[Samba] Re: Accessing Samba Shares with AD usernames

John H Terpstra jht at samba.org
Thu Sep 11 16:59:41 GMT 2003

On Thu, 11 Sep 2003, Lars Wiberg wrote:

> To follow up on this, I have been studying the documentation more
> intensively yesterday evening, and have concluded that the current release
> of Samba cannot do what I am trying to achieve.
> What I forgot to mention yesterday, was that there is to be no unix accounts
> on the Samba server, meaning the only user administration involved is from
> the Active Directory (AD), but after doing a more thorough studying of the
> documentation, this paragraph came up:

That's what I understood from your request.

> "In the course of development of Samba-3, a number of requests were received
> to provide the ability to migrate MS Windows NT4 SAM accounts to Samba-3
> without the need to provide matching UNIX/Linux accounts. We called this the
> Non UNIX Accounts (NUA) capability. The intent was that an administrator
> could decide to use the tdbsam backend and by simply specifying passdb
> backend = tdbsam_nua this would allow Samba-3 to implement a solution that
> did not use UNIX accounts per se. Late in the development cycle, the team
> doing this work hit upon some obstacles that prevents this solution from
> being used. Given the delays with Samba-3 release a decision was made to NOT
> deliver this functionality until a better method of recognising NT Group
> SIDs from NT User SIDs could be found. This feature may thus return during
> the life cycle for the Samba-3 series."
> If I understand that paragraph correctly, it is currently not possible to
> authenticate users on a Samba server solely from an Active Directory. The
> only possible way is to create unix accounts on the Samba server - which
> means more user administration.

No. You are confused it seems.

The paragraph you quoted is in respect of Samba being a domain controller
or a stand-alone server - NOT - as a domain member.

You need to make your Samba server a domain member. If you have Active
Directory, you need to configure for "security = ads" as discussed in the
"Domain Membership" chapter of the HOWTO.

When a machine is a domain member, you do NOT need any local /etc/passwd
accounts. Instead, you can use winbind to provide locally mapped users and
groups - all from Active Directory.

Your questions regarding access to shares is simply answered:
	1. You CAN set AD User and Group ACLs on Shares
	2. You can control file system permissions from an
		administratively enabled Windows login using
		Windows Explorer.
	3. You can set additional access restrictions that use
		AD Users and Groups in the share specification
	4. If your UNIX file system has support for POSIX ACLs
		you can from a Windows NT/2Kx/XP Windows
		Explorer set ACLs on files and directories.

So what have we written that is confusing or not clear to you?
Please help us to correct the documentation before Samba-3 ships.

> Thank you all, for your input.
> Can anybody from the Samba team tell me how far into the horizon I have to
> look for this feature? From the documentation, it seems to me that a lot of
> work has gone into this already.

What is missing that you need?

Either you want Samba as a Domain Controller with non-UNIX account or you
don't? Which is it? IF you are running Active Directory then the paragraph
you have quoted is  not relevant to you.

IF you want to set ACLs (Access Control Lists) on shares, folders
(directories) or files and the chapter I referred you to is not clear
please help us to get the documentation cleaned up. What suggestions do
you have that would help you and others to find the answers they are
looking for? I am totally lost, what must I do to fix this?

- John T.
John H Terpstra
Email: jht at samba.org

More information about the samba mailing list