We have been able to get windows workstations to validate against win2k for authentication, but in looking at local shares on the linux box (via samba), do the users need to be localized to a group in /etc/group to allow access to files on the linux system that samba is running on. Here is the smb.conf we have come up with (along with modifications):

[global]
workgroup = donbest
netbios name = servlets
comment = Servlets Machine
os level = 34
#
# modified from domain to "*"
#
# NOTE(review): "*" lets Samba locate a domain controller by name lookup
# instead of using a fixed list. With "security = domain" this host needs
# its own machine account in the domain before authentication can succeed.
password server = *
security = domain
encrypt passwords = Yes
smb passwd file = /etc/samba/smbpasswd
# NOTE(review): with "map to guest = Bad User", a login under a user name
# Samba cannot resolve is not rejected; it becomes a guest session running
# as the guest account. Every share with "guest ok = Yes" is then reachable
# without valid credentials. Unix account names are case-sensitive, so
# confirm that an account spelled exactly "Nobody" exists on this host.
guest account = Nobody
map to guest = Bad User
# NOTE(review): this file decides which Unix account a client-supplied name
# is mapped to. Keep it owned by root and not writable by group or others.
username map = /etc/linuxtowin2k
#
# modified name resolve order to use WINS instead of local file
#
name resolve order = wins lmhosts bcast
# This tells samba to use the file smbusers for user mapping.
; username map = /etc/samba/smbusers
# This tells samba to write log files per machine.
# NOTE(review): left disabled here; per-client log files make it easier to
# attribute share access to a specific workstation when reviewing an incident.
; log file = /var/log/samba/%m
# This sets an alternate log level. Default is 2.
; log level = 3
#
# password level (to match current username/password scheme in office)
#
# NOTE(review): per smb.conf(5), "password level" applies only to plain-text
# passwords, so it should have no effect while "encrypt passwords = Yes".
# Large values for either parameter make Samba try many upper/lower-case
# variants, which slows failed lookups and, for plain-text passwords,
# reduces the effective case sensitivity of the password.
password level = 12
username level = 12
# Uncomment the following, if you want to use an existing NT-Server to
# authenticate users, but don't forget that you also have to create them
# locally!
; security = server
; password server = 192.168.1.10
printing = LPRNG
printcap name = /etc/printcap
load printers = Yes
# These settings are a suggestion for a local network. Cf. section
# 'socket options' in the man page of smb.conf and socket(7).
socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
# Uncomment this, if you want to integrate your server
# into an existing net e.g. with NT-WS to prevent nettraffic
local master = No
# Please uncomment the following entry and replace the ip number and
# netmask with the values of your network interface configuration.
#
# values are subject to change once we assign permanent addr
#
# NOTE(review): "interfaces" by itself does not limit which addresses smbd
# listens on; "bind interfaces only = yes" is the parameter that does.
# As written, "hosts allow" is the only network-level restriction: two
# subnets by address prefix, plus localhost.
interfaces = 172.21.2.117/255.255.255.0
remote announce = 172.21.2.117
hosts allow = 172.21.2. 172.21.3. localhost
# If you want Samba to act as a wins server, please set
# 'wins support' to yes.
wins support = No
# If you want Samba to use an existing wins server, please uncomment the
# following line and replace the dummy with the wins server's ip number.
#
# Points at current auth. machine in domain "donbest"
#
wins server = 172.21.2.6
dns proxy = No
#
# Winbind config
#
# NOTE(review): winbind hands out Unix uids/gids for domain accounts from
# these ranges. They must not overlap ids already used in /etc/passwd and
# /etc/group, otherwise a domain account could share file ownership with an
# unrelated local account. Domain names only resolve on the Unix side if
# the system name service is configured to consult winbind - confirm.
winbind separator = +
winbind gid = 10000-20000
winbind uid = 10000-20000
# NOTE(review): a real shell here gives every domain account an interactive
# login wherever PAM accepts winbind users. If the host is meant for file
# sharing only, a non-login shell is the least-privilege choice.
template shell = /bin/bash
template homedir = /home/%D/%U
winbind enum groups = yes
winbind enum users = yes
# Set these two parameters to your DOS code page and appropriate UNIX
# character set. These values are for west European languages (Latin-9)
# UNIX character and MS-DOS Latin 1 code page.
character set = ISO8859-15
client code page = 850
# This is a simple measure against Nimda Worm. Cf. README.Win32-Viruses
# NOTE(review): veto files matches file names only; it does not inspect
# content, so a renamed file passes. Treat it as a supplement to scanning
# on the clients, not a replacement.
veto files = /*.eml/*.nws/riched20.dll/*.{*}/
# Do you want samba to act as a logon-server for your windows 95/98
# clients? If so, uncomment the following:
; domain logons = Yes
domain master = No
preferred master = no
# For a specific logon script per user
; logon script = %U.bat
# For a specific logon script per machine
; logon script = %m.bat
# Where to store the logon scripts.
;[netlogon]
; comment = Network Logon Service
; path = /var/lib/samba/netlogon
# Where profiles of Windows 9x systems are stored.
# First example for a centralized place.
; logon home = \\%L\profiles\%U
# Second example for a subdirectory of the users home.
; logon home = \\%L\%U\profile
# Where profiles of Windows NT systems are stored.
; logon path = \\%L\profiles\%U
# Extra share for profiles. Default is the home of the user.
;[profiles]
; comment = Network Profiles Service
; path = /var/lib/samba/profiles
; browseable = No

# NOTE(review): this share gives guest sessions write access to the system
# /tmp. Together with "map to guest = Bad User" in [global], a client inside
# "hosts allow" needs no valid account to write here. /tmp is also used by
# local processes, so guests can fill it or read world-readable files left
# there. A dedicated directory on its own filesystem, or "guest ok = No",
# keeps the exposure contained.
[temp]
comment = Temporary File Space
path = /tmp
read only = No
guest ok = Yes

# NOTE(review): "valid users" only gates who may connect over SMB; once
# connected, normal Unix permissions on /dbs/share apply to the mapped
# account. "@testgroup" is resolved as a Unix (or NIS) group on this host,
# so the group has to be visible to the system, either in /etc/group or
# through winbind. A winbind-resolved domain group would carry the domain
# prefix and the "+" separator (DOMAIN+group) - confirm which is intended.
[test]
comment = Test Network on Servlets
path = /dbs/share
valid users = @testgroup
; force group = @dbsapps
# "read only = No" and "writeable = Yes" express the same setting.
read only = No
writeable = Yes
guest ok = No
# NOTE(review): the 0777 masks combined with the 0777 force modes make every
# new file and directory readable, writable and executable by all accounts
# on the Linux host, whatever "valid users" says. Subject to the permissions
# on /dbs/share itself, any local user can then change the shared data.
# Group-scoped modes together with a "force group" would limit this.
create mask = 0777
force create mode = 0777
directory mask = 0777
force directory mode = 0777

# NOTE(review): with a fixed "path = /home" and no %S or %U in it, each
# user's home share resolves to /home itself, not to that user's own
# directory, so users see the parent of all home directories. smb.conf(5)
# suggests the %S macro when a path is set in [homes]; presumably
# /home/%S was intended - confirm.
[homes]
comment = Home Directories
path = /home
# "read only = No" and "writable = Yes" express the same setting.
read only = No
writable = Yes
create mask = 0640
directory mask = 0750
browseable = no