No subject
Tue Dec 2 02:23:37 GMT 2003
samba server and have to install clear text registry patches. It's just
two little items for the home user to deal with but even two little items
like that can be kind of confusing for a lot of people and as I say I've
currently got them spoiled.
By the way, the other nice thing about pam_smb is that people will always
have the option of FTPing in with their NTdomain userid and password and
have access to all their files that way no matter where they are or how
the machine they are using is configured. I set up pam_smb Monday
morning and it was so easy as to be unbelievable. I had no trouble
whatsoever even though I was doing it on Solaris 5.8 and the pam_smb
documentation only claims to work with Solaris 2.6.
Thanks for reading.
Tom Schaefer
Unix Administrator
University of Missouri St. Louis
From: "Michels, Gustavo [EES/BR]" <gustavo.michels at emersonenergy.com>
To: samba-ntdom at lists.samba.org
Subject: RE: Share level access with domain security?
Date: Thu, 9 Aug 2001 18:06:31 +0100
Thomas,
I'll be honest, I didn't read it to the end :), but as I was reading I
thought your solution might be using winbind to authenticate your users
using the NT DC.
This way, you won't need to maintain any user databases in the unix machine.
Hope that helps.
Cheers
Gustavo
-----Original Message-----
From: Thomas R. Schaefer [mailto:schaefer at tomcat.umsl.edu]
Sent: Thursday, August 9, 2001 13:55
To: samba-ntdom at lists.samba.org
Subject: Share level access with domain security?
First off, a BIG THANK YOU!! to all the Samba developers. I work at the
University of Missouri St. Louis and we've been making extensive use
of Samba since about October and have even bigger and better plans for it
yet.
I have only one question and then a bunch of background information on
why I ask just in case you're in the mood to read.
My one and only question is:
Does anyone know a way to set up samba with share level security, use an
NT domain controller for authentication, and not have to install a clear
text registry patch on the client? The passed sharename should serve as
the username, prompt for the password, and authenticate to PDC.
I can come very close to this goal by using pam_smb and compiling samba
with pam support. It works but it necessitates clear text passwords
between the client and samba server meaning registry patches on the
clients. I'm going to have to settle for it though unless one of you all
can come up with something I haven't thought of or am not aware of.
Why I ask:
We are going to be setting up a Samba server with domain security and
eventually all of our 1000+ Windows desktop machines used by faculty and
staff are going to be mapping at least one network drive off it. The
desktop machines will log into an NT domain (with an actual NT box as the
domain controller) and a logon script on the domain controller will map a
drive for them off the Samba server.
That's all fine and dandy, I've worked that out and done some testing, no
problems, it's quite simple really, wonderful!! Thanks again Samba
developers.
The rub comes in that the Samba servers I've got set up currently are
using share level security with a /usr/local/samba/private/smbpasswd file
to allow for encryption and to prevent the need for the clear text
registry patches. The really nice thing about it, and something the head
of our IT department absolutely loves, is that this setup makes it a very
simple matter to use our Samba server even when the users are at home
dialed in on a modem connection. It doesn't matter that a home user's
Win 9x box doesn't have our NT domain configured as their workgroup or
that they don't log into Windows at home with their on campus
NTdomain userid. It just doesn't matter because all these people
are accessing is their home directories on the UNIX box so at home they
just specify \\server\sharename and the samba server uses the sharename
as the userid, (username = %S) prompts for the password and BINGO they're
in, no muss no fuss no matter what goofy workgroup and userid they are
actually using on that home system.
Like I say though now we are going to big time with a new Samba server
that every machine on campus will eventually connect to and use domain
security. The problem is I've got my current users spoiled, particularly
my boss's boss (getting the picture?) with share level security and the
super easy access from home that as far as I can tell I'm not going to be
able to duplicate with domain security since with domain security the
share name isn't passed until AFTER a successful authentication.
I'm definitely going to go with domain security in our big campus wide
move to Samba because the advantages are many for usage on campus which
it primarily will be used for but it sucks that now home users are going
to have to reconfigure their PCs with our domain as the workgroup,
delete their .pwl files and login to Windows with their on campus NT
userid. At least NT users from home won't have to do any reconfiguring
but they will have to learn to "Connect As:" (why oh why doesn't Win 9x
give a Connect As option) \\NTDOMAIN\userid
Yeah I know it's quite simple really for us IT people but I'm supporting
hundreds of just plain ordinary folks, lots of secretaries and the like
for whom any sort of reconfiguring of the home PC is no simple matter.
IDEALLY home users would be able to continue using the new Samba server
with domain security the same as they do now with share security and not
have to reconfigure their machines. I don't see how that's possible
though (somebody please correct me if I'm wrong).
Like I say though, unless any of you all has a better idea, what I'll
probably end up with is running two samba servers or a "hybrid" Samba
server with two netbios names, one for domain authentication on campus
and one with share level authentication for usage from home, encrypt
passwords = no on the share level samba server and have it using pam_smb.
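
The "hybrid" server described at the end of the quoted post, laid out as smb.conf files. This is an added example, not configuration from either poster; the NetBIOS names CAMPUSFS and HOMEFS, the PDC-PLACEHOLDER host name and the file paths are assumptions.

```ini
; ---- /usr/local/samba/lib/smb.conf (path assumed) ----
[global]
   ; one smbd answers to two NetBIOS names (both names are constructed)
   netbios name = CAMPUSFS
   netbios aliases = HOMEFS
   workgroup = NTDOMAIN
   ; %L expands to the NetBIOS name the client connected to, so each
   ; name gets its own settings; the file name must match what %L
   ; expands to on your build (check the case)
   include = /usr/local/samba/lib/smb.conf.%L

; ---- /usr/local/samba/lib/smb.conf.campusfs : on-campus personality ----
[global]
   ; users authenticate to the NT domain controller before any share
   ; name is sent, with encrypted passwords
   security = domain
   password server = PDC-PLACEHOLDER
   encrypt passwords = yes

[homes]
   browseable = no
   writable = yes

; ---- /usr/local/samba/lib/smb.conf.homefs : from-home personality ----
[global]
   ; share-level security: the requested share name is tried as the user
   security = share
   ; cleartext passwords are required here so that a PAM-enabled smbd
   ; can hand the password to pam_smb, which checks it against the PDC
   encrypt passwords = no

[homes]
   ; \\HOMEFS\userid -> the share name doubles as the username
   username = %S
   browseable = no
   writable = yes
```

Clients of the HOMEFS personality still need the clear text registry patch, and their domain passwords cross the connection unencrypted, which is the trade-off the post accepts for access from home.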