[Samba] Re: Accessing Samba Shares with AD usernames

Lars Wiberg lw at c.dk
Fri Sep 12 11:13:10 GMT 2003

Yet another update - I'm learning :-) I hope you will take the time to read

Please forgive the confusion / my ignorance. I haven't been using Samba
since 1998. Taking the time to read the documentation (which has exploded in
size since my last taste of Samba) chapter by chapter really helps a lot.
With the excellent input from John and Tom, I have come to understand that
Winbind seems to be the solution I am looking for.

To further describe the project I'm working on (which I find very exciting),
I will give a (brief?) project description here:

The actual case I am working on involves something in the area of 130
locations. A Samba server for each location is what we are considering. The
demand is that there is a transparent integration between Linux and an
Active Directory on a Windows 2000 Server, making the added Samba server
'invisible' to the user. The Samba server must not require extra user
accounts, no extra administration - in other words, no extra chores for me
as an administrator of the network once they have been set up. The Samba
server is to function as a fileserver with user shares and common shares for
the location. Access to these shares must be centralised, avoiding per
server administration. Even the smallest degree of maintenance and
administration on each server will obviously render many extra work hours.

The core concern for me is user maintenance and administration, but this
seems to be solved with Winbind since it can tap into the AD to get user
credentials from there. That eliminates maintenance of more userbases, and
that takes a great load off.

All usernames in the AD are created in this format: locationprefix.username
(example: ags.hdj) and are all on the same domain: xxx.yyy.local ... Will
this be a problem? Will the username delimited with a '.' be considered
invalid by Winbind or Samba? This may be irrelevant since we are not talking
about Unix accounts anymore, but nonetheless, I would like to know if
Samba makes any kind of checks before it passes anything on to Winbind. If
this doesn't make any sense, don't worry, I will of course test it.

All users are arranged in Global Security Groups (GSG) in the format
GRP<locationprefix>USER (example: GRPAGSUSER). I would like to give each
user access to their own home share, and the whole group access to the
common share using the GSG. This will involve some scripting to automate
that process.

Am I missing some angles here, or can you follow me in what I am trying to

I am going to tinker with Samba-3 at home this weekend, and hopefully
Winbind as well to gain more knowledge and be able to ask even more
qualified questions in the following week :-)

So far, thank you for all your input. This is a large project, and if I can
make this plan work, I appreciate all the help you guys will give me.

John Terpstra: About the documentation, I will read more into it and give
you some input about whether or not it is confusing. My first posts were the
result of a: "Can this be done, find out and let me know in a couple of
hours!" from my boss, after which I bolted to the Samba-3 documentation and
skimmed it very rapidly, with a poor result.

Have a great weekend everybody.

Lars Wiberg

