I'm a bit confused on several points of the security infrastructure of Samba.

First, and simplest, why (and is it necessary) do we need to keep a smbpasswd file when the Linux/Unix passwd file could suffice? I like the idea of mapping particular users to a given UNIX account via the username map option, but I see no reason for specifying a separate password file for these same UNIX users.

Secondly, and more to the point, why (again, and is it necessary) do we need this smbpasswd file if we are authenticating against a domain?

Ideally, I'd like to be able to authenticate against the NT domain, and then map users to particular accounts. Users who are not mapped to a given account will be mapped to a generic guest account with security tightened and access limited if even available.

_________________
Jeremy Nix
Senior Application Developer
Southwest Financial Ltd.
Jeremy.Nix@sfsltd.com
(513) 621-6699 ext 1158
If you have set a WINS server, the following security setup should give you your 'ideal' scenario: NT domain authentication to a PDC with the ability to use a username map for cross-platform account name mapping. Mapping to a generic (guest) account will happen automatically if you do not use 'guest ok = yes' (that may be the default, I don't know - we don't allow it).

    security = DOMAIN
    password server = *
    encrypt passwords = yes

Make sure your Samba server has been joined to the domain as a machine account.

I don't know the answer to the first part (why an additional password file is used). I was never sure why the standard library routines like getpwent(), etc. weren't used. I'm sure there's a good reason.

Hope that helps.

Cheers - Andy

-----Original Message-----
From: Jeremy Nix [mailto:Jeremy.Nix@sfsltd.com]
Sent: Tuesday, May 06, 2003 9:24 AM
To: samba@lists.samba.org
Subject: [Samba] DOMAIN level security with smbpasswd???

I'm a bit confused on several points of the security infrastructure of Samba.

First, and simplest, why (and is it necessary) do we need to keep a smbpasswd file when the Linux/Unix passwd file could suffice? I like the idea of mapping particular users to a given UNIX account via the username map option, but I see no reason for specifying a separate password file for these same UNIX users.

Secondly, and more to the point, why (again, and is it necessary) do we need this smbpasswd file if we are authenticating against a domain?

Ideally, I'd like to be able to authenticate against the NT domain, and then map users to particular accounts. Users who are not mapped to a given account will be mapped to a generic guest account with security tightened and access limited if even available.

_________________
Jeremy Nix
Senior Application Developer
Southwest Financial Ltd.
Jeremy.Nix@sfsltd.com
(513) 621-6699 ext 1158

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
On Tue, May 06, 2003 at 09:23:48AM -0400, Jeremy Nix wrote:
> I'm a bit confused on several points of the security infrastructure of
> Samba. First, and simplest, why (and is it necessary) do we need to
> keep a smbpasswd file when the Linux/Unix passwd file could suffice?
> I like the idea of mapping particular users to a given UNIX account via
> the username map option, but I see no reason for specifying a separate
> password file for these same UNIX users.

Samba needs its own password file because Windows and UNIX use fundamentally different and incompatible methods of password encryption. You can't get from either password hash back to a clear password, so you can't compare them. If you make the registry change that tells Windows to use unencrypted passwords, then Samba can use the ordinary system passwords. I don't think you can do that with domain security, though.

> Secondly, and more to the point, why (again, and is it necessary) do we
> need this smbpasswd file if we are authenticating against a domain?

You shouldn't need one. It may still exist, of course.

--
Michael Heironimus
Jeremy,

MS Windows NT4/200x/XPPro can not participate in a Domain (as members with a machine trust account) unless Microsoft encrypted passwords are enabled. Microsoft encrypted passwords are hashed using an entirely different algorithm from Unix Crypt. There is no mechanism for converting from Unix Crypt to Microsoft's hashing mechanism - it can be done only from the clear text password itself.

If you elect to use just your unix system user and password database then you can not run Samba as a domain controller for your MS Windows clients. Also, you must re-enable plain text password support in the registry of all your clients. This has the side effect that every time the MS Windows client closes an idle connection (which it can do after 5 - 15 minutes of inactivity) when it goes to restore the connection it will use the MS encrypted password (it does not cache the plain text password).

The account mapping is only to allow MS Windows user names like "Jack Frost" to be mapped in a sensible manner to a unix account name.

- John T.

On Tue, 6 May 2003, Jeremy Nix wrote:
> I'm a bit confused on several points of the security infrastructure of
> Samba. First, and simplest, why (and is it necessary) do we need to
> keep a smbpasswd file when the Linux/Unix passwd file could suffice?
> I like the idea of mapping particular users to a given UNIX account via
> the username map option, but I see no reason for specifying a separate
> password file for these same UNIX users.
>
> Secondly, and more to the point, why (again, and is it necessary) do we
> need this smbpasswd file if we are authenticating against a domain?
>
> Ideally, I'd like to be able to authenticate against the NT domain, and
> then map users to particular accounts. Users who are not mapped to a
> given account will be mapped to a generic guest account with security
> tightened and access limited if even available.
>
> _________________
> Jeremy Nix
> Senior Application Developer
> Southwest Financial Ltd.
> Jeremy.Nix@sfsltd.com
> (513) 621-6699 ext 1158

--
John H Terpstra
Email: jht@samba.org
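As an added example (not a configuration from any of the posters), the following smb.conf fragment assembles the three settings Andy lists with the username map and guest fallback John and Jeremy discuss. The domain name EXAMPLEDOM, the file paths, the share and the user names are assumed placeholders; the Samba host is assumed to already hold a machine trust account in the domain.

```ini
# Added example smb.conf fragment; EXAMPLEDOM, paths and names are placeholders.
[global]
   workgroup = EXAMPLEDOM
   # Pass user authentication to the domain controllers instead of checking a
   # local smbpasswd file. The machine trust account (created when the host was
   # joined to the domain) is what lets Samba ask the DC to validate users.
   security = DOMAIN
   # "*" makes Samba find the PDC/BDCs by NetBIOS name resolution, which is why
   # a WINS server (or working broadcast resolution) is needed.
   password server = *
   # Domain membership uses the Microsoft challenge/response scheme, which needs
   # the NT-style hash. Unix crypt(3) hashes cannot be converted into it, so
   # plain-text passwords (and a client registry change) would be the only
   # alternative, and that is not available with domain security.
   encrypt passwords = yes
   # Translate domain user names such as "Jack Frost" to local UNIX accounts.
   # The map file (placeholder path) holds lines of the form:
   #   jfrost = "Jack Frost" EXAMPLEDOM\jfrost
   #   nobody = *
   # Mapping only renames the user; the DC still has to accept the password.
   username map = /etc/samba/smbusers
   # A logon whose (mapped) user name has no UNIX account is treated as a guest
   # session. A wrong password for an existing user is still rejected.
   map to guest = Bad User
   guest account = nobody

# Guests only reach shares that explicitly allow them, and then read-only.
[public]
   path = /srv/samba/public
   guest ok = yes
   read only = yes

[home-data]
   path = /srv/samba/home-data
   guest ok = no
   valid users = jfrost
   read only = no
```

Because the guest account is the UNIX user named in "guest account", the effective limit on guest access is the filesystem permissions of that account plus the per-share "guest ok" and "read only" settings.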