[Samba] use password server= when security=ADS or not???
Alex de Vaal
AVaal at nh-hotels.nl
Wed Jun 9 12:33:21 GMT 2004
Dear list,
I'm using samba 3.0.4 on a RHL9 server as domain member in a W2k3 ADS (native)
environment.
The shares on the Samba server are used by XP clients and these clients get the
shares via scripting while they log on to the ADS.
In the ADS domain there are several ADS servers (on remote locations, connected
via routers) that have the same global catalog. This means that an XP client that
logs on to the ADS will get a response from the fastest server on the network. The
XP clients and the Samba domain member are on remote locations and connected
to the ADS environment via routers too.
The smb.conf file that I use on the Samba domain members doesn't contain the
password server statement; according to the man pages, this means that Samba
handles the password server as follows:
If the password server option is set to the character '*' (is the same as no password
server), then Samba will attempt to auto-locate the Primary or Backup Domain
controllers to authenticate against by doing a query for the name
WORKGROUP<1C> and then contacting each server returned in the list of IP
addresses from the name resolution source. This means that Samba uses the old
NetBIOS name, and this is not in our DNS and a broadcast is not allowed on our
routers!
The samba man page also says the following about password server:
The advantage of using security = domain is that if you list several hosts in the
password server option then smbd will try each in turn till it finds one that responds.
This is useful in case your primary server goes down.
Does this also work when security = ADS? I'd like the samba domain member to
try to contact each password server in the list till it finds one that responds.
Can you tell me what is preferable? I use Samba 3.0.4 on RHL9 compiled with MIT
Kerberos 1.3.1-7 and CUPS; Kerberos and winbind are used for authentication against
the ADS server.
Here is my smb.conf file (only the global section):
[global]
workgroup = XXXX
realm = XXXX.COM
server string = %h server (Samba %v)
security = ADS
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
unix password sync = Yes
log file = /var/log/samba/%m.log
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
domain master = No
dns proxy = No
idmap uid = 10000-20000
idmap gid = 10000-20000
template homedir = /data/hom/%U
template shell = /bin/bash
printer admin = root, '@XXXX.COM\Domain Admins', @XXXX.COM\DEP_ADMIN_GERMANY
oplocks = No
level2 oplocks = No
Regards,
Alex.
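The question above is really "which of the listed domain controllers does this member actually reach across the routers, and which one would be tried first?". The following is an added example, not part of the original post or of Samba itself: it parses a `password server` value the way smbd splits it, probes each host in turn over TCP 445 with a timeout, and reports the first responder. The host names are constructed placeholders for the XXXX.COM realm; the probe is injectable so the logic can be exercised without a network.

```python
import socket

# Constructed sample value for the realm in the post (placeholder host names).
SAMPLE_PASSWORD_SERVER = "dc-madrid.xxxx.com, dc-berlin.xxxx.com dc-ams.xxxx.com"


def parse_password_server(value: str) -> list:
    """Split an smb.conf 'password server' value into an ordered host list.

    smbd accepts whitespace- or comma-separated names. '*' or an empty value
    means 'auto-locate', which this example represents as an empty list.
    """
    hosts = [h for h in value.replace(",", " ").split() if h]
    if not hosts or hosts == ["*"]:
        return []
    return hosts


def tcp_probe(host: str, port: int = 445, timeout: float = 2.0) -> bool:
    """Default probe: can the member open a TCP connection to the DC's SMB
    port within the timeout? A DC behind a router that drops or filters the
    traffic shows up here as False instead of a long smbd hang."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def first_responding(hosts, probe=tcp_probe):
    """Try each host in the order given and return the first one that responds,
    mirroring the 'try each in turn' behaviour quoted from the man page.
    Returns None when no listed server responds (the case to alert on)."""
    for host in hosts:
        if probe(host):
            return host
    return None


def reachability_report(hosts, probe=tcp_probe) -> dict:
    """Probe every host (not just until the first success) so an operator can
    see which remote DCs are unreachable from this site."""
    return {host: probe(host) for host in hosts}


if __name__ == "__main__":
    candidates = parse_password_server(SAMPLE_PASSWORD_SERVER)
    print("candidates:", candidates)
    print("first responder:", first_responding(candidates))
    print("reachability:", reachability_report(candidates))
```

Run it on the real member with the value from your smb.conf; a DC that is listed first but always reported unreachable is the one that would delay every authentication.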