Kyle Manel
2016-Aug-24 20:04 UTC
[Samba] Configuration of smb.conf for Active Directory authentication
I've been working through a guide documenting how to do this at https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member and am presently deciphering what needs I have in my winbind configuration.

In doing so, I've come across the 'passdb backend = ldapsam' option and am curious if I can use this, and if it is wise, identifying that key exchange is complex and a vulnerability at times, but it does provide no local storage of pw either, which may be a greater vulnerability.

Any insight into this, or if this passdb option even works as I believe it to would be valuable to me,

Kyle
Rowland Penny
2016-Aug-24 21:09 UTC
[Samba] Configuration of smb.conf for Active Directory authentication
On Wed, 24 Aug 2016 20:04:24 +0000 Kyle Manel via samba <samba at lists.samba.org> wrote:

> I've been working through a guide documenting how to do this at
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
> and am presently deciphering what needs I have in my winbind
> configuration. In doing so, I've come across the 'passdb backend =
> ldapsam' option and am curious if I can use this, and if it is wise,
> identifying that key exchange is complex and a vulnerability at
> times, but it does provide no local storage of pw either, which may
> be a greater vulnerability.
>
> Any insight into this, or if this passdb option even works as I
> believe it to would be valuable to me, Kyle

No it wouldn't, 'ldapsam' is meant to be used with an ldap based system, like a standalone server or an NT4-style PDC.

Just follow the instructions on the wiki page you have referred to and if you do not understand anything, just ask.

Basically it boils down to, do you have access to the AD DC and is the DC 2008R2 or earlier. If you have access and it isn't a 2012 server, you can add IDMU and then add RFC2307 attributes with the Unix Attributes tab in ADUC. You can then use the winbind 'ad' backend.

If you don't have access, or don't want to do the above, use the winbind 'rid' backend.

Rowland
Michael A Weber
2016-Aug-24 21:21 UTC
[Samba] Configuration of smb.conf for Active Directory authentication
Kyle—

Keep it simple and follow the guide you linked, and Rowland’s rid recommendation, and you’ll be set.

Mike

> On Aug 24, 2016, at 3:04 PM, Kyle Manel via samba <samba at lists.samba.org> wrote:
>
> I've been working through a guide documenting how to do this at https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member and am presently deciphering what needs I have in my winbind configuration.
> In doing so, I've come across the 'passdb backend = ldapsam' option and am curious if I can use this, and if it is wise, identifying that key exchange is complex and a vulnerability at times, but it does provide no local storage of pw either, which may be a greater vulnerability.
>
> Any insight into this, or if this passdb option even works as I believe it to would be valuable to me,
> Kyle
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Kyle Manel
2016-Aug-26 15:11 UTC
[Samba] Configuration of smb.conf for Active Directory authentication
I've completed the configuration specified, and the command 'wbinfo -g' provides a list of the groups available and 'wbinfo -u' provides a list of all the users on the system, but I cannot access the shares; When I navigate a file explorer to \\ip.ad.dre.ss I am presented with a login screen, which I cannot log into with my ID; 'The user name or password is incorrect'

I suspect an issue with my idmap configuration:

[global]
    netbios name = FILESERVER-001
    security = ADS
    workgroup = SUBDOMAIN
    realm = SUBDOMAIN.DOMAIN.COM
    log file = /var/log/samba/%m.log
    log level = 1
    idmap config CORP: backend = ad
    idmap config CORP: schema_mode = rfc2307
    idmap config CORP: range = 1000-9999999999
    idmap uid = 50-9999999999
    idmap gid = 50-9999999999
    winbind nss info = rfc2307
    allow dns updates = nonsecure

[public]
    path = /srv/samba/share
    available = yes
    read only = no
    browsable = yes
    public = yes
    guest ok = yes
    writable = yes

Regards,
Kyle

-----Original Message-----
From: Michael A Weber [mailto:mweber.subscriptions01 at gmail.com]
Sent: Wednesday, August 24, 2016 5:21 PM
To: Kyle Manel <Kyle.Manel at inbaytech.com>
Cc: samba at lists.samba.org
Subject: Re: [Samba] Configuration of smb.conf for Active Directory authentication

Kyle—

Keep it simple and follow the guide you linked, and Rowland’s rid recommendation, and you’ll be set.

Mike

> On Aug 24, 2016, at 3:04 PM, Kyle Manel via samba <samba at lists.samba.org> wrote:
>
> I've been working through a guide documenting how to do this at https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member and am presently deciphering what needs I have in my winbind configuration.
> In doing so, I've come across the 'passdb backend = ldapsam' option and am curious if I can use this, and if it is wise, identifying that key exchange is complex and a vulnerability at times, but it does provide no local storage of pw either, which may be a greater vulnerability.
>
> Any insight into this, or if this passdb option even works as I
> believe it to would be valuable to me, Kyle
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
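
Added example, not written by anyone in this thread: a small Python lint for the idmap lines of the [global] section posted above. It checks that each `idmap config` domain name matches `workgroup`, that a default (`*`) range exists, and that no ID ranges overlap, treating the deprecated `idmap uid` / `idmap gid` parameters as the default domain's range. The `REVISED` text is a constructed comparison using the 'rid' backend mentioned earlier in the thread; its ranges are assumptions, not values from the thread.

```python
import re

# [global] lines copied from Kyle's post above.
POSTED = """\
workgroup = SUBDOMAIN
idmap config CORP: backend = ad
idmap config CORP: schema_mode = rfc2307
idmap config CORP: range = 1000-9999999999
idmap uid = 50-9999999999
idmap gid = 50-9999999999
"""
# Constructed comparison (assumption): rid backend, ranges invented here.
REVISED = """\
workgroup = SUBDOMAIN
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SUBDOMAIN : backend = rid
idmap config SUBDOMAIN : range = 10000-999999
"""
IDMAP = re.compile(r"idmap config (\S+?) ?: ?(\S+)$")

def parse(text):
    """Return (workgroup, {domain: {option: value}}) for smb.conf lines."""
    workgroup, domains = None, {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        key, value = " ".join(key.split()).lower(), value.strip()
        m = IDMAP.match(key)
        if key == "workgroup":
            workgroup = value.upper()
        elif key in ("idmap uid", "idmap gid"):
            # Deprecated spelling of the default domain's range.
            domains.setdefault("*", {})["range"] = value
        elif sep and m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2)] = value
    return workgroup, domains

def lint(text):
    """Return a list of findings; an empty list means the checks passed."""
    workgroup, domains = parse(text)
    out = [f"idmap config {d}: name differs from workgroup {workgroup}"
           for d in domains if d not in ("*", workgroup)]
    if "*" not in domains:
        out.append("no default (*) idmap range")
    spans = sorted((tuple(map(int, o["range"].split("-"))), d)
                   for d, o in domains.items() if "range" in o)
    for ((_, hi), a), ((lo, _), b) in zip(spans, spans[1:]):
        if lo <= hi:  # next range starts inside the previous one
            out.append(f"id ranges of {a} and {b} overlap")
    return out

if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("revised", REVISED)):
        print(name, lint(conf) or "ok")
```

Samba's own `testparm` validates parameter syntax; this lint only cross-checks the idmap lines against each other and against `workgroup`.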