.168.69.110/24
    log file = /var/log/log.%m
    max log size = 50
    security = domain
    password server = *
    encrypt passwords = yes
    socket options = TCP_NODELAY
    os level = 255
    wins support = no
    dns support = no

Do I have to create users locally, or say that specific users from the domain can access the server? I haven't created any share yet, might that be a problem too?

Thanks in advance...
Filipe Joel de Almeida

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Hi,

I've read a lot about setting up samba as a password server, and authenticating unix users against a samba server, but is there any way to authenticate samba users (like on logon) against the unix users and passwords (the users on the passwd and on the shadow files)?

thanks
Daniel Provin
Linux User #191271
EEL LABMETRO UFSC
I had a security hole that let a hacker get access to my passwd file one time. I wasn't using shadow passwords because I thought the machine only would have authorized users. Within 48 hours of the hole being announced on a security website, they had my root password. i.e. they unencrypted it. Fortunately, they were not smart enough to do any real damage. They just filled my website with links to porn sites.

>> is crypt that bad? :)
>> anyways, gonna put the pam_smbpass to work first !
>> thanks
>> Daniel Provin
>> Linux User #191271
>> EEL LABMETRO UFSC
>> On 22 Feb 2003, Bradley W. Langhorst wrote:
>> > On Sat, 2003-02-22 at 15:55, Daniel Provin wrote:
>> > > okay
>> > >
>> > > so, I just need to activate the pam_smbpass module to keep the smbpass with
>> > > the last password
>> > >
>> > > but is there any way to build an initial list of passwords from
>> > > unix passwords?
>> > well
>> > you could crack all your users passwords...
>> > probably wouldn't take more than a few weeks if you're using crypt.
>> >
>> > seriously - i don't know an easy way to deal with this problem.
>> > You might be able to configure pam to update the samba password upon
>> > login.
>> > or put the smbpasswd program into the logon script so that your users
>> > change it when they log in
>> >
>> > brad
>> > --
>> > Bradley W. Langhorst <brad@langhorst.com>
Hi There.... I need that my Samba Server (Linux RedHat 7.2) can see the users in a PDC Server which is running Windows 2000, so I've been reading in some docs but still without any success. Please, If anybody in this list knows How to do that? I will appreciate it.... I need to know what do I have to put or change in the smb.conf, pam_smb.conf files? Or if there's another clue about it..... Thanks in Advance Leonardo
Hi it's me again,

Well I saw the page you wrote down but I'm still having problems.... I did everything it said but when I try to do a "wbinfo -u" I get this:

Error looking up doamin users

So I can't see the users in the PDC (obviously)....

Has anybody some clue about it?

Thanks for helping me....

Leonardo

----------- Original Message --------------
From: Gary Heitman [gheitman@midlandcorp.com]
To: samba@lists.samba.org [samba@lists.samba.org]
Cc:
Subject: [Samba] Re: Samba Authentication
Date: 24/04/2003 09:44:51
Message:

This helped me ...

http://www.flatmtn.com/computer/Linux-Samba.html

Good luck,
gary

Leonardo Rodríguez wrote:
> Hi There....
>
> I need that my Samba Server (Linux RedHat 7.2) can see the users in a PDC
> Server which is running Windows 2000, so I've been reading in some docs but
> still without any success.
>
> Please, If anybody in this list knows How to do that? I will appreciate
> it....
>
> I need to know what do I have to put or change in the smb.conf,
> pam_smb.conf files?
>
> Or if there's another clue about it.....
>
> Thanks in Advance
>
> Leonardo
Here you are the results

    # wbinfo -t
    Could not check secret
    # wbinfo -A%
    could not obtain winbind separator!
    could not obtain winbind domain name!
    # wbinfo -u
    Error looking up domain users
    # wbinfo -g
    Error looking up domain groups
    #

----------- Original Message --------------
From: Gary A. Heitman [gheitman@midlandcorp.com]
To: leonardorleon@cantv.net [leonardorleon@cantv.net]
Cc:
Subject: Re: [Samba] Re: Samba Authentication
Date: 24/04/2003 11:43:41
Message:

How about the results of:

    wbinfo -t (secret should be good)
    wbinfo -A<DOMAIN+administrator>%<DOMadminpassword> (locks in your administrative passwd to winbind)

then,

    wbinfo -u (user list ?)
    wbinfo -g (groups)

----------------------------

Leonardo Rodríguez wrote:
> Hi it's me again,
>
> Well I saw the page you wrote down but I'm still having problems.... I did
> everything It said but when I try to do a "wbinfo -u" I get this:
>
> Error looking up doamin users
>
> So I can't see the users in the PDC (obviously)....
>
> Has anybody some clue about it?
>
> Thanks for help me....
>
> Leonardo
>
> ----------- Original Message --------------
>
> From: Gary Heitman [gheitman@midlandcorp.com]
> To: samba@lists.samba.org [samba@lists.samba.org]
> Cc:
> Subject: [Samba] Re: Samba Authentication
> Date: 24/04/2003 09:44:51
> Message:
>
> This helped me ...
>
> http://www.flatmtn.com/computer/Linux-Samba.html
>
> Good luck,
> gary
>
> Leonardo Rodríguez wrote:
>> Hi There....
>>
>> I need that my Samba Server (Linux RedHat 7.2) can see the users in a PDC
>> Server which is running Windows 2000, so I've been reading in some docs but
>> still without any success.
>>
>> Please, If anybody in this list knows How to do that? I will appreciate
>> it....
>>
>> I need to know what do I have to put or change in the smb.conf,
>> pam_smb.conf files?
>>
>> Or if there's another clue about it.....
>>
>> Thanks in Advance
>>
>> Leonardo

--
Gary A. Heitman
Information Systems Production Administrator
Midland Press Corporation
www.midlandcorp.com
I have had the same issue for several days now, I have followed every instruction that I find, however I always get the same results. I did get winbind to query the PDC at one point by changing the password server setting from actual machine names to *. This worked right up to the point that the samba server was stopped and restarted. Seems to me this is an issue with PDC resolution.

-----Original Message-----
From: John H Terpstra [mailto:jht@samba.org]
Sent: Thursday, April 24, 2003 11:07 AM
To: Leonardo Rodríguez
Cc: samba@lists.samba.org; gheitman@midlandcorp.com
Subject: Re: [Samba] Re: Samba Authentication

Leonardo,

You may gain some value from the following document:

http://samba.org/~jht/NT4migration/Samba-HOWTO-Collection.pdf

This is a work in progress and is being updated for release of samba-3 soon.

Cheers,
John T.

On Thu, 24 Apr 2003, Leonardo Rodríguez wrote:
> Hi it's me again,
>
> Well I saw the page you wrote down but I'm still having problems.... I did
> everything It said but when I try to do a "wbinfo -u" I get this:
>
> Error looking up doamin users
>
> So I can't see the users in the PDC (obviously)....
>
> Has anybody some clue about it?
>
> Thanks for help me....
>
> Leonardo
>
> ----------- Original Message --------------
>
> From: Gary Heitman [gheitman@midlandcorp.com]
> To: samba@lists.samba.org [samba@lists.samba.org]
> Cc:
> Subject: [Samba] Re: Samba Authentication
> Date: 24/04/2003 09:44:51
> Message:
>
> This helped me ...
>
> http://www.flatmtn.com/computer/Linux-Samba.html
>
> Good luck,
> gary
>
> Leonardo Rodríguez wrote:
> > Hi There....
> >
> > I need that my Samba Server (Linux RedHat 7.2) can see the users in a PDC
> > Server which is running Windows 2000, so I've been reading in some docs but
> > still without any success.
> >
> > Please, If anybody in this list knows How to do that? I will appreciate
> > it....
> >
> > I need to know what do I have to put or change in the smb.conf,
> > pam_smb.conf files?
> >
> > Or if there's another clue about it.....
> >
> > Thanks in Advance
> >
> > Leonardo

--
John H Terpstra
Email: jht@samba.org
Hi...

One more important question: Is this really possible with samba 2.2.1a-4?

Thanks

----------- Original Message --------------
From: Leonardo Rodríguez [leonardorleon@cantv.net]
To: samba@lists.samba.org [samba@lists.samba.org]
Cc:
Subject: [Samba] Samba Authentication
Date: 24/04/2003 08:49:00
Message:

Hi There....

I need that my Samba Server (Linux RedHat 7.2) can see the users in a PDC Server which is running Windows 2000, so I've been reading in some docs but still without any success.

Please, If anybody in this list knows How to do that? I will appreciate it....

I need to know what do I have to put or change in the smb.conf, pam_smb.conf files?

Or if there's another clue about it.....

Thanks in Advance

Leonardo
Hi list,

I've been working with Samba 2.2.1a in RedHat 7.2 trying to authenticate users which are in a win2k PDC. This is what I've done:

In my smb.conf file I have this:

    [global]
    workgroup = MCSE
    server string = Samba Server
    netbios name = RHVMW
    printcap name = /etc/printcap
    load printers = yes
    printing = lprng
    log file = /var/log/samba/%m.log
    max log size = 0
    security = domain
    password server = *
    encrypt passwords = yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    domain logons = no

    [homes]
    comment = Home Directories
    browseable = no
    writable = yes
    valid users = %S
    create mode = 0664
    directory mode = 0775

    [samba]
    comment = Samba Share
    path = /samba
    public = yes
    writable = yes
    browseable = yes

    [samba2]
    comment = Samba Share
    path = /samba2
    valid users = %S
    public = no
    writable = yes
    printable = no
    create mask = 0765
    ------ end of file ----------------

I added the Linux machine in the win2k PDC with its Netbios name (RHVMW) and I checked the line "Allow pre-Windows 2000 computers to use this account" and after this I joined the linux machine to the Domain with this command:

    [root@rhvmw root]# smbpasswd -r win2k1 -j mcse -U administrator%password
    2003/04/28 10:16:00 : change_trust_account_password: Changed password for domain MCSE.
    Joined domain MCSE.

It joined well... and I could do any user authentication as follows:

    [root@rhvmw root]# smbclient -L rhvmw -U administrator
    added interface ip=192.168.58.102 bcast=192.168.58.255 nmask=255.255.255.0
    Password:
    Domain=[MCSE] OS=[Unix] Server=[Samba 2.2.1a]

        Sharename      Type      Comment
        ---------      ----      -------
        samba          Disk      Samba Share
        samba2         Disk      Samba Share
        IPC$           IPC       IPC Service (Samba Server)
        ADMIN$         Disk      IPC Service (Samba Server)
        administrator  Disk      Home Directories

        Server               Comment
        ---------            -------
        RHVMW                Samba Server
        WIN2K1

        Workgroup            Master
        ---------            -------
        MCSE                 WIN2K1

Administrator is a user in the PDC. I could do this with different users created in the PDC and everything was fine, but after a long time I try to do the same thing and it fails, giving me this error:

    [root@rhvmw root]# smbclient -L rhvmw -U administrator
    added interface ip=192.168.58.102 bcast=192.168.58.255 nmask=255.255.255.0
    Password:
    session setup failed: ERRSRV - ERRbadpw (Bad password - name/password pair in a Tree Connect or Session Setup are invalid.)

and I don't know why.... so what could be happening?

Another question is: how can I set a parameter (valid user) in the shared folder (smb.conf) so that it can authenticate the users in the PDC? Because I can only do this with the Linux users.

Thanks in advance
Leonardo
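An added example, not part of the post above and not Samba's own tooling: a small checker that parses an smb.conf, folds the synonyms used in the posted file (`public`, `writable`) into their canonical names, and reports the guest-access and `valid users` settings this thread keeps returning to. The finding codes and function names are hypothetical; the sample is abridged from the configuration posted above.

```python
# Synonyms from smb.conf(5); True marks an inverted synonym.
SYNONYMS = {
    "public": ("guest ok", False),
    "writable": ("read only", True),
    "writeable": ("read only", True),
    "write ok": ("read only", True),
}
YES = {"yes", "true", "1"}
MESSAGES = {  # hypothetical finding codes used by this example
    "cleartext-passwords": "encrypt passwords is off: passwords cross the wire in clear",
    "map-to-guest": "rejected logons fall through to the guest account",
    "guest-writable": "share is writable without authentication",
    "valid-users-is-service-name": "%S expands to the share name, not to domain users",
}

# Abridged from the smb.conf posted in the message above.
POSTED_CONF = """
[global]
   security = domain
   password server = *
   encrypt passwords = yes
[homes]
   writable = yes
   valid users = %S
[samba]
   path = /samba
   public = yes
   writable = yes
[samba2]
   path = /samba2
   valid users = %S
   public = no
   writable = yes
"""


def parse_smb_conf(text):
    """Return {section: {param: value}}, names lower-cased, synonyms folded."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif section is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            key = " ".join(key.lower().split())
            if key in SYNONYMS:
                key, inverted = SYNONYMS[key]
                if inverted:
                    value = "no" if value.lower() in YES else "yes"
            conf[section][key] = value
    return conf


def audit(conf):
    """Return a sorted list of (section, finding code) tuples."""
    found = []
    glob = conf.get("global", {})
    # Only an explicit "no" is flagged: the default differs between Samba versions.
    if glob.get("encrypt passwords", "yes").lower() not in YES:
        found.append(("global", "cleartext-passwords"))
    if glob.get("map to guest", "never").lower() != "never":
        found.append(("global", "map-to-guest"))
    for name, share in conf.items():
        if name == "global":
            continue
        guest = share.get("guest ok", "no").lower() in YES
        writable = share.get("read only", "yes").lower() not in YES
        if guest and writable:
            found.append((name, "guest-writable"))
        if name != "homes" and share.get("valid users", "").strip() == "%S":
            found.append((name, "valid-users-is-service-name"))
    return sorted(found)


if __name__ == "__main__":
    for section, code in audit(parse_smb_conf(POSTED_CONF)):
        print(f"[{section}] {code}: {MESSAGES[code]}")
```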
Is it possible to have two samba servers in two separate domains acting as PDCs authenticate against each other for logins? IE server A attempts to authenticate against B and then itself, and server B attempts to authenticate against A and then itself. Any help doing this would be very much appreciated. Rob
I have two separate subnets, two servers, and one domain. I want to serve half of my users from server A and half from server B, but all users would be able to log onto both subnets. The reason I want to separate them like this is so that the home directories and profiles will be split between the servers. Is it possible to serve the profiles and home dirs from a samba server the user doesn't authenticate with?

In other words, what I'd like is for a user on server A (controlling subnet A) to be able to log into a PC on subnet A and B and have his home dir and profile served from server A. At the same time, I'd like different users to have the same ability using server B.

Rob

ggrov7@eq.edu.au wrote:
> I think it is possible, but why would you do it? What you said sounds weird. Why do you want both servers to auth from each other first? Normally you would only have server B auth from server A and then B. And server A auth from server A then B. Are you sure you don't want to replicate servers A & B's databases?
>
> ----- Original Message -----
> From: Robert Rati <Robert.Rati@motorola.com>
> Date: Wednesday, September 10, 2003 7:31 am
> Subject: [Samba] Samba authentication
>
>> Is it possible to have two samba servers in two separate domains
>> acting as PDCs authenticate against each other for logins? IE server A
>> attempts to authenticate against B and then itself, and server B
>> attempts to authenticate against A and then itself. Any help
>> doing this would be very much appreciated.
>>
>> Rob