DeStefano, Paul
2004-Oct-29 16:16 UTC
[Samba] winbind name service required for active directory (ADS) authentication and group-based authorization?
Hello Samba Gurus,

Is using the winbind name service required in order to get authentication AND authorization via ADS? I'll explain further.

Goal: create a samba share for which clients are authenticated via native ADS and access is based on ADS group membership. I've actually done this in the old Windows NT world. Worked okay. It wasn't too hard, except for the winbind piece (see problem below). But, now, I question the necessity of winbind in the case that samba uses ADS authentication.

Problem: On Solaris 8, the passwd binary will not accept 'winbind' in /etc/nsswitch.conf. (I've been over this many times. In the past, we wrote an interposer lib for the fopen() call, which I posted, and pre-loaded it on smbd, but libnss has been changed since then and it doesn't work any more... long story.)

Solution: ADS, perhaps? I've read lots of documents and they seem to indicate that, when using ADS authentication (by which I mean security=ADS and the proper realm, etc.) winbind is NOT involved in the authentication process. It says smbd participates in Kerberos ticketing, like a normal "Domain Member", to authorize samba clients. (Details found here: http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html) I think that means it gets the client user authorization directly from ADS; winbind is not involved.

Well, if that's true, then samba has everything it needs to authorize clients by group membership, not just authenticate users, without consulting winbind. The Kerberos ticket that it receives during authentication includes all sorts of information about the user... including the user's group memberships. Is that right?

This isn't particular to ADS, I suppose, now that I think about it; probably the same as before ADS. But, I couldn't find any examples of samba using windows authentication without winbind.

You're probably wondering what is going to happen after authentication and authorization without winbind to map users to UNIX UIDs. Me too. That's my follow-up question. I hope that samba can use the unqualified username (without the 'DOMAIN\' prefix) to find a match using the normal resolution so that we can just populate /etc/passwd. Think that will work? Actually, we intend to use "force user =", as in the past, so it really doesn't matter what happens with the UID mappings, but samba might not be that clever. It may insist on successfully resolving usernames before checking options like "force user".

I hope that made sense. It only took me slightly longer to compose this message than to compile samba with krb-auth and test it myself, so I hope someone out there has some insights. To be honest, I did try it, but I'm not sure I compiled it all correctly. It wasn't clear from the errors what the actual problem was. And, I couldn't get it to work *with* winbind, either, so that's why I'm posting.

Thank you,
Paul

__
Paul DeStefano
paul.destefano<at>nwdc.net
Luke Mewburn
2004-Oct-29 23:16 UTC
[Samba] winbind name service required for active directory (ADS) authentication and group-based authorization?
On Fri, Oct 29, 2004 at 09:16:02AM -0700, DeStefano, Paul wrote:
| Solution: ADS, perhaps?
|
| I've read lots of documents and they seem to indicate
| that, when using ADS authentication (by which I mean
| security=ADS and the proper realm, etc.) winbind is NOT
| involved in the authentication process. It says smbd
| participates in Kerberos ticketing, like a normal "Domain
| Member", to authorize samba clients. (Details found here:
| http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html)
| I think that means it gets the client user authorization
| directly from ADS; winbind is not involved.
|
| Well, if that's true, then samba has everything it needs to
| authorize clients by group membership, not just authenticate users,
| without consulting winbind. The Kerberos ticket that it receives
| during authentication includes all sorts of information about the
| user... including the user's group memberships. Is that right?
|
| This isn't particular to ADS, I suppose, now that I think about it;
| probably the same as before ADS. But, I couldn't find any examples
| of samba using windows authentication without winbind.
|
| You're probably wondering what is going to happen after
| authentication and authorization without winbind to map users to
| UNIX UIDs. Me too. That's my follow-up question. I hope that samba
| can use the unqualified username (without the 'DOMAIN\' prefix)
| to find a match using the normal resolution so that we can just
| populate /etc/passwd. Think that will work? Actually, we intend to
| use "force user =", as in the past, so it really doesn't matter what
| happens with the UID mappings, but samba might not be that clever.
| It may insist on successfully resolving usernames before checking
| options like "force user".
If you have a mapping in the passwd(5) file between the username (without 'DOMAIN\' prefix) and a UID, things should work without needing "winbind" in nsswitch.conf; the user's password is checked against ADS and the passwd(5) entry is used to provide a UID.

If there is not a matching entry in passwd(5) for the ADS user, they will not be able to connect.

Cheers,
Luke.
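An added example (not from either message) of the setup Luke describes: smbd joined to ADS, no winbind in nsswitch.conf, and a local passwd(5) entry per ADS user so the bare username resolves to a UID. The realm, workgroup, share path and account names are placeholders.

```ini
# --- /etc/samba/smb.conf (fragment) ---
[global]
   security = ads
   realm = ADS.EXAMPLE.COM
   workgroup = EXAMPLE
   # No winbind here: smbd authenticates the user against ADS via
   # Kerberos, then resolves the unqualified username with the
   # ordinary NSS passwd lookup. Join once with:  net ads join -U <admin>

[project]
   path = /export/project
   read only = no
   # Every file operation runs as this local account, so the per-user
   # UID only has to exist; it never touches the share's files.
   force user = projshare

# --- /etc/nsswitch.conf (relevant line) ---
# passwd: files
#   "winbind" is deliberately absent; lookups go to /etc/passwd only.

# --- /etc/passwd (constructed entries) ---
# An ADS user with no matching line here is refused the connection,
# so each ADS account that should connect needs one. A non-login shell
# keeps the entry from doubling as a local interactive account.
# paul:x:10001:10001:Paul DeStefano (ADS):/home/paul:/bin/false
# projshare:x:10500:10500:project share owner:/export/project:/bin/false
```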