Greg Chavez
2004-Nov-17 20:48 UTC
[Samba] winbind: authenticating UNIX user before Win Domain user
We have a samba 3.0.7 server on RHEL-3 (rain) joined as a domain
member (security = domain) to a win2k pdc (clouds) for the domain DOM.
We have several unix users and two Win-only users. The unix users
have matching AD accounts on the win2k, but the Win-only users do not
have unix accounts (and we want to keep it that way). So, it seemed
that winbind would be the best way to bridge the gap:
1. UNIX users could access shares on the samba server in the same way
whether logged on to windows workstation or the samba server itself
2. Files created on the shares would be controlled via permissions
for UNIX users and groups.
3. Win users would not need to have UNIX accounts created, but could
access the samba shares as easily as the UNIX users.
4. Home directories and profiles will be pulled from the samba server.
It works well except that winbind does not authenticate the UNIX users
as expected when they logon from Windows. For example: from Windows
workstation, I log on as "gchavez". There is a UNIX user on the samba
server "gchavez" which I expect winbind to authenticate against when I
try to access the samba shares. This does not happen. Instead,
winbind authenticates against the win2k server with my Win account,
DOM+gchavez, and things don't work (although it does manage to map my
home directory correctly).
Consequently, I come in with Windows group permissions (DOM+Domain
Users) and cannot access the shares protected with UNIX group
permissions. I am trying to keep this message short, but these
command line vitals should tell the rest of the story.
shell> testparm -sv
[global]
workgroup = DOM
security = DOMAIN
passdb backend = tdbsam
username map = /etc/samba/smbusers
log level = 2
client use spnego = No
preferred master = No
local master = No
domain master = No
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = +
valid users = +users, "DOM+Domain Users"
force group = +users
read only = No
create mask = 0660
directory mask = 01770
[homes]
comment = "DOM Home Directories"
path = /usera/home/%U/winhome
create mask = 0600
directory mask = 0740
browseable = No
[docs]
comment = "Product Documentation - full access"
path = /usera/docs
[programs]
comment = "Shared Programs - full access"
path = /usera/programs
[backups]
comment = "Backups"
path = /usera/backups
[projects]
comment = "Project Files - full access"
path = /usera/projects
[proj_psc]
comment = "PSC Project - restricted"
path = /usera/projects/psc
valid users = +psc
force group = +psc
shell> getent passwd | grep gchavez
gchavez:x:503:503:Greg Chavez:/home/gchavez:/bin/bash
DOM+gchavez:x:10007:10000:Greg Chavez:/home/OSDS/gchavez:/bin/false
*** this happens when I try to access my homes share from windows, the
shares are chmod'd with full permission so I can get in ***
shell> tail /var/log/samba/smb.log
[2004/11/17 15:09:12, 2] auth/auth.c:check_ntlm_password(305)
check_ntlm_password: authentication for user [gchavez] -> [gchavez]
-> [DOM+gchavez] succeeded
[2004/11/17 15:09:14, 2] smbd/uid.c:change_to_user(202)
change_to_user: SMB user (unix user nobody, vuid 101) not permitted
access to share IPC$.
[2004/11/17 15:09:14, 0] smbd/service.c:make_connection_snum(570)
Can't become connected user!
[2004/11/17 15:09:14, 1] smbd/service.c:make_connection_snum(648)
sunfish (xx.93.106.16) connect to service gchavez initially as user
DOM+gchavez (uid=10007, gid=10000) (pid 3312)
# net groupmap list | grep users
Domain Users (S-1-5-21-1316288518-2476102628-626236970-513) -> users
# grep winbind /etc/nsswitch.conf
passwd: files winbind
group: files winbind
Thanks
--Greg Chavez
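After the post above, as an added example that is not part of the thread or of Samba itself: a small Python script that reads the kind of `getent passwd` output and smbd log lines Greg posted (reproduced here as constructed samples) and reports the identity collision at the root of the problem, namely that the client authenticated as the local user gchavez (uid 503) but smbd became the winbind twin DOM+gchavez (uid 10007), so the UNIX group permissions on the shares never apply to the session. The separator value, the sample lines and the function names are assumptions made for this example.

```python
"""Spot local/winbind identity collisions behind a Samba share-permission failure.

Added example, not code from the original thread or from the Samba project.
It parses getent-passwd style output plus smbd log lines (log level 2 format
as shown in the post) and reports users who exist both as a local UNIX
account and as a winbind-mapped "DOM+user" account with a different uid.
"""
import re

WINBIND_SEPARATOR = "+"  # matches "winbind separator = +" in the posted smb.conf

# Constructed sample: the two getent lines from the post plus one local-only
# user and one domain-only user, so the checks have negatives to skip.
SAMPLE_PASSWD = """\
gchavez:x:503:503:Greg Chavez:/home/gchavez:/bin/bash
DOM+gchavez:x:10007:10000:Greg Chavez:/home/OSDS/gchavez:/bin/false
jsmith:x:504:504:J Smith:/home/jsmith:/bin/bash
DOM+wonly:x:10008:10000:Win Only:/home/OSDS/wonly:/bin/false
"""

# Constructed sample log lines in the smbd 3.0.x format quoted in the post
# (each message joined onto one line; the archive wrapped them).
SAMPLE_LOG = """\
[2004/11/17 15:09:12, 2] auth/auth.c:check_ntlm_password(305)
check_ntlm_password: authentication for user [gchavez] -> [gchavez] -> [DOM+gchavez] succeeded
[2004/11/17 15:09:14, 1] smbd/service.c:make_connection_snum(648)
sunfish (xx.93.106.16) connect to service gchavez initially as user DOM+gchavez (uid=10007, gid=10000) (pid 3312)
"""

AUTH_RE = re.compile(
    r"authentication for user \[([^\]]+)\] -> \[([^\]]+)\] -> \[([^\]]+)\] succeeded")
CONNECT_RE = re.compile(
    r"connect to service (\S+) initially as user (\S+) \(uid=(\d+), gid=(\d+)\)")


def parse_passwd(text):
    """Return {name: (uid, gid)} from getent-passwd style lines."""
    users = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        users[fields[0]] = (int(fields[2]), int(fields[3]))
    return users


def split_domain(name, sep=WINBIND_SEPARATOR):
    """'DOM+gchavez' -> ('DOM', 'gchavez'); 'gchavez' -> (None, 'gchavez')."""
    if sep in name:
        dom, _, user = name.partition(sep)
        return dom, user
    return None, name


def find_collisions(users, sep=WINBIND_SEPARATOR):
    """Local accounts that also appear as a winbind 'DOM+user' with another uid."""
    collisions = {}
    for name, (uid, _gid) in users.items():
        dom, bare = split_domain(name, sep)
        if dom is None:
            continue  # a plain local account, nothing to compare yet
        local = users.get(bare)
        if local is not None and local[0] != uid:
            collisions[bare] = {"local_uid": local[0],
                                "domain_name": name, "domain_uid": uid}
    return collisions


def audit_log(log_text, users, sep=WINBIND_SEPARATOR):
    """Flag sessions where the client asked for a local user but smbd
    ended up running as a different uid through the winbind twin."""
    findings = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            requested, _mapped, final = m.groups()
            local = users.get(requested)
            final_uid = users.get(final, (None, None))[0]
            if local and final != requested and final_uid != local[0]:
                findings.append(f"auth: client user {requested!r} (uid {local[0]}) "
                                f"became {final!r} (uid {final_uid})")
            continue
        m = CONNECT_RE.search(line)
        if m:
            service, as_user, uid, _gid = m.groups()
            dom, bare = split_domain(as_user, sep)
            local = users.get(bare)
            if dom and local and local[0] != int(uid):
                findings.append(f"connect: share {service!r} opened as {as_user!r} "
                                f"uid {uid}, but local {bare!r} is uid {local[0]}")
    return findings


if __name__ == "__main__":
    db = parse_passwd(SAMPLE_PASSWD)
    for user, info in find_collisions(db).items():
        print(f"collision: {user} local uid {info['local_uid']} vs "
              f"{info['domain_name']} uid {info['domain_uid']}")
    for finding in audit_log(SAMPLE_LOG, db):
        print(finding)
```

On a real server, feed it `getent passwd` and `/var/log/samba/smb.log` instead of the embedded samples; a non-empty collision list is the condition under which "valid users = +users" style UNIX-group restrictions cannot work for domain logons, because the session uid is the winbind-allocated one, not the local account's.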
Luke Mewburn
2004-Nov-18 06:54 UTC
[Samba] winbind: authenticating UNIX user before Win Domain user
On Wed, Nov 17, 2004 at 03:48:06PM -0500, Greg Chavez wrote:
| We have a samba 3.0.7 server on RHEL-3 (rain) joined as a domain
| member (security = domain) to a win2k pdc (clouds) for the domain DOM.
| We have several unix users and two Win-only users. The unix users
| have matching AD accounts on the win2k, but the Win-only users do not
| have unix accounts (and we want to keep it that way). So, it seemed
| that winbind would be the best way to bridge the gap:
|
| 1. UNIX users could access shares on the samba server in the same way
| whether logged on to windows workstation or the samba server itself
| 2. Files created on the shares would be controlled via permissions
| for UNIX users and groups.
| 3. Win users would not need to have UNIX accounts created, but could
| access the samba shares as easily as the UNIX users.
| 4. Home directories and profiles will be pulled from the samba server.
|
| It works well except that winbind does not authenticate the UNIX users
| as expected when they logon from Windows.

I have the same requirement; except samba can't currently do this.
See:
    http://lists.samba.org/archive/samba/2004-October/094981.html

I implemented a "trim default domain" option and provided a patch in:
    http://www.dragoninc.on.ca/mail-archives/samba-technical/2004-10/0342.html
(I would suggest the "canonical" mailing list URL
    http://lists.samba.org/archive/samba-technical/2004-October/037813.html
except the mailing list archive software there borked the message.)

The rest of the thread on samba-technical has more details.

Cheers,
Luke.