Linux ADS authentication in AD environment

John H Terpstra jht at samba.org
Tue Feb 24 03:54:02 GMT 2004


On Mon, 23 Feb 2004, Anderson, Brandie wrote:

> Hi,
>
> I am a subscriber to this list and have probably just missed this.
> Someone on our campus wants to put up a Samba 3 server for Linux ADS
> integration - I have some issues, but not many. One of my subordinates
> sent this as a reason we should deny the request and I am not sure he is
> completely up on everything y'all are doing. Could you tell me if he is
> correct?

Samba-3 integrates well into ADS as an AD Domain Member server. You run
winbind on the Samba member server. Winbind creates the necessary mappings
from ADS Account SIDs to UNIX UID/GID pairs.

Samba does NOT need to create account entries in /etc/passwd and
/etc/group.

You do NOT use smb_pam to do any of the access handling.

I recommend reference to the Samba-HOWTO-Collection.pdf available from
http://www.samba.org/docs/Samba-HOWTO-Collection.pdf

Refer to chapters 7 and 21.

The Samba-HOWTO-Collection.pdf is also available from Amazon.Com as "The
Official Samba-3 HOWTO and Reference Guide".


Additionally, in my new book, "Samba-3 by Example" an entire chapter is
dedicated to the process of adding Domain Member clients and servers with
full step-by-step explanation of every configuration requirement.

Cheers,
John T.

>
> "This is possible to do yet not advisable. It requires extensive
> management and due to the methods of implementing this it is very taxing
> on the system itself. We have found it to be an issue when SMB browsing
> occurs. If you're not familiar with smb_acls you run the risk of
> automatically creating up to 80K user objects in /etc/password
> /etc/groups /etc/shadow. Everyone who has the ability to send an smb
> request to the server is able to "Browse" and with the way the smb_pam
> works it will create a local account."
>
>
>
> Many thanks,
>
> Brandie Anderson, MCSE, CAN
>
> Information Security Officer
>

-- 
John H Terpstra
Email: jht at samba.org
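As an added illustration (not part of this thread or of Samba's own documentation), this is the shape of the Samba-3 ADS domain member configuration John describes, followed by the checks that show winbind serving domain accounts without creating entries in /etc/passwd. CAMPUS, EXAMPLE.CAMPUS.EDU and jdoe are placeholder names.

```ini
; Added example, not from the post: minimal Samba-3 AD domain member smb.conf.
; CAMPUS / EXAMPLE.CAMPUS.EDU are placeholders; /etc/krb5.conf must name the same realm.
[global]
    workgroup = CAMPUS
    realm = EXAMPLE.CAMPUS.EDU
    security = ads                    ; authenticate users against the AD domain controllers
    encrypt passwords = yes
    ; winbind allocates a UID/GID for each AD SID on demand and keeps the mapping
    ; in its own database; nothing is written to /etc/passwd, /etc/group or /etc/shadow
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind use default domain = yes  ; users appear as "jdoe" rather than "CAMPUS\jdoe"
    winbind enum users = yes          ; lets getent passwd enumerate domain users
    winbind enum groups = yes
    template shell = /bin/false       ; no interactive shell unless pam_winbind logins are intended
    template homedir = /home/%D/%U

; /etc/nsswitch.conf: resolve accounts from local files first, then winbind.
; passwd: files winbind
; group:  files winbind

; Join and verify (as root, with winbindd running):
;   net ads join -U Administrator
;   wbinfo -t                  ; machine trust secret with the DC is valid
;   wbinfo -u                  ; domain users as winbind sees them
;   getent passwd jdoe         ; resolves via NSS with a UID from the idmap range
;   grep -c '^jdoe:' /etc/passwd   ; prints 0: no local account was created
```

Login authentication for those users, where wanted, goes through pam_winbind in the PAM stack; it likewise does not create local accounts.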

