[Samba] Machine trust account confusion
JB
jbarton at technicalworks.net
Tue Apr 20 16:14:28 GMT 2004
I have looked for an answer to this in many locations, but I am still
confused about the use of machine trust accounts. It was my
understanding, backed by a Samba book, that in order for someone in a
domain to access a resource, they must have a valid account on the
domain AND be using a machine that has a trust account set up on the
Samba PDC. However, my experience and another Samba book say that they
only need a valid user account to use the resources.

The result is that I have a Samba PDC set up with a single workstation
that authenticates users off the PDC and everyone has proper access.
However, I can place a laptop on the network with no trust account, and
since I log onto it with the same username and password, I can
browse the domain resources as if I had authenticated off of the PDC.

I am hoping someone can explain this to me. I want to deploy a Samba PDC
in a larger environment, but I do not want a user to be able to see
private resources just by knowing someone's username and pass; I want
them to have to come from a trusted machine also.

Here is my smb.conf:

[global]
    netbios name = HERAKLES
    workgroup = STS
    server string = Samba Server %v
    security = user
    encrypt passwords = yes
    username map = /etc/samba/smbusers
    smb passwd file = /etc/samba/private/smbpasswd
    add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
    local master = yes
    os level = 65
    preferred master = yes
    domain master = yes
    domain logons = yes
    logon script = logon.bat
    time server = yes
    wins support = yes
    interfaces = eth1
    hosts allow = 192.168.10.
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    log level = 3
    log file = /var/log/samba/log.%m

[netlogon]
    path = /export/samba/netlogon
    writable = no
    browsable = no

[Shared Business Docs]
    copy = template
    path = /export/samba/shareddocs
    comment = Shared Business Documents
    writable = yes

Regards,
-John
jbarton at technicalworks.net