[Samba] DOMAIN level security with smbpasswd???

Mitchell, Andy Andy.Mitchell at delta.com
Tue May 6 13:35:42 GMT 2003

If you have set a WINS server, the following security setup should give you your 'ideal' scenario: NT domain authentication to a PDC with the ability to use a username map for cross-platform account name mapping. Mapping to a generic (guest) account will happen automatically if you do not use 'guest ok = yes' (that may be the default, I don't know - we don't allow it).

        security          = DOMAIN
        password server   = *
        encrypt passwords = yes

Make sure your Samba server has been joined to the domain as a machine account.

I don't know the answer to the first part (why an additional password file is used). I was never sure why the standard library routines like getpwent(), etc. weren't used. I'm sure there's a good reason.

Hope that helps.

Cheers - Andy

-----Original Message-----
From: Jeremy Nix [mailto:Jeremy.Nix at sfsltd.com]
Sent: Tuesday, May 06, 2003 9:24 AM
To: samba at lists.samba.org
Subject: [Samba] DOMAIN level security with smbpasswd???

I'm a bit confused on several points of the security infrastructure of
Samba.  First, and simplest, why (and is it necessary) do we need to
keep a smbpasswd file when the Linux/Unix passwd file could suffice?
I like the idea of mapping particular users to a given UNIX account via
the username map option, but I see no reason in specifying a separate
password file for these same UNIX users.

Secondly, and more to the point, why (again, and is it necessary) do we
need this smbpasswd file if we are authenticating against a domain?

Ideally, I'd like to be able to authenticate against the NT domain, and
then map users to particular accounts.  Users who are not mapped to a
given account will be mapped to a generic guest account with security
tightened and access limited if even available.

Jeremy Nix
Senior Application Developer
Southwest Financial Ltd.
Jeremy.Nix at sfsltd.com
(513) 621-6699 ext 1158
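
An added example, not part of either message and not Samba's own code: a small Python check that an smb.conf matches the domain-security setup described in the reply above (security = DOMAIN, a password server, encrypted passwords, a username map) and lists any section with guest access turned on. The sample configuration, its share names and the username map path are constructed assumptions.

```python
import re
# Constructed sample smb.conf (share names and paths are illustrative assumptions).
SAMPLE_CONF = """\
[global]
    security          = DOMAIN
    password server   = *
    encrypt passwords = yes
    username map      = /etc/samba/smbusers
[projects]
    guest ok = no
[scratch]
    Public = Yes
"""

TRUE = {"yes", "true", "1"}

def norm(name):  # smb.conf ignores case and whitespace in parameter names
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if m := re.fullmatch(r"\[(.+)\]", line):
            current = sections.setdefault(m.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[norm(key)] = value.strip()
    return sections

def audit(text):
    conf = parse_smb_conf(text)
    g, findings = conf.get("global", {}), []
    if g.get("security", "").lower() != "domain":
        findings.append("global: security is not DOMAIN")
    if g.get("encryptpasswords", "").lower() not in TRUE:
        findings.append("global: encrypt passwords not explicitly enabled")
    for key, label in (("passwordserver", "password server"), ("usernamemap", "username map")):
        if not g.get(key):
            findings.append(f"global: no {label} set")
    for name, params in conf.items():
        guest = params.get("guestok", params.get("public", "no"))  # 'public' is a synonym
        if guest.lower() in TRUE:
            findings.append(f"{name}: guest access enabled")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

The check only reads the file; whether the server has actually been joined to the domain as a machine account still has to be confirmed on the host.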
