> From: "Rowland Penny" <rpenny at samba.org>
> To: samba at lists.samba.org
> Cc: "Daniele Bernazzi" <daniele at ao-siena.toscana.it>
> Sent: Wednesday, 24 May 2017 12:45:56
> Subject: Re: [Samba] samba 4 in AD 2008R2 without winbind
>
> On Wed, 24 May 2017 12:08:09 +0200 (CEST)
> Daniele Bernazzi <daniele at ao-siena.toscana.it> wrote:
>
> > Hi Rowland, I did a reply to the list (just to the list, not to all)
> > some hours ago, but I can't see it on the thread, so I am resending it
> > just to you:
> >
> > Thank you Rowland for your prompt reply. For what I read is possible
> > to use samba without winbind:
> > See:
> > https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html
> >
> > There is this note in that doc:
> > If winbindd is not running, smbd (which calls winbindd) will fall
> > back to using purely local information from /etc/passwd
> > and /etc/group and no dynamic mapping will be used. On an operating
> > system that has been enabled with the NSS, the resolution of user and
> > group information will be accomplished via NSS.
> >
> > I wish to restrict access just to users present in /etc/passwd.
> > With winbind I have to adopt some workarounds to meet the unix uid
> > with windows sid and I am trying to avoid it
> >
> > Daniele
>
> It sounds like you are trying to set up a standalone server, so see
> here:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Standalone_Server
>
> On this type of Samba server you need the users in /etc/passwd, but
> they still need to be Samba users. So you will need to create any users
> that you want to connect and ensure they have the same password as the
> windows user
>
> e.g. windows user 'fred' with the password 'password' will need to be
> created as the Unix user 'fred' with the password 'password' on the
> standalone server, you will then need to make the Unix user 'fred' a
> Samba user with the password 'password'
>
> If the windows user changes their password, then the Unix & Samba
> passwords will need to be changed.
>
> Whereas, a Unix Domain member, only has the username and password
> stored in one place, AD.
>
> Rowland

So far for standalone server, Rowland, but is not possible to authenticate (just authenticate) on active directory? This configuration is now working on another server with samba 3 ... access is allowed to users declared in /etc/passwd (these users do not have a unix password) and the client use transparently the password they supplied at login time. I am not able to reply this configuration in samba 4

thank you

On Wed, 24 May 2017 12:54:48 +0200 (CEST)
Daniele Bernazzi <daniele at ao-siena.toscana.it> wrote:

> So far for standalone server, Rowland, but is not possible to
> authenticate (just authenticate) on active directory? This
> configuration is now working on another server with samba 3 ...
> access is allowed to users declared in /etc/passwd (these users do
> not have a unix password) and the client use transparently the
> password they supplied at login time. I am not able to reply this
> configuration in samba 4

I cannot see how this will work, to authenticate to AD your computer would have to be joined to the domain, at which point your user would have to only be in AD. I am not saying it will not work, I just don't understand how it can.

Can you post the smb.conf from the Samba 3 machine ?

Rowland

It might work if you use winbind with the idmap_nss module. See here:

https://www.samba.org/samba/docs/man/manpages-3/idmap_nss.8.html

Or maybe this is deprecated?

Regards

Christian

On Wednesday, 24.05.2017, at 12:12 +0100, Rowland Penny via samba wrote:
> On Wed, 24 May 2017 12:54:48 +0200 (CEST)
> Daniele Bernazzi <daniele at ao-siena.toscana.it> wrote:
>
> > So far for standalone server, Rowland, but is not possible to
> > authenticate (just authenticate) on active directory? This
> > configuration is now working on another server with samba 3 ...
> > access is allowed to users declared in /etc/passwd (these users do
> > not have a unix password) and the client use transparently the
> > password they supplied at login time. I am not able to reply this
> > configuration in samba 4
>
> I cannot see how this will work, to authenticate to AD your computer
> would have to be joined to the domain, at which point your user would
> have to only be in AD. I am not saying it will not work, I just don't
> understand how it can.
>
> Can you post the smb.conf from the Samba 3 machine ?
>
> Rowland

--
Dr. Christian Naumer
Research Scientist
Platform Coordinator, Bioprocess Technology

B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.de, homepage www.brain-biotech.de
phone +49-6251-9331-30 / fax +49-6251-9331-11

Registered office: Zwingenberg/Bergstrasse
Court of registration: AG Darmstadt, HRB 24758
Management board: Dr. Juergen Eck (Chairman), Frank Goebel
Chairman of the supervisory board: Dr. Ludger Mueller

----- Original message -----
> From: "Rowland Penny" <rpenny at samba.org>
> To: samba at lists.samba.org
> Cc: "Daniele Bernazzi" <daniele at ao-siena.toscana.it>
> Sent: Wednesday, 24 May 2017 13:12:07
> Subject: Re: [Samba] samba 4 in AD 2008R2 without winbind
>
> On Wed, 24 May 2017 12:54:48 +0200 (CEST)
> Daniele Bernazzi <daniele at ao-siena.toscana.it> wrote:
>
> > So far for standalone server, Rowland, but is not possible to
> > authenticate (just authenticate) on active directory? This
> > configuration is now working on another server with samba 3 ...
> > access is allowed to users declared in /etc/passwd (these users do
> > not have a unix password) and the client use transparently the
> > password they supplied at login time. I am not able to reply this
> > configuration in samba 4
>
> I cannot see how this will work, to authenticate to AD your computer
> would have to be joined to the domain, at which point your user would
> have to only be in AD. I am not saying it will not work, I just don't
> understand how it can.
>
> Can you post the smb.conf from the Samba 3 machine ?
>
> Rowland

Samba servers (ver 3 or 4) and clients are all joined to domain.

Here's the global of smb.conf version 3:

[global]
        workgroup = CED
        realm = CED.AOS
        server string = file sharing server
        security = ADS
        allow trusted domains = No
        map to guest = Bad User
        obey pam restrictions = Yes
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        unix password sync = Yes
        log level = 1
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        load printers = No
        printcap name = /dev/null
        domain master = No
        dns proxy = No
        panic action = /usr/share/samba/panic-action %d
        idmap config * : range =
        idmap config * : backend = tdb
        printing = bsd
        print command = lpr -r -P'%p' %s
        lpq command = lpq -P'%p'
        lprm command = lprm -P'%p' %j

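Added example, not part of any message in this thread and not Samba project code: a small reviewer's check over the [global] section posted above. It reads the section using smb.conf's naming rules (case and whitespace in parameter names are ignored) and reports three settings that bear on the question of restricting access to /etc/passwd users: domain-member mode, an `idmap config` domain without a low-high range, and `map to guest = Bad User`. The function names and finding labels are made up for this example, and backslash line continuations are not handled.

```python
import re

# Constructed sample: a subset of the [global] section posted in this thread.
SAMPLE = """\
[global]
    workgroup = CED
    realm = CED.AOS
    security = ADS
    map to guest = Bad User
    idmap config * : range =
    idmap config * : backend = tdb
"""

def norm(name):
    # smb.conf ignores case and all whitespace in section and parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return {normalized parameter name: value} for the [global] section."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)     # only the first '=' separates
            params[norm(name)] = value.strip()
    return params

def review(params):
    """Return hypothetical finding labels for the settings discussed above."""
    findings = []
    if params.get("security", "").lower() == "ads":
        findings.append("domain-member")
    # Each domain named in an 'idmap config DOMAIN : option' line is checked
    # for a usable 'low - high' range value.
    prefix = "idmapconfig"
    domains = {k[len(prefix):].split(":")[0] for k in params if k.startswith(prefix)}
    for dom in sorted(domains):
        rng = params.get(f"{prefix}{dom}:range", "")
        if not re.fullmatch(r"\d+\s*-\s*\d+", rng):
            findings.append(f"idmap-range-missing:{dom}")
    # 'Bad User': a login naming a nonexistent user is treated as a guest login.
    if norm(params.get("maptoguest", "")) == "baduser":
        findings.append("unknown-users-become-guest")
    return findings

if __name__ == "__main__":
    for finding in review(parse_global(SAMPLE)):
        print(finding)
```
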
Why isn't anybody thinking about ldap?
Pam_ldap in special.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Christian Naumer via samba
> Sent: Wednesday, 24 May 2017 13:43
> To: Rowland Penny; samba at lists.samba.org
> CC: Daniele Bernazzi
> Subject: Re: [Samba] samba 4 in AD 2008R2 without winbind
>
> It might work if you use winbind with the idmap_nss module. See here:
>
> https://www.samba.org/samba/docs/man/manpages-3/idmap_nss.8.html
>
> Or maybe this is deprecated?
>
> Regards
>
> Christian
>
> On Wednesday, 24.05.2017, at 12:12 +0100, Rowland Penny via samba wrote:
> > On Wed, 24 May 2017 12:54:48 +0200 (CEST) Daniele Bernazzi
> > <daniele at ao-siena.toscana.it> wrote:
> >
> > > So far for standalone server, Rowland, but is not possible to
> > > authenticate (just authenticate) on active directory? This
> > > configuration is now working on another server with samba 3 ...
> > > access is allowed to users declared in /etc/passwd (these users do
> > > not have a unix password) and the client use transparently the
> > > password they supplied at login time. I am not able to reply this
> > > configuration in samba 4
> >
> > I cannot see how this will work, to authenticate to AD your computer
> > would have to be joined to the domain, at which point your user would
> > have to only be in AD. I am not saying it will not work, I just don't
> > understand how it can.
> >
> > Can you post the smb.conf from the Samba 3 machine ?
> >
> > Rowland
>
> --
> Dr. Christian Naumer
> Research Scientist
> Platform Coordinator, Bioprocess Technology
>
> B.R.A.I.N Aktiengesellschaft
> Darmstaedter Str. 34-36, D-64673 Zwingenberg
> e-mail cn at brain-biotech.de, homepage www.brain-biotech.de
> phone +49-6251-9331-30 / fax +49-6251-9331-11
>
> Registered office: Zwingenberg/Bergstrasse
> Court of registration: AG Darmstadt, HRB 24758
> Management board: Dr. Juergen Eck (Chairman), Frank Goebel
> Chairman of the supervisory board: Dr. Ludger Mueller