[Samba] Re: Accessing Samba Shares with AD usernames

Lars Wiberg lw at c.dk
Thu Sep 11 08:22:30 GMT 2003

To follow up on this, I have been studying the documentation more
intensively yesterday evening, and have concluded that the current release
of Samba cannot do what I am trying to achieve.

What I forgot to mention yesterday was that there are to be no unix accounts
on the Samba server, meaning the only user administration involved is from
the Active Directory (AD), but after doing a more thorough studying of the
documentation, this paragraph came up:

"In the course of development of Samba-3, a number of requests were received
to provide the ability to migrate MS Windows NT4 SAM accounts to Samba-3
without the need to provide matching UNIX/Linux accounts. We called this the
Non UNIX Accounts (NUA) capability. The intent was that an administrator
could decide to use the tdbsam backend and by simply specifying passdb
backend = tdbsam_nua this would allow Samba-3 to implement a solution that
did not use UNIX accounts per se. Late in the development cycle, the team
doing this work hit upon some obstacles that prevents this solution from
being used. Given the delays with Samba-3 release a decision was made to NOT
deliver this functionality until a better method of recognising NT Group
SIDs from NT User SIDs could be found. This feature may thus return during
the life cycle for the Samba-3 series."

If I understand that paragraph correctly, it is currently not possible to
authenticate users on a Samba server solely from an Active Directory. The
only possible way is to create unix accounts on the Samba server - which
means more user administration.

Thank you all, for your input.

Can anybody from the Samba team tell me how far into the horizon I have to
look for this feature? From the documentation, it seems to me that a lot of
work has gone into this already.

Lars Wiberg

"Lars Wiberg" <lw at c.dk> wrote in a message
news:bjn10s$jp8$1 at sea.gmane.org...
> I'm sorry if this post came through already ...
> Hi,
> I'm working on a project where the plan is to place a number of Samba
> servers on different locations as file and print servers. The samba server
> is supposed to be a part of the AD, which is easily done, but the samba
> servers are to contain a number of shares that only people with a valid
> logon on the AD will be able to access.
> How can this be achieved? Do I have to promote each Samba server to become a
> Domain Controller and create a trust between the DC and the Samba DC? I'm
> hoping there is a way to make Samba check the login on the DC and based on
> that give access to the share.
> I hope I am being clear enough.
> In short: An AD user wishes to access a Samba share, but needs to be
> authenticated somehow.
> I hope you can help me out.
> -- 
> Lars Wiberg