[Samba] question about ADS sync

Matt mpayton at hunterdonhealth.com
Mon Nov 3 22:51:08 GMT 2003


>
> Hi,
>
> I have a question about Samba's capability. I couldn't find answer from
> web searches so want to try it here.
>
> We use samba as file server in a mixed mode w2k active directory domain.
> The problem is that each time a user changes his/her windows password,
> admins have to update samba password manually. We want to avoid this, and
> want Samba to automatically sync the user password with the directory
> server.
>
> I checked winbind, but it seems to give all domain users access to the
> samba server. We would like to limit the samba account to only a few
> selected windows users. We want them to deal only with the windows account
> without having to ask admins to update the smbpasswd.
>
> From web searches, there's no clear picture of what the possibilities
> are.
> It appears if I use 'encrypt passwords' option, I have to keep a local
> copy of smbpasswd, and automatic sync is impossible. (We don't want to use
> plaintext passwords.)
>
> My question is, does anyone know a way to let Samba do automatic sync with
> windows passwords?
>

Another alternative...
- set up as security = domain.
- Then add the samba machine to your domain/AD via smbpasswd ( or net if
using 3.x )...This creates a machine account in AD for your machine.

- Next...You still need Unix accounts on the box that match your NT/2000
logins...The username has to match, not the password.  Or you can use
entries in username map option.  Set up as needed.

- Use file permissions and Unix groups to control access to resources, just
like always.

- Configure shares to grant access based on Unix login/group membership as
before.

This way, there's no need for an smbpasswd file.  As long as the user
authenticates against the domain, Samba will grant access ( based on share
config/file permissions).  It never looks for a password, just if the user
is authenticated to the domain, and if the user should be granted access
to the resource.
This works in 2.2.x as well as 3.x

AFAIK, winbind is more for not needing to manually create the Unix users
in the first place.  Well, that's a generalized statement...There's more
to winbind than that....

But it does sound like security = domain is what you need....Works here.


-- 
- Matt -
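As an added illustration (not part of Matt's reply or the original question), the configuration the steps above describe could look like the following. The domain name EXAMPLE, the share name and path, and the user and group names are assumptions chosen for the example; only the parameter names are Samba's own.

```ini
# /etc/samba/smb.conf -- illustrative only; EXAMPLE, share paths and names are assumptions
[global]
   workgroup = EXAMPLE
   ; authenticate against the domain controllers, not a local smbpasswd file
   security = domain
   ; let Samba discover the DCs for the workgroup instead of hard-coding one
   password server = *
   ; still use NTLM on the wire; the DC, not Samba, verifies the hash
   encrypt passwords = yes
   ; translate Windows logins to the Unix account names that exist on this box
   username map = /etc/samba/smbusers

[finance]
   path = /srv/samba/finance
   ; only members of the Unix group "finance" (after username mapping) are admitted;
   ; every other authenticated domain user is refused this share
   valid users = @finance
   writable = yes
   create mask = 0660
   directory mask = 2770
```

The username map file referenced above holds one mapping per line in the form `jsmith = EXAMPLE\john.smith` (Unix account on the left, Windows login on the right); the Unix account must already exist, which `getent passwd jsmith` will confirm. After joining the machine to the domain (`smbpasswd -j` on 2.2.x, `net rpc join` on 3.x), the machine trust password lives in Samba's secrets.tdb, so no entry for any human user is needed in smbpasswd. Because `valid users` names a Unix group, the selected Windows users are admitted simply by adding their mapped Unix accounts to that group, and file-system permissions on the share path still apply on top of it.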


