Chris McKeever
2002-Nov-17 21:46 UTC
FW: [Samba] WINBIND configuration and NT Authentication]
Thanks Mikko - pieced the 3 links you sent and got new configs...

Well.. I have successfully got the PAM files so NT users can log in from the terminal as well as through the samba shares (no local users required), including using the NT groups to provide share level permissions.

Now here is the next battle:

1. I can not access the shares using the linux local accounts
   --> receive: the credentials supplied conflict with an existing set of credentials
   is this another PAM configuration problem?

2. I can't configure the homes directory to be a default path (ie path /home/userfile)
   --> receive: the specified network password is not correct
   --> creating this as a standard [userfile] share with read only allowed works

any help would be appreciated

-----Original Message-----
From: Chris McKeever [mailto:cgmckeever@prupref.com]
Sent: Sunday, November 17, 2002 9:55 AM
To: 'samba@lists.samba.org'
Subject: RE: [Samba] WINBIND configuration and NT Authentication]

Mikko.. you hit the nail on the head with the PAM configuration...

I will fiddle around with those sites to try to get it going (I already locked myself out once...wonderful!)

If anyone has working pam config files that they could post or email, that would be great.

Does one need to restart a pam service after changes are made? If so.. how?

-----Original Message-----
From: Mikko Rautiainen [mailto:mrautia6@welho.com]
Sent: Sunday, November 17, 2002 3:56 AM
To: Samba ML
Subject: Re: [Samba] WINBIND configuration and NT Authentication]

Hi,

Yes, it's possible to authenticate users from a win 2000 server with winbind. For me the PAM configuration was the hardest part. I used mandrake 9 and it has a really good pre config. And if you want to modify the folder/file permissions from the NT/W2k PDC then don't use ReiserFS as the filesystem. Use either EXT3 or XFS. Maybe ReiserFS 4 will have the ACL support.

I have had difficulties with suse and samba. Like my suse8 home server needs a restart after 2 days and I don't know the reason why. I just lose the connection to the samba.

So the winbind part was easy to make work in mandrake 9, just need to config smb.conf right and that's about it. The PAM is a bit harder (to me at least). PAM is the key for the linux end to understand to use the winbind connection. If not correctly configured it can't get the authentication from the Win NT/2k PDC.

Here are some links that were helpful for me.

http://archives.neohapsis.com/archives/pam-list/2001-10/0038.html
http://ma.ph-freiburg.de/tng/tng-users/2001-06/msg00025.html
http://www.samba.org/samba/docs/Samba-HOWTO-Collection.html (very helpful)

Hope these help

Mikko Rautiainen

Chris McKeever wrote:
>Setup:
>  Suse 7.2, Samba 2.2.6
>  Win 2K PDC
>
>Project:
>I would like to use winbind to authenticate users that do not have local
>accounts on the linux machine for access to various file and print shares.
>I have gotten winbind to successfully grab the user and groups from the NT
>box (verified by getent passwd). However, I have had little luck obtaining
>the permission based file share that I would like.
>
>Questions:
>1. Do users accessing the share need local accounts?
>   a. if so, is there a way to export users from win2k into linux?
>2. Can you use NT groups in the smb.conf file to control access?
>3. The documentation on winbind
>http://us2.samba.org/samba/docs/man/winbindd.8.html almost makes it sound as
>if it may be possible to authenticate NT users and grant them login rights
>(actual session login rights, not samba shares) to the linux machine. Is
>this true? If so is there additional configuration to achieve this assuming
>question 1 has been answered and setup properly?
>4. Does anyone know of further online winbind documentation?
>
>Thanks in advance...
>
>Chris McKeever

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
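The messages above name PAM as the hard part of a winbind setup and mention a lockout after editing it. The following is an added example, not part of the thread and not any poster's working configuration: a simplified model of how the control flags in a PAM "auth" stack decide who can log in. Both stacks and the three login scenarios are constructed for illustration.

```python
# Added example: simplified model of how PAM walks an "auth" stack.
# Both stacks below are constructed samples, not configs posted in the thread.
LOCKOUT_PRONE = """\
auth required pam_winbind.so
auth required pam_unix.so use_first_pass
"""
WITH_FALLBACK = """\
auth required   pam_nologin.so
auth sufficient /lib/security/pam_winbind.so
auth required   pam_unix.so use_first_pass   # local accounts still work
"""

# Constructed module outcomes for three kinds of login attempt.
SCENARIOS = {
    "local":   {"pam_nologin.so": True, "pam_unix.so": True,  "pam_winbind.so": False},
    "domain":  {"pam_nologin.so": True, "pam_unix.so": False, "pam_winbind.so": True},
    "unknown": {"pam_nologin.so": True, "pam_unix.so": False, "pam_winbind.so": False},
}

def parse_auth(text):
    """Return [(control, module)] for the auth lines of a PAM service file."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack

def authenticate(stack, outcomes):
    """Evaluate required/requisite/sufficient/optional for one login attempt."""
    failed = succeeded = False
    for control, module in stack:
        ok = outcomes.get(module, False)
        if control == "sufficient":
            if ok and not failed:
                return True          # stops here; later modules are skipped
            continue                 # a failed "sufficient" is ignored
        if ok:
            succeeded = True
        elif control == "requisite":
            return False             # fails immediately
        elif control == "required":
            failed = True            # fails, but the rest of the stack still runs
    return succeeded and not failed

def who_can_log_in(text):
    stack = parse_auth(text)
    return {who: authenticate(stack, o) for who, o in SCENARIOS.items()}

if __name__ == "__main__":
    for name, cfg in (("lockout-prone", LOCKOUT_PRONE), ("with fallback", WITH_FALLBACK)):
        print(name, who_can_log_in(cfg))
```

With both modules marked "required", an account must exist locally and in the domain, so neither kind of user gets in; keeping a root session open while testing such edits avoids being locked out.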
Andrew Bartlett
2002-Nov-18 09:46 UTC
FW: [Samba] WINBIND configuration and NT Authentication]
On Mon, 2002-11-18 at 08:46, Chris McKeever wrote:
> Thanks Mikko - pieced the 3 links you sent and got new configs...
>
> Well..I have successfully got the PAM files so NT users can login from the
> terminal as well as through the samba shares (no local users required),
> including using the NT groups to provide share level permissions.
>
> Now here is the next battle:
>
> 1. I can not access the shares using the linux local accounts
>    --> receive: the credentials supplied conflict with an existing set
>    of credentials
>    is this another PAM configuration problem?

No, this is a windows client-side limitation. You already have a connection to the server, and windows only allows one username per remote server at one time.

> 2. I can't configure the homes directory to be a default path (ie path
>    /home/userfile)
>    --> receive: the specified network password is not correct
>    --> creating this as a standard [userfile] share with read only
>    allowed works

I'm not quite sure what you are trying to do here.

Andrew Bartlett

--
Andrew Bartlett abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet@samba.org
Student Network Administrator, Hawker College abartlet@hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
Christopher Odenbach
2002-Nov-18 11:14 UTC
FW: [Samba] WINBIND configuration and NT Authentication]
Hi,

> > 1. I can not access the shares using the linux local accounts
> >    --> receive: the credentials supplied conflict with an existing
> >    set of credentials
> >    is this another PAM configuration problem?
>
> No, this is a windows client-side limitation. You already have a
> connection to the server, and windows only allows one username per
> remote server at one time.

You can easily get around this by adding several alias names to the samba server and then making different connections with different user names to these names. Add alias names in smb.conf with

    netbios aliases = name1 name2 name3 ...

I first thought that the limit is one user per _IP_, but it is really one user per netbios name... Quite silly, but works! :-)

Christopher