Linux ADS authentication in AD environment
John H Terpstra
jht at samba.org
Tue Feb 24 03:54:02 GMT 2004
On Mon, 23 Feb 2004, Anderson, Brandie wrote:
> I am a subscriber to this list and have probably just missed this.
> Someone on our campus wants to put up a Samba 3 server for Linux ADS
> integration - I have some issues, but not many. One of my subordinates
> sent this as a reason we should deny the request and I am not sure he is
> completely up on everything y'all are doing. Could you tell me if he is
Samba-3 integrates well into ADS as an AD Domain Member server. You run
winbind on the Samba member server. Winbind creates the necessary mappings
from ADS Account SIDs to UNIX UID/GID pairs.
Samba does NOT need to create account entries in /etc/passwd and
You do NOT use smb_pam to do any of the access handling.
I recommend reference to the Samba-HOWTO-Collection.pdf available from
Refer to chapters 7 and 21.
The Samba-HOWTO-Collection.pdf is also available from Amazon.Com as "The
Official Samba-3 HOWTO and Reference Guide".
Additionally, in my new book, "Samba-3 by Example" an entire chapter is
dedicated to the process of adding Domain Member clients and servers with
full step-by-step explanation of every configuration requirement.
> "This is possible to do yet not advisable. It requires extensive
> management and due to the methods of implementing this it is very taxing
> on the system itself. We have found it to be an issue when smbbrowsing
> occurs. If you're not familiar with smb_acls you run the risk of
> automatically creating up to 80K user objects in /etc/password
> /etc/groups /etc/shadow. Everyone who has the ability to send an smb
> request to the server is able to "Browse" and with the way the smb_pam
> works it will create a local account."
> Many thanks,
> Brandie Anderson, MCSE, CAN
> Information Security Officer
John H Terpstra
Email: jht at samba.org
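As an added example (not code from this post, and not the Samba project's own), the following script shows the domain-member setup Terpstra describes: smb.conf with security = ADS, winbind mapping ADS SIDs to UID/GID pairs, NSS pointed at winbind, and a check that a domain user resolves through getent while /etc/passwd stays untouched. The workgroup EXAMPLE, realm EXAMPLE.COM, the rid idmap backend, the ID ranges and the winbind service name are assumptions; the idmap syntax is the current idmap config form (Samba 3.0 in 2004 used idmap uid / idmap gid).

```shell
#!/bin/sh
# Added example, not from the samba-technical post: a Samba AD domain member
# where winbind maps ADS SIDs to UID/GID pairs and nothing is ever written to
# /etc/passwd. Assumed: workgroup EXAMPLE, realm EXAMPLE.COM, the 'rid' idmap
# backend and the ranges below. Modern 'idmap config' syntax; Samba 3.0 used
# 'idmap uid = 10000-19999' / 'idmap gid = 10000-19999'.

# Render an smb.conf [global] section for an AD domain member.
# $1 = short domain (workgroup), $2 = Kerberos realm.
render_smb_conf() {
    cat <<EOF
[global]
    workgroup = $1
    realm = $2
    security = ADS
    kerberos method = secrets and keytab
    # SIDs from other domains (BUILTIN etc.) get IDs from a local tdb.
    idmap config * : backend = tdb
    idmap config * : range = 10000-19999
    # Deterministic UID/GID derived from the RID for the joined domain: every
    # member server computes the same IDs, no local account files involved.
    idmap config $1 : backend = rid
    idmap config $1 : range = 20000-999999
    winbind use default domain = yes
    # Enumeration off: walking tens of thousands of objects on each
    # 'getent passwd' is what makes winbind expensive; logon never needs it.
    winbind enum users = no
    winbind enum groups = no
    template shell = /bin/bash
    template homedir = /home/%D/%U
EOF
}

# NSS must consult winbind, otherwise getent and PAM never see domain users.
# Returns 0 when both the passwd: and group: lines of the given nsswitch.conf
# list winbind, 1 otherwise.
nsswitch_uses_winbind() {
    grep -Eq '^[[:space:]]*passwd:[^#]*winbind' "$1" &&
    grep -Eq '^[[:space:]]*group:[^#]*winbind' "$1"
}

# Returns 0 if user $2 has a local entry in passwd file $1.
local_account_exists() {
    grep -q "^$2:" "$1"
}

# Join the domain and prove the mapping: the domain user resolves through
# NSS/winbind while /etc/passwd is untouched. Needs the real Samba tools and
# root; only runs when the script is invoked with 'join'.
join_and_verify() {
    domain=$1; realm=$2; user=$3
    render_smb_conf "$domain" "$realm" > /etc/samba/smb.conf
    testparm -s >/dev/null
    nsswitch_uses_winbind /etc/nsswitch.conf ||
        { echo "add 'winbind' to passwd: and group: in /etc/nsswitch.conf" >&2; return 1; }
    net ads join -U Administrator
    systemctl restart winbind            # service name varies by distribution
    wbinfo -t                            # machine trust account works
    sid=$(wbinfo -n "$user" | cut -d' ' -f1)
    uid=$(wbinfo -S "$sid")              # SID -> UID, computed by idmap, not stored
    echo "$user -> $sid -> uid $uid"
    getent passwd "$user"                # resolved via NSS/winbind
    if local_account_exists /etc/passwd "$user"; then
        echo "unexpected local account for $user" >&2
        return 1
    fi
    echo "no entry for $user in /etc/passwd, as expected"
}

if [ "${1:-}" = join ]; then
    join_and_verify "${2:-EXAMPLE}" "${3:-EXAMPLE.COM}" "$4"
fi
```

Run it as `sh member.sh join EXAMPLE EXAMPLE.COM someuser` on the member server. The rid backend is what makes the "no local accounts" property cheap: the UID is arithmetic on the RID, so there is nothing to allocate or persist per user, and the same user gets the same UID on every member configured this way.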