NT user authentication
Andrej Borsenkow
borsenkow.msk at sni.de
Thu Dec 3 14:15:00 GMT 1998
>
> Yes this is how it works. It is also how Samba 2.0 works
> also. Don't know about the HEAD branch as that has so
> widely diverged at the moment.
>
Mostly the same ... There is one thing that nags me. The following applies to
the 2.1 branch.

SAMBA as a member of NT poses a problem: what to do if a Unix user with the
same name as a domain user exists, but does not have an explicit NT->Unix
mapping. Luke writes that any user not explicitly mapped is assumed to be
local. This is _not_ how it currently works (and is a bit different anyway).

The possible ways to deal with such users can be:

1. automatically generate Unix account
   Quite suitable for a dedicated SAMBA server without interactive access.
   You simply plug it onto the NT domain and let it run.
2. reject these users (remember, they _are_ authenticated from PDC already)
   It may be quite reasonable for Unix admins wishing full control over who
   can connect to their box. Anything not allowed is prohibited ... The user
   may be presented with something like "local policy does not allow you to
   connect" (if at all possible). To connect, such users would need to
   specify the SAMBA domain and be authenticated with the local password
   database - again completely under control of the local admin.
3. connect with guest (or any fallback account)
   A mild version of 2, that provides for an anonymous file server for a
   large amount of users, while giving the Unix admin the same level of
   control. The only problem is, it may be a bit unexpected for users ...
4. connect with matching Unix user rights
   The worst case. It means that it is possible to simply create a matching
   NT account and access the SAMBA server as the Unix user. What is even
   worse, if there are trusted domains, then such a user can be created in
   _any_ trusted domain - it is a bit too much for me.

For any server that is not used exclusively for SAMBA I favour 2 and 3,
with an smb.conf option to control behaviour. Current SAMBA implements 4 -
sigh.
/andrej
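
Added example, not part of the original message and not Samba code: a small model of the four options above, showing which already-authenticated domain sessions end up running as an existing Unix account under each one. The policy names, domain names, accounts, the generated-account naming scheme and the refusal when option 4 finds no matching Unix user are all assumptions made for illustration.

```python
from enum import Enum

class Policy(Enum):
    """Hypothetical names for the four options listed in the post."""
    CREATE = 1      # auto-generate a Unix account
    REJECT = 2      # refuse unmapped domain users
    GUEST = 3       # fall back to the guest account
    NAME_MATCH = 4  # use the Unix account with the same name

# Constructed sample data, not taken from any real server.
LOCAL_DOMAIN = "SAMBASRV"                      # the server's own domain
UNIX_USERS = {"root", "alice", "guest"}        # local Unix accounts
EXPLICIT_MAP = {("CORP", "asmith"): "alice"}   # explicit NT->Unix mappings
SESSIONS = [("CORP", "asmith"), ("CORP", "alice"),
            ("TRUSTED2", "root"), ("CORP", "bob")]

def resolve(domain, user, policy):
    """Unix account for a session the named domain has already
    authenticated, or None if the connection is refused."""
    if domain == LOCAL_DOMAIN:
        # Checked against the local password database (assumed done).
        return user if user in UNIX_USERS else None
    mapped = EXPLICIT_MAP.get((domain, user))
    if mapped is not None:
        return mapped
    if policy is Policy.CREATE:
        # Fresh, domain-qualified account (naming scheme is an assumption).
        return f"{domain}_{user}".lower()
    if policy is Policy.REJECT:
        return None
    if policy is Policy.GUEST:
        return "guest"
    # NAME_MATCH: refusing when no such Unix user exists is an assumption.
    return user if user in UNIX_USERS else None

def name_collisions(sessions, policy):
    """Sessions in which an unmapped user from another domain ends up
    running as an existing, non-guest Unix account."""
    privileged = UNIX_USERS - {"guest"}
    return [(d, u) for d, u in sessions
            if d != LOCAL_DOMAIN and (d, u) not in EXPLICIT_MAP
            and resolve(d, u, policy) in privileged]

if __name__ == "__main__":
    for p in Policy:
        print(p.name, name_collisions(SESSIONS, p))
```

Only the name-matching option reports collisions for the sample sessions; an admin can run the same check over the real account list and mapping file to see which local names are exposed.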