smbpasswd doubt

Kevin Colby kevinc at grainsystems.com
Wed Aug 23 21:58:59 GMT 2000


When using security=domain, you (Samba) are a member of an NT domain.
The smbpasswd entries should then be superfluous, as all authentication
is passed up to the DCs.  You _will_, however, need a local Unix account
in order to provide UIDs for these users.

You will need "security=domain", "password server=XXX",
and "workgroup=YYY".  You will also need to join the domain
successfully.  I have used "smbpasswd -j YYY" in the past,
although TNG may require a different approach.  Note that
the machine account must exist _prior_ to attempting to join
the domain, so first create a machine account on your PDC.

	- Kevin Colby
	  kevinc at grainsystems.com


James B Curry wrote:
> 
> Gabriel Zicarelli wrote:
> >
> > Hi all,
> >
> > Even though I read all the documentation in the samba-tarball I still have
> > doubts about having to create the smbpasswd file.
> > I'm using 'security = domain' so if I'm not wrong all authentication goes
> > through the 'passwd server', and then a user's permission is either granted
> > or rejected.
> (Disclaimer:  I may or may not know what the *&!@ I'm talking about, but
> here goes...)
> 
> Yes, authentication goes through the domain server(s), which either
> provide-a-token-for or are-queried-by other network resources when a
> user requests access to those resources.  But I'm 99% certain that the
> smbpasswd file is still necessary on your Samba server if you are using
> encrypted passwords (which most people do.)
> 
> > So, as far as I can see the smbpasswd file just sits there to provide a
> > mechanism of mapping SMB user account into regular UNIX ones, which could be
> > fixed by means of 'users map' or 'valid users' directives.
> Do you mean 'username map'?  'username map' will map client login
> accounts to unix accounts.  If you do not use smbpasswd (which also
> means you are not using encrypted passwords), Samba will attempt to
> authenticate the client login against the unix accounts, and may need
> help to do so if they don't match precisely.
> And 'valid users' simply restricts access to the users listed.
> Otherwise, all users would be granted access.
> I don't know that these replace smbpasswd.  I don't think I'd classify
> the smbpasswd file as a mapping mechanism to unix accounts.  They seem
> to be two different animals, although they can be synchronized.
> 
> >
> > Well, here comes the question, is it correct what I've just written??? I
> > would like to be 100% sure, because reading the documentation has confused
> > me a bit more about this issue (I'm not complaining, honest).
> Hope I didn't add to the confusion.  The best resources I've had for
> Samba are "SAMS Teach Yourself Samba in 24 Hours" and O'Reilly's "Using
> Samba", and they help considerably.
> >
> > So if someone could give me a hand on this I'll be thankful.
> >
> > Thanks, Gabriel.
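
The checklist in the reply at the top of this message (security=domain, a password server, a workgroup, and a local Unix account for every domain user) can be checked mechanically. The script below is an added example, not part of the original post or of Samba; the server name PDC1, the domain EXAMPLEDOM and the users alice and bob are constructed, and it does not test the machine account or the domain join.

```python
import re

def norm(name):
    # Samba ignores case and whitespace in parameter names
    return re.sub(r"\s+", "", name).lower()

def parse_global(conf_text):
    """Return the [global] parameters of smb.conf text as a dict."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip()
    return params

def local_accounts(passwd_text):
    """User names from passwd-format text."""
    return {l.split(":", 1)[0] for l in passwd_text.splitlines() if ":" in l}

def check(conf_text, passwd_text, domain_users):
    """List what the post's checklist finds missing."""
    params, problems = parse_global(conf_text), []
    if params.get("security", "").lower() != "domain":
        problems.append("security is not set to domain")
    for name in ("password server", "workgroup"):
        if not params.get(norm(name)):
            problems.append(f"{name} is not set")
    have = local_accounts(passwd_text)
    for user in domain_users:
        if user not in have:
            problems.append(f"no local Unix account for {user}")
    return problems

# Constructed sample input (PDC1, EXAMPLEDOM, alice and bob are made up)
SAMPLE_CONF = """\
[global]
   security = domain
   Password Server = PDC1
   workgroup = EXAMPLEDOM
"""
SAMPLE_PASSWD = "alice:x:1001:1001::/home/alice:/bin/sh\n"

if __name__ == "__main__":
    for problem in check(SAMPLE_CONF, SAMPLE_PASSWD, ["alice", "bob"]):
        print("WARN:", problem)
```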



