domain authentication with nt

Dan Christopherson danch at str.com
Mon Jul 5 17:09:22 GMT 1999



Jason Brooks wrote:
> 
> Hello.
> 
> I would like my samba server to pass all authentication requests to another
> NT PDC.  I think I have this but I need to verify something: I think if the
> pdc returns authorization ok, connection is allowed to the samba server.  If
> the pdc is down, or denies authentication, the samba server then checks the
> smbpasswd file.  What I am unclear on is ensuring there doesn't need to be
> an entry in the smbpasswd file or the local passwd file in order to
> authenticate (assuming the NT server would authenticate of course).  Can
> this be explicitly configured?
The short answer is: you don't need smbpasswd, you'll be hurtin' if you
don't have /etc/passwd entries, but there are a couple of workarounds
for the latter.

Now the long answer (bear in mind that there is always someone out there
who knows this better than I):
When you use encrypted passwords to authenticate against a PDC, samba
_cannot_ _authenticate_ against the local (*nix) passwd database. It
does need to look up the user's pw entry to get their (unix) UID and
their (unix) groups, so that it knows who to become for file operations
(so that the unix security is enforced), and so that it can map a home
directory.

I have no smbpasswd file on my file servers, so it definitely isn't
necessary.

If the user isn't found in the local passwd file (or NIS, if that's what
you use), samba will map that user to the 'guest' user (happens to be
nobody on my solaris 2.6 boxen). In this case, the user won't be able to
see a home directory, of course. This may be affected by the 'guest ok'
parameter for the shares, but I can't recall at this point (I've got all
my users with matching names in the two databases now). The hurtin' part
of the map to guest bit is that you need to have any file that any of these
users needs to be accessible by the guest user, which is something I
really don't like from a security standpoint (can't separate groups,
everything can be read by anyone who manages to set up an smb session -
make sure you set up your 'hosts allow' parameter if nothing else).

There is also the 'add user script' global option that you can use to
add users on the fly, if necessary. This may be more to your liking: at
least this way you wouldn't need to explicitly add matching users in
both user databases.

> 
> Next thought:  I have managed to get mod_auth_pam for apache functioning (I
> think) and pam_smb to function: for example, I modified my linux login
> process to authenticate with the NT server instead of with the onboard
> passwd file.  The problem seems to be that I must have an entry in the
> smbpasswd file in order to be allowed access once authentication is granted
> from the nt server.  
I'm using mod_auth_samba for much the same purpose. But I haven't
configured pam_smb (mod_auth_samba requires its presence). This doesn't
require the existence of an smbpasswd file, since I point it explicitly
at my (NT) PDC.
With pam_smb, how do logins (shell processes, etc.) find the user's home
directory? 

> This is my testing so far.  eventually, I need to be
> able to authenticate customers from my apache server via smb vice the
> current system (mysql).  Plus, When it does fail, I can't seem to determine
> if the nt server refuses me or there is some handling error.  any
> suggestions?
As to the first, you can specify different authentication schemes for
different realms in apache, so as long as you want your customers and
staff to access different directory trees, you should be able to
configure it right.
As for the second, I'm authenticating through a different path than you,
but am also somewhat annoyed by the lack of logging of just what went on.


I hope that helped
danch
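[Added example, not part of the original post and not Samba's own code: a
minimal 'add user script' of the kind described above, for the case where
the PDC says yes but the box has no matching passwd entry. The smb.conf
fragment in the header comment, the server/workgroup names, the 'smbusers'
group, the /sbin/nologin path and the script's install path are all
assumptions. The point worth seeing in code is that smbd hands this script
a username that originated on the network, so the script validates the
name before it reaches useradd, and creates the account with no password
and no login shell so that the PDC, not the unix box, stays the authority
on who may log in.]

```shell
#!/bin/sh
# smb-adduser: "add user script" for smbd (example; not from the original post).
#
# Assumed smb.conf [global] fragment it pairs with (names/paths hypothetical):
#
#   security = domain
#   workgroup = MYDOM
#   password server = NTPDC1
#   encrypt passwords = yes
#   hosts allow = 192.168.1.
#   add user script = /usr/local/sbin/smb-adduser %u
#
# smbd runs this as root with the name the PDC just authenticated (%u).
# DRY_RUN=1 makes create_account print the useradd command instead of
# running it, so the script can be exercised without root.

# validate_name NAME -> 0 if NAME is a safe, conventional unix account name
validate_name() {
    name=$1
    case $name in
        # empty, any character outside [a-z0-9_-], or a first character
        # that is not a lowercase letter/underscore (blocks "-flag", "../x")
        ''|*[!a-z0-9_-]*|[!a-z_]*) return 1 ;;
    esac
    [ ${#name} -le 32 ] || return 1
    # never let a PDC account name land on a system account
    case $name in root|bin|daemon|sys|nobody) return 1 ;; esac
    return 0
}

# create_account NAME -> creates the unix account if it does not exist yet.
# Returns 1 (and touches nothing) when the name fails validation.
create_account() {
    name=$1
    validate_name "$name" || {
        echo "smb-adduser: refusing account name '$name'" >&2
        return 1
    }
    if getent passwd "$name" >/dev/null 2>&1; then
        return 0    # already present; smbd can look up the UID now
    fi
    # -m home dir (so [homes] works), dedicated group, no login shell,
    # no password: interactive logins must still go through pam_smb/PDC.
    set -- useradd -m -g smbusers -s /sbin/nologin -c "NT domain user" "$name"
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# When invoked by smbd: exactly one argument, the username.
if [ $# -eq 1 ]; then
    create_account "$1"
fi
```

Usage: install as /usr/local/sbin/smb-adduser, mode 0700, owned by root,
and point 'add user script' at it. Because the script only ever creates
accounts, a name the PDC rejects never reaches it, and a name it rejects
simply leaves the user mapped to guest as before.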

