No subject


Tue Dec 2 02:23:37 GMT 2003


samba server and have to install clear text registry patches.  It's just 
two little items for the home user to deal with but even two little items 
like that can be kind of confusing for a lot of people and as I say I've 
currently got them spoiled.

By the way, the other nice thing about pam_smb is that people will always 
have the option of FTPing in with their NTdomain userid and password and 
have access to all their files that way no matter where they are or how 
the machine they are using is configured.  I set up pam_smb Monday 
morning and it was so easy as to be unbelievable.  I had no trouble 
whatsoever even though I was doing it on Solaris 5.8 and the pam_smb 
documentation only claims to work with Solaris 2.6.

Thanks for reading.

Tom Schaefer
Unix Administrator
University of Missouri St. Louis

From: "Michels, Gustavo [EES/BR]" <gustavo.michels at emersonenergy.com>
To: samba-ntdom at lists.samba.org
Subject: RE: Share level access with domain security?
Date: Thu, 9 Aug 2001 18:06:31 +0100 

Thomas,

I'll be honest, I didn't read it to the end :), but as I was reading I
thought your solution might be using winbind to authenticate your users
using the NT DC. 

This way, you won't need to maintain any user databases in the unix machine.

Hope that helps.

Cheers
Gustavo

-----Original Message-----
From: Thomas R. Schaefer [mailto:schaefer at tomcat.umsl.edu] 
Sent: Thursday, August 9, 2001 13:55
To: samba-ntdom at lists.samba.org
Subject: Share level access with domain security?


First off, a BIG THANK YOU!! to all the Samba developers.  I work at the
University of Missouri St. Louis and we've been making extensive use 
of Samba since about October and have even bigger and better plans for it 
yet.

I have only one question and then a bunch of background information on 
why I ask just in case you're in the mood to read.

My one and only question is:

Does anyone know a way to set up samba with share level security, use an 
NT domain controller for authentication, and not have to install a clear 
text registry patch on the client? The passed sharename should serve as 
the username, prompt for the password, and authenticate to PDC.  

I can come very close to this goal by using pam_smb and compiling samba 
with pam support.  It works but it necessitates clear text passwords 
between the client and samba server meaning registry patches on the 
clients.  I'm going to have to settle for it though unless one of you all 
can come up with something I haven't thought of or am not aware of.

Why I ask:

We are going to be setting up a Samba server with domain security and 
eventually all of our 1000+ Windows desktop machines used by faculty and 
staff are going to be mapping at least one network drive off it.  The 
desktop machines will log into an NT domain (with an actual NT box as the 
domain controller) and a logon script on the domain controller will map a 
drive for them off the Samba server.

That's all fine and dandy, I've worked that out and done some testing, no 
problems, it's quite simple really, wonderful!!  Thanks again Samba 
developers.

The rub comes in that the Samba servers I've got set up currently are 
using share level security with a /usr/local/samba/private/smbpasswd file 
to allow for encryption and to prevent the need for the clear text 
registry patches.  The really nice thing about it, and something the head 
of our IT department absolutely loves, is that this setup makes it a very 
simple matter to use our Samba server even when the users are at home 
dialed in on a modem connection.  It doesn't matter that a home user's 
Win 9x box doesn't have our NT domain configured as their workgroup or 
that they don't log into Windows at home with their on campus 
NTdomain userid.  It just doesn't matter because all these people 
are accessing is their home directories on the UNIX box so at home they 
just specify \\server\sharename and the samba server uses the sharename 
as the userid, (username = %S) prompts for the password and BINGO they're 
in, no muss no fuss no matter what goofy workgroup and userid they are 
actually using on that home system.

Like I say though now we are going to big time with a new Samba server 
that every machine on campus will eventually connect to and use domain 
security.  The problem is I've got my current users spoiled, particularly 
my boss's boss (getting the picture?) with share level security and the 
super easy access from home that as far as I can tell I'm not going to be 
able to duplicate with domain security since with domain security the 
share name isn't passed until AFTER a successful authentication.

I'm definitely going to go with domain security in our big campus wide 
move to Samba because the advantages are many for usage on campus which 
it primarily will be used for but it sucks that now home users are going 
to have to reconfigure their PCs with our domain as the workgroup, 
delete their .pwl files and login to Windows with their on campus NT 
userid.  At least NT users from home won't have to do any reconfiguring 
but they will have to learn to "Connect As:" (why oh why doesn't Win 9x 
give a Connect As option) \\NTDOMAIN\userid

Yeah I know it's quite simple really for us IT people but I'm supporting 
hundreds of just plain ordinary folks, lots of secretaries and the like 
for whom any sort of reconfiguring of the home PC is no simple matter.

IDEALLY home users would be able to continue using the new Samba server 
with domain security the same as they do now with share security and not 
have to reconfigure their machines.  I don't see how that's possible 
though, (somebody please correct me if I'm wrong)

Like I say though, unless any of you all has a better idea, what I'll 
probably end up with is running two samba servers or a "hybrid" Samba 
server with two netbios names, one for domain authentication on campus 
and one with share level authentication for usage from home, encrypt 
passwords = no on the share level samba server and have it using pam_smb. 
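
The "hybrid" layout described in the last paragraph of the message above, sketched as smb.conf fragments. This is an added example, not configuration posted by anyone in the thread; the NetBIOS names, workgroup, domain controller name and include file names are placeholders, and it assumes Samba was built with PAM support and that pam_smb is configured separately in the PAM stack.

```ini
; --- /usr/local/samba/lib/smb.conf (constructed example) ---
[global]
    workgroup = NTDOMAIN              ; placeholder domain name
    netbios name = CAMPUS             ; placeholder: name used by on-campus clients
    netbios aliases = HOMEUSE         ; placeholder: second name for home users
    ; %L expands to the NetBIOS name the client connected to, so each
    ; name loads its own settings. The file names below must match
    ; whatever %L expands to on your build.
    include = /usr/local/samba/lib/smb.conf.%L

; --- /usr/local/samba/lib/smb.conf.campus ---
; On-campus name: authentication is handed to the NT domain controller
; and passwords are never sent in clear text.
[global]
    security = domain
    password server = NTPDC           ; placeholder domain controller
    encrypt passwords = yes

; --- /usr/local/samba/lib/smb.conf.homeuse ---
; Home-user name: share level security, share name taken as the userid.
[global]
    security = share
    ; Weak setting: the password crosses the link in clear text so that
    ; PAM (pam_smb) can check it against the domain controller. Every
    ; client needs the clear text registry patch for this to work.
    encrypt passwords = no

[homes]
    username = %S                     ; share name is used as the userid
    only user = yes                   ; accept only the names in "username"
    browseable = no
    writable = yes
```

The existing share level servers in the thread avoid the registry patch by pairing `security = share` with `encrypt passwords = yes` and a local smbpasswd file; the clear text requirement appears only once the password has to be forwarded through pam_smb.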

