I'm sorry if this post came through already ...

Hi,

I'm working on a project where the plan is to place a number of Samba servers on different locations as file and print servers. The samba server is supposed to be a part of the AD, which is easily done, but the samba servers are to contain a number of shares that only people with a valid logon on the AD will be able to access.

How can this be achieved? Do I have to promote each Samba server to become a Domain Controller and create a trust between the DC and the Samba DC? I'm hoping there is a way to make Samba check the login on the DC and based on that give access to the share.

I hope I am being clear enough.

In short: An AD user wishes to access a Samba share, but needs to be authenticated somehow.

I hope you can help me out.

--
Lars Wiberg
On Wed, 10 Sep 2003, Lars Wiberg wrote:

> I'm sorry if this post came through already ...
>
> Hi,
>
> I'm working on a project where the plan is to place a number of Samba servers on different locations as file and print servers. The samba server is supposed to be a part of the AD, which is easily done, but the samba servers are to contain a number of shares that only people with a valid logon on the AD will be able to access.
>
> How can this be achieved? Do I have to promote each Samba server to become a Domain Controller and create a trust between the DC and the Samba DC? I'm hoping there is a way to make Samba check the login on the DC and based on that give access to the share.
>
> I hope I am being clear enough.

Chapter 14, "File, Directory and Share Access Controls", Samba-HOWTO-Collection.pdf. This document ships with Samba-3.0.0, in the ~samba/docs directory. Available from links on the samba web site under documentation.

I hope I am being clear enough also.

If this does not solve your problem please let us know.

- John T.

> In short: An AD user wishes to access a Samba share, but needs to be authenticated somehow.
>
> I hope you can help me out.

--
John H Terpstra
Email: jht@samba.org
To follow up on this, I have been studying the documentation more intensively yesterday evening, and have concluded that the current release of Samba cannot do what I am trying to achieve.

What I forgot to mention yesterday was that there are to be no unix accounts on the Samba server, meaning the only user administration involved is from the Active Directory (AD), but after doing a more thorough study of the documentation, this paragraph came up:

"In the course of development of Samba-3, a number of requests were received to provide the ability to migrate MS Windows NT4 SAM accounts to Samba-3 without the need to provide matching UNIX/Linux accounts. We called this the Non UNIX Accounts (NUA) capability. The intent was that an administrator could decide to use the tdbsam backend and by simply specifying passdb backend = tdbsam_nua this would allow Samba-3 to implement a solution that did not use UNIX accounts per se. Late in the development cycle, the team doing this work hit upon some obstacles that prevents this solution from being used. Given the delays with Samba-3 release a decision was made to NOT deliver this functionality until a better method of recognising NT Group SIDs from NT User SIDs could be found. This feature may thus return during the life cycle for the Samba-3 series."

If I understand that paragraph correctly, it is currently not possible to authenticate users on a Samba server solely from an Active Directory. The only possible way is to create unix accounts on the Samba server - which means more user administration.

Thank you all, for your input.

Can anybody from the Samba team tell me how far into the horizon I have to look for this feature? From the documentation, it seems to me that a lot of work has gone into this already.

--
Lars Wiberg

"Lars Wiberg" <lw@c.dk> wrote in message news:bjn10s$jp8$1@sea.gmane.org...
> I'm sorry if this post came through already ...
Have you looked at winbind? It allows you to not have to manually create the Unix accounts, as it integrates with nsswitch.

-Tom

Lars Wiberg wrote:
| To follow up on this, I have been studying the documentation more intensively yesterday evening, and have concluded that the current release of Samba cannot do what I am trying to achieve.
|
| What I forgot to mention yesterday, was that there is to be no unix accounts on the Samba server, meaning the only user administration involved is from the Active Directory (AD) [...]
|
| Can anybody from the Samba team tell me how far into the horizon I have to look for this feature?
Yet another update - I'm learning :-)

I hope you will take the time to read it. Please forgive the confusion / my ignorance. I haven't been using Samba since 1998. Taking the time to read the documentation (which has exploded in size since my last taste of Samba) chapter by chapter really helps a lot. With the excellent input from John and Tom, I have come to understand that Winbind seems to be the solution I am looking for.

To further describe the project I'm working on (which I find very exciting), I will give a (brief?) project description here:

The actual case I am working on involves something in the area of 130 locations. A Samba server for each location is what we are considering. The demand is that there is a transparent integration between Linux and an Active Directory on a Windows 2000 Server, making the added Samba server 'invisible' to the user. The Samba server must not require extra user accounts, no extra administration - in other words, no extra chores for me as an administrator of the network once they have been set up.

The Samba server is to function as a fileserver with user shares and common shares for the location. Access to these shares must be centralised, avoiding per server administration. Even the smallest degree of maintenance and administration on each server will obviously render many extra work hours.

The core concern for me is user maintenance and administration, but this seems to be solved with Winbind since it can tap into the AD to get user credentials from there. That eliminates maintenance of more userbases, and that takes a great load off.

All usernames in the AD are created in this format: locationprefix.username (example: ags.hdj) and are all on the same domain: xxx.yyy.local ... Will this be a problem? Will the username delimited with a '.' be considered invalid by Winbind or Samba?
This may be irrelevant since we are not talking about Unix accounts anymore, but nonetheless, I would like to know if Samba makes any kinds of checks before it passes anything on to Winbind. If this doesn't make any sense, don't worry, I will of course test it.

All users are arranged in Global Security Groups (GSG) in the format GRP<locationprefix>USER (example: GRPAGSUSER). I would like to give each user access to their own home share, and the whole group access to the common share using the GSG. This will involve some scripting to automate that process.

Am I missing some angles here, or can you follow me in what I am trying to achieve?

I am going to tinker with Samba-3 at home this weekend, and hopefully Winbind as well, to gain more knowledge and be able to ask even more qualified questions in the following week :-)

So far, thank you for all your input. This is a large project, and if I can make this plan work, I appreciate all the help you guys will give me.

John Terpstra: About the documentation, I will read more into it and give you some input about whether or not it is confusing. My first posts were the result of a: "Can this be done, find out and let me know in a couple of hours!" from my boss, after which I bolted to the Samba-3 documentation and skimmed it very rapidly, with a poor result.

Have a great weekend everybody.

--
Lars Wiberg
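For reference, here is what the winbind-based member server discussed in this thread looks like in smb.conf. This is an added example, not configuration posted by anyone in the thread; it uses current Samba syntax (the `idmap config` form), not the Samba-3.0.0 of 2003, and the workgroup/realm names are placeholders for the thread's xxx.yyy.local, while GRPAGSUSER and ags.hdj are taken from Lars's description. The per-user home share needs no per-server scripting: the [homes] section is instantiated for whichever AD user connects.

```ini
# smb.conf for an AD member server with no local Unix accounts (added example).
# /etc/nsswitch.conf must also hand account lookups to winbind:
#   passwd: files winbind
#   group:  files winbind
[global]
    workgroup = XXX                     ; placeholder for the short domain name
    realm = XXX.YYY.LOCAL               ; placeholder for xxx.yyy.local
    security = ads                      ; join the domain; credentials are checked on the DC

    ; winbind maps AD SIDs to uid/gid ranges on the fly, so no useradd per server.
    idmap config * : backend = tdb
    idmap config * : range = 10000-19999
    idmap config XXX : backend = rid
    idmap config XXX : range = 100000-999999

    ; Show "ags.hdj" rather than "XXX\ags.hdj". The default winbind separator is
    ; the backslash, so a '.' inside the username is just part of the name.
    winbind use default domain = yes
    template homedir = /home/%D/%U
    template shell = /bin/false         ; AD accounts get no interactive shell

; Per-user home share: each user sees only a share named after their own account,
; e.g. \\server\ags.hdj. %S is the requested share name, which equals the username.
[homes]
    comment = Home directory
    browseable = no
    read only = no
    valid users = %S

; Location-wide share, gated by the location's global security group.
; The leading '@' means "group"; membership is evaluated from AD through winbind,
; so adding or removing a user in the GSG is the only administration needed.
[common]
    path = /srv/samba/common
    read only = no
    valid users = @"XXX\GRPAGSUSER"
    force group = "XXX\GRPAGSUSER"
```

After `net ads join -U <admin account>` on each server, `wbinfo -u` and `getent passwd ags.hdj` confirm that AD accounts resolve through winbind without any entry in /etc/passwd.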