Melfi.Marcello@hydro.qc.ca
2004-Oct-19 18:14 UTC
[Samba] Issues/Questions about Samba 3.x.x versus it's Worki ng Status
Hi Jerry, First, thanks a lot for the answers! In regards, to your reply, can you provide a little bit more precisions here: 1. The question 1 was about not using winbindd when in ADS security mode. Is the answer still Yes? I know that it is true when in DOMAIN security mode. 2. About Question 6, from your answer, my understanding is that the Samba server must be in the same domain as the Win2K/Win2K3 server. In other words the full name of these machines would be "sambaserver.domaineA.com" and "win2kserver.domaineA.com". Is this true whether it is with the DOMAIN or ADS security mode? Regards, Marcello -----Message d'origine----- De : Gerald (Jerry) Carter [mailto:jerry@samba.org] Envoy? : mardi 19 octobre 2004 10:01 ? : Melfi.Marcello@hydro.qc.ca Cc : samba@lists.samba.org Objet : Re: [Samba] Issues/Questions about Samba 3.x.x versus it's Working Status -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Melfi.Marcello@hydro.qc.ca wrote: | 1. I once asked if it was possible not to use winbindd | and just use the "username map" parameter/file. I never got any answer | to that... Is that a tough question? Yes. | 2. When using winbindd, can I still use the "username | map" parameter/file so that I link Windows accounts to the same Unix | one? Right now, this does not seem to work... Is there some issues | with this? What is the exact syntax? See my post about this earlier today. | 3. Is PAM absolutely required? I do not think so, but, | hey, you never know... No. not required. | 4. I saw in a few mails on Google that the | command "wbinfo --set-auth-user DOMAINNAME\\Administrator%password" | is sometime required? Is it true? What is it all about? No. not required nor needed in the latest Samba releases (especially when using security = ads). | 5. I saw also in a lot of mails on Google and Samba list | that it was required to copy the libnss_winbind.so (from | the nsswitch directory in the samba source) to the /lib directory. | However, the target filename is sometime nss_winbnid.so, sometime | libnss_winbind.so, sometime ending with .so.1 or .so.2, etc. What is | it all about? What is really required? Is this system specific? nss_winbind.so is the NSS library used to export domain users and groups to the underlying UNIX OS. It is required when you run winbindd and the name is OS specific. | 6. Does the Samba server (aka the Unix box) need to be in the same | domain as the Win2K3 server? Same question for the client | workstations? Yes and no. Suggest you re-reead the documentation on security = [domain|ads] | 7. I saw in some other mails/documents (too many read in | a short period) that it may be required to change the | Windows account's password? Is this true? If so, when | is it required and with what typical configuration? Normally this is handled automatically for you by smbd (if appropriate) once you are joined to a domain. cheers, jerry - --------------------------------------------------------------------- Alleviating the pain of Windows(tm) ------- http://www.samba.org GnuPG Key ----- http://www.plainjoe.org/gpg_public.asc "If we're adding to the noise, turn off this song"--Switchfoot (2003) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFBdR4CIR7qMdg1EfYRAj6OAKCZV7HpL4cuwLmpzLXVnFTEoeWABQCfUFa5 HE1bh8awLFwbDunY7VzXnjY=EYiB -----END PGP SIGNATURE-----
Gerald (Jerry) Carter
2004-Oct-20 13:39 UTC
[Samba] Issues/Questions about Samba 3.x.x versus it's Worki ng Status
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Melfi.Marcello@hydro.qc.ca wrote: | 1. The question 1 was about not using winbindd when | in ADS security mode. Is the answer still Yes? I know that | it is true when in DOMAIN security mode. Yes. But see my posting yesterday about username mapping semnatics in the current code. | 2. About Question 6, from your answer, my understanding is | that the Samba server must be in the same domain as | the Win2K/Win2K3 server. In other words the full name of | these machines would be "sambaserver.domaineA.com" and | "win2kserver.domaineA.com". Is this true whether it is | with the DOMAIN or ADS security mode? The short answer anser to your question is that you should just join the Samba box and Windows box to the same domain. But Samba does have as close ties with the DNS domain as Windows does. But what you asking is more of a general question about Windows domain security and not necessarily Samba. I really think you should spend some more time reading docs on Windows domains. You need to understand the concept of domain users and groups and what it means to be a member of a Windows domain. cheers, jerry - --------------------------------------------------------------------- Alleviating the pain of Windows(tm) ------- http://www.samba.org GnuPG Key ----- http://www.plainjoe.org/gpg_public.asc "If we're adding to the noise, turn off this song"--Switchfoot (2003) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFBdmp5IR7qMdg1EfYRAkk2AJ9mdSOpbtUX8nHWoSkUbhvm/z04/wCgmOdG yBkiNEoQmeXTzjCCCbJ8mv4=H/VI -----END PGP SIGNATURE-----
Apparently Analagous Threads
- Issues/Questions about Samba 3.x.x versus it's Working Status
- Samba's ADS security mode on Sun Solaris
- Small bug with Samba 3.0.7's smbd process (or just a bad compilation)???
- R-beta: Hypergeometric Probabilities
- 2 log files for the same client workstation accessing a Samba sha re