Windsor Dave L. (AdP/MOE2.12)
2007-Sep-19 19:54 UTC
[Samba] Problem after joining Windows domain: Will Samba support "fallback" to local domain for authentication of local users?
Will Samba support "fallback" to local domain for authentication of local users?

I joined a RHEL4 server running Samba 3.0.10-1.4E.11 to a Windows 2000/2003 mixed-mode domain today using "security = domain", after having run for many months in "security = user" mode. Authentication works fine for users defined in the Windows domain, but we have a few users (mainly on manufacturing equipment) who are not in the domain, and are defined in /etc/passwd and an old-fashioned smbpasswd file only. When mapping drives (these are old W2K clients), these users must now use "<servername>\<username>" for their username, or the server will try to authenticate to the domain and get a NT_STATUS_NO_SUCH_USER error.

I seem to recall that an old server we used to have that ran Samba 2.2.x in "security = domain" mode would try to authenticate against the domain first, then fall back to the smbpasswd file if that failed, so authentication of locally defined users was transparent.

Is there a way to make Samba3 "fall back" to the smbpasswd file if the user is not in the Windows domain? I've experimented a bit with passdb backend, but I haven't seen any difference. Of course, I can just go to all the production equipment and remap the drives, but there are quite a few of them, and I'm trying to avoid the downtime.

Thanks for any advice!

Best Regards,

Dave Windsor
Robert Bosch LLC
Team Leader, Test Systems Engineering: Hybrid ECU/TCU (AdP/MOE2.1)
4421 Highway 81 North
Anderson, SC 29621 USA
www.bosch.us
Tel: 1 (864) 260-8459
Fax: 1 (864) 260-8142
Dave.Windsor@us.bosch.com
Felipe Augusto van de Wiel
2007-Sep-20 15:58 UTC
[Samba] Problem after joining Windows domain: Will Samba support "fallback" to local domain for authentication of local users?
Windsor Dave L. (AdP/MOE2.12) wrote, On 19-09-2007 16:45:

> Will Samba support "fallback" to local domain for authentication of
> local users?
>
> I joined a RHEL4 server running Samba 3.0.10-1.4E.11 to a Windows
> 2000/2003 mixed-mode domain today using "security = domain", after
> having run for many months in "security = user" mode. Authentication
> works fine for users defined in the Windows domain, but we have a few
> users (mainly on manufacturing equipment) who are not in the domain, and
> are defined in /etc/passwd and an old-fashioned smbpasswd file only.
> When mapping drives (these are old W2K clients), these users must now
> use "<servername>\<username>" for their username, or the server will try
> to authenticate to the domain and get a NT_STATUS_NO_SUCH_USER error.

You can join the machine to the domain, use 'security = user' and use winbind to authenticate all your users locally. Because you can use winbind to have users via NSS, both your users from DOMAIN and from passwd/shadow will then be available. :-)

Probably you'll need some magic to auto-add them to the local backend, but it seems more like what you want.

> I seem to recall that an old server we used to have that ran Samba 2.2.x
> in "security = domain" mode would try to authenticate against the domain
> first, then fall back to the smbpasswd file if that failed, so
> authentication of locally defined users was transparent.
>
> Is there a way to make Samba3 "fall back" to the smbpasswd file if the
> user is not in the Windows domain? I've experimented a bit with passdb
> backend, but I haven't seen any difference. Of course, I can just go to
> all the production equipment and remap the drives, but there are quite a
> few of them, and I'm trying to avoid the downtime.

"security = server" is deprecated but it might do something similar to what you want. Anyway, you should check the Account Information chapter to get more detail on how to use the "security" parameter and how other parameters must be tweaked according to your choice.

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html

And because of the encryption and other options, I'm not sure about the best way to configure the fallback idea.

Good luck.

Kind regards,

--
Felipe Augusto van de Wiel <felipe@paranacidade.org.br>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/
Phone: (+55 41 3350 3300)