[Samba] w2k, kerberos and folder redirection

Donald Saltarelli djs at uci.edu
Wed Sep 25 00:01:01 GMT 2002


Hello-

i have a difficult problem and need to solve it (hopefully) before next
week when classes start over here. i looked around the lists and
couldn't find anything similar to what we're doing. perhaps you can
help.

our plan in the school of engineering is to let users authenticate with
their uci.edu accounts to our school systems on solaris and win2k. we're
using pam_krb5 + nis and we're creating accounts with the same names in
nis and AD. in AD the accounts have the name mapping set up so that when
the user logs in to the win2k workstation, they get their domain
credentials for the AD domain account (hssoe.uci.edu). the password of
the win2k domain account is random and unknown to the user. (this is
like MIT)

we want to map the user's unix home dir to the U: drive on the win2k
workstations at logon and have samba authenticate off the AD PDC without
prompting them for their password. we'd also like to use Group Policy to
redirect their My Documents, Desktop and Application Data folders to
their home dir\$var (afaik, when redirected automatically via GPO,
there's no way for the system to prompt the user for a password). this
whole setup worked fine with 'security = server' when the kerberos
password and the AD password were the same.

well, we thought, maybe the samba server has to be a member of the
domain to understand the credentials the workstation is presenting when
trying to map \\sambaserver\%username%. so we added the samba server to
the domain, but that didn't help. 

the next possible solution was to set up samba with 'security = user',
'encrypt passwords = no' and enable clear-text passwords on the
workstations. that seems to still prompt the user for the password. 

how can we solve this? shouldn't the samba server in 'security = server'
or 'security = domain' be able to use the credentials obtained by the
workstation from the AD/PDC at logon? do we need something special in
the protocol level? what am i missing here?

thanks,

Donald Saltarelli
The Henry Samueli School of Engineering




