Hi,

I'm getting confused about the role that kerberos authentication plays.
What exactly is the point of using kerberos to join a samba server to an AD domain?
If using kerberos still requires you to rely on winbindd for all the nsswitch stuff then what is the point?

I can just as easily specify
    workgroup = wkgrp
    security = domain

and do a
    net join

Instead of doing
    realm = wkgrp.krb.realm
    workgroup = wkgrp
    security = ADS

and doing
    net ads join

Are there performance benefits/better security...what??
I think that maybe my understanding of the kerberos setup is a bit flawed.

thanks for any replies,

Mark Le Noury

People,

I'm in a panic... there is no way to migrate files from my NT 4 to the Samba BDC server. I had vampired all the users, but I still get access denied in robocopy when it tries to copy the NTFS security. Any idea what it could be??

I swear to God that I will share a bit of my salary to solve this!! 2 weeks fighting and going through forums, and this weekend my boss will go with Win2000 if I don't find a solution!!

Mark Le Noury wrote:

>Hi,
>
>I'm getting confused about the role that kerberos authentication plays.
>What exactly is the point of using kerberos to join a samba server to an
>AD domain?
>If using kerberos still requires you to rely on winbindd for all the
>nsswitch stuff then what is the point?
>
>I can just as easily specify
>    workgroup = wkgrp
>    security = domain
>
>and do a
>    net join
>
>
>Instead of doing
>    realm = wkgrp.krb.realm
>    workgroup = wkgrp
>    security = ADS
>
>and doing
>    net ads join
>
>
>Are there performance benefits/better security...what??
> I think that maybe my understanding of the kerberos setup is a bit
>flawed.
>
>thanks for any replies,
>
>Mark Le Noury
>

Here is an oversimplified explanation. Configuring kerberos with samba will not give you any additional features. It is definitely more secure -- the linux system will authenticate via kerberos with your AD DC. Aside from the security bonus the only other reason you would want to consider doing this is if your Active Directory is running in Native Mode. If this is the case, you *have* to use kerberos if you wish to become a full domain member.

Otherwise, if you are running in Mixed Mode (the default mode on 2000/2003) and the added benefits of kerberos security are not a requirement, then by all means run in domain mode as an old style NT system and enjoy being free from the headaches of kerberos compatibility issues.

Christian

Hi Christian,

Can you explain what winbindd has to do with kerberos and the ADS security mode? I was using the DOMAIN security mode without it and now I am trying to make it work with ADS (our Win2K3 server will be in Native mode for ... security reason!).

Do I really need winbindd even if I only need to have a Samba share available to some Windows XP/2000 machines via the same Windows logon and no need to log on the Unix box running the Samba share?

Regards,
Marcello

-----Original Message-----
From: Christian Merrill [mailto:cmerrill@redhat.com]
Sent: Wednesday, 13 October 2004 09:21
To: Mark Le Noury
Cc: samba@lists.samba.org
Subject: Re: [Samba] kerberos and/or winbind ??

Mark Le Noury wrote:

>Hi,
>
>I'm getting confused about the role that kerberos authentication plays.
>What exactly is the point of using kerberos to join a samba server to
>an AD domain? If using kerberos still requires you to rely on winbindd
>for all the nsswitch stuff then what is the point?
>
>I can just as easily specify
>    workgroup = wkgrp
>    security = domain
>
>and do a
>    net join
>
>
>Instead of doing
>    realm = wkgrp.krb.realm
>    workgroup = wkgrp
>    security = ADS
>
>and doing
>    net ads join
>
>
>Are there performance benefits/better security...what??
> I think that maybe my understanding of the kerberos setup is a bit
>flawed.
>
>thanks for any replies,
>
>Mark Le Noury
>

Here is an oversimplified explanation. Configuring kerberos with samba will not give you any additional features. It is definitely more secure -- the linux system will authenticate via kerberos with your AD DC. Aside from the security bonus the only other reason you would want to consider doing this is if your Active Directory is running in Native Mode. If this is the case, you *have* to use kerberos if you wish to become a full domain member.

Otherwise, if you are running in Mixed Mode (the default mode on 2000/2003) and the added benefits of kerberos security are not a requirement, then by all means run in domain mode as an old style NT system and enjoy being free from the headaches of kerberos compatibility issues.

Christian

Matías Barletta
2004-Oct-18 17:22 UTC
[Samba] W2k Permissions to Samba Share- ACE convert to posix Failed
Guys,

I found that when trying to set up permissions within W2k on a Samba shared file, I get access denied.

My conf is
Suse 9.1 Pro
Samba 3.0.7 (ACL support)
Reiserfs with ACL support
- Winbind works great
- Everything smooth

The file has only 4 ACLs, so it's not a problem of the amount of ACLs in the file, but I can see that the log message says... Too many ACE entries for file . to convert to posix perms. -- I say... they are not so many!

The log message shows this

[2004/10/18 09:13:40, 3] passdb/lookup_sid.c:fetch_uid_from_cache(173)
  fetch uid from cache 10000 -> S-1-5-21-538738344-134243190-1478062314-1003
[2004/10/18 09:13:40, 3] passdb/lookup_sid.c:fetch_uid_from_cache(173)
  fetch uid from cache 10000 -> S-1-5-21-538738344-134243190-1478062314-1003
[2004/10/18 09:13:40, 3] smbd/dosmode.c:unix_mode(111)
  unix_mode(.) returning 0744
[2004/10/18 09:13:40, 3] smbd/posix_acls.c:convert_canon_ace_to_posix_perms(2506)
  convert_canon_ace_to_posix_perms: Too many ACE entries for file . to convert to posix perms.
[2004/10/18 09:13:40, 3] smbd/posix_acls.c:set_nt_acl(3147)
  set_nt_acl: failed to convert file acl to posix permissions for file ..
[2004/10/18 09:13:40, 3] smbd/error.c:error_packet(105)
  error string = Function not implemented
[2004/10/18 09:13:40, 3] smbd/error.c:error_packet(129)
  error packet at smbd/nttrans.c(2020) cmd=160 (SMBnttrans) NT_STATUS_ACCESS_DENIED

Thanks!!!
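
An added triage example (not part of the original message and not Samba code): a small parser for smbd level-3 log entries like the ones quoted above, which ties each failed NT ACL conversion to the NT status returned to the client. The two-line entry layout in SAMPLE_LOG is reconstructed from the log in the message, and the names parse_entries and acl_failures are hypothetical.

```python
import re

# Constructed sample: smbd level-3 entries taken from the message above,
# laid out as one header line plus one indented message line per entry.
SAMPLE_LOG = """\
[2004/10/18 09:13:40, 3] smbd/dosmode.c:unix_mode(111)
  unix_mode(.) returning 0744
[2004/10/18 09:13:40, 3] smbd/posix_acls.c:convert_canon_ace_to_posix_perms(2506)
  convert_canon_ace_to_posix_perms: Too many ACE entries for file . to convert to posix perms.
[2004/10/18 09:13:40, 3] smbd/posix_acls.c:set_nt_acl(3147)
  set_nt_acl: failed to convert file acl to posix permissions for file ..
[2004/10/18 09:13:40, 3] smbd/error.c:error_packet(105)
  error string = Function not implemented
[2004/10/18 09:13:40, 3] smbd/error.c:error_packet(129)
  error packet at smbd/nttrans.c(2020) cmd=160 (SMBnttrans) NT_STATUS_ACCESS_DENIED
"""

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+),\s*(?P<level>\d+)\] "
                    r"(?P<src>[\w./]+):(?P<func>\w+)\((?P<line>\d+)\)\s*$")
STATUS = re.compile(r"\bNT_STATUS_\w+")

def parse_entries(text):
    """Group each header line with the indented message lines that follow it."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            entries.append({**m.groupdict(), "msg": ""})
        elif entries and raw.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + raw.strip()).strip()
    return entries

def acl_failures(entries):
    """Pair each ACL conversion failure with the NT status of the next error packet."""
    findings, pending = [], None
    for e in entries:
        if e["func"] == "convert_canon_ace_to_posix_perms":
            pending = {"ts": e["ts"], "reason": e["msg"], "status": None}
        elif e["func"] == "set_nt_acl" and pending is None:
            pending = {"ts": e["ts"], "reason": e["msg"], "status": None}
        elif e["func"] == "error_packet" and pending:
            s = STATUS.search(e["msg"])
            if s:  # the first error_packet line carries no NT status; keep waiting
                pending["status"] = s.group(0)
                findings.append(pending)
                pending = None
    return findings

if __name__ == "__main__":
    for f in acl_failures(parse_entries(SAMPLE_LOG)):
        print(f["ts"], f["status"], "<-", f["reason"])
```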