[Samba] w2k, kerberos and folder redirection

Andrew Bartlett abartlet at samba.org
Wed Sep 25 00:11:00 GMT 2002


Donald Saltarelli wrote:
> 
> Hello-
> 
> i have a difficult problem and need to solve it (hopefully) before next
> week when classes start over here. i looked around the lists and
> couldn't find anything similar to what we're doing. perhaps you can
> help.
> 
> our plan in the school of engineering is to let users authenticate with
> their uci.edu accounts to our school systems on solaris and win2k. we're
> using pam_krb5 + nis and we're creating accounts with the same names in
> nis and AD. in AD the accounts have the name mapping setup so that when
> the user logs in to the win2k workstation, they get their domain
> credentials for the AD domain account (hssoe.uci.edu). the password of
> the win2k domain account is random and unknown to the user. (this is
> like MIT)
> 
> we want to map the user's unix home dir to the U: drive on the win2k
> workstations at logon and have samba authenticate off the AD PDC without
> prompting them for their password. we'd also like to use Group Policy to
> redirect their My Documents, Desktop and Application Data folders to
> their home dir\$var (afaik, when redirected automatically via GPO,
> there's no way for the system to prompt the user for a password). this
> whole setup worked fine with 'security = server' when the kerberos
> password and the AD password were the same.
> 
> well, we thought, maybe the samba server has to be a member of the
> domain to understand the credentials the workstation is presenting when
> trying to map \\sambaserver\%username%. so we added the samba server to
> the domain, but that didn't help.

If you were not doing anything too silly, this is all you should
need to do. Join the samba server to the domain, and let it check the
incoming encrypted passwords with the Win2k DC. 

> the next possible solution was to setup samba with 'security = user',
> 'encrypt passwords = no' and enable clear-text passwords on the
> workstations. that seems to still prompt the user for the password.
> 
> how can we solve this? shouldn't the samba server in 'security = server'
> or 'security = domain' be able to use the credentials obtained by the
> workstation from the AD/PDC at logon? do we need something special in
> the protocol level? what am i missing here?

If the game is AD, and kerberos integration, then I suggest you grab
Samba 3.0, and work from there.  On login, do the users have a valid
kerberos ticket - preferably to the AD domain?  

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
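
Added example, not part of the original message and not the Samba project's own configuration: an smb.conf sketch of the two setups discussed in this thread, domain membership with the DC checking encrypted passwords, and the Samba 3.0 Kerberos route. The workgroup name HSSOE, the `password server = *` setting, the [homes] share and the placeholder names in the join commands are assumptions; the realm is taken from the AD domain named in the question.

```ini
# Constructed example; adjust names to the real site before use.
# smb.conf has no trailing comments, so every note sits on its own line.

[global]
    # Option A (Samba 2.2): domain member. The DC validates the
    # challenge/response the workstation sends from its logon session,
    # so the user is not asked for a password.
    # Assumed NetBIOS name of the hssoe.uci.edu domain:
    workgroup = HSSOE
    security = domain
    # "*" lets Samba locate a DC itself (assumption; a DC name also works).
    password server = *
    # security = domain expects encrypted passwords; the
    # "encrypt passwords = no" attempt from the thread cannot work here.
    encrypt passwords = yes
    # Join once, as a domain admin (placeholder names):
    #   smbpasswd -j HSSOE -r <DC-NAME> -U <admin-user>

    # Option B (Samba 3.0): AD member that accepts Kerberos tickets.
    # Replace "security = domain" above with the two lines below.
    ; security = ads
    ; realm = HSSOE.UCI.EDU
    # Join once (placeholder name):
    #   net ads join -U <admin-user>

[homes]
    # Maps \\sambaserver\%username% to the user's unix home directory,
    # the target of the U: drive and the redirected folders.
    browseable = no
    read only = no
```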
