[Samba] winbind: authenticating UNIX user before Win Domain user
greg.chavez at gmail.com
Wed Nov 17 20:48:06 GMT 2004
We have a samba 3.0.7 server on RHEL-3 (rain) joined as a domain
member (security = domain) to a win2k pdc (clouds) for the domain DOM.
We have several unix users and two Win-only users. The unix users
have matching AD accounts on the win2k, but the Win-only users do not
have unix accounts (and we want to keep it that way). So, it seemed
that winbind would be the best way to bridge the gap:
1. UNIX users could access shares on the samba server in the same way
whether logged on to windows workstation or the samba server itself
2. Files created on the shares would be controlled via permissions
for UNIX users and groups.
3. Win users would not need to have UNIX accounts created, but could
access the samba shares as easily as the UNIX users.
4. Home directories and profiles will be pulled from the samba server.
It works well except that winbind does not authenticate the UNIX users
as expected when they log on from Windows. For example: from a Windows
workstation, I log on as "gchavez". There is a UNIX user on the samba
server "gchavez" which I expect winbind to authenticate against when I
try to access the samba shares. This does not happen. Instead,
winbind authenticates against the win2k server with my Win account,
DOM+gchavez, and things don't work (although it does manage to map my
home directory correctly).
Consequently, I come in with Windows group permissions (DOM+Domain
Users) and cannot access the shares protected with UNIX group
permissions. I am trying to keep this message short, but these
command line vitals should tell the rest of the story.
shell> testparm -sv
workgroup = DOM
security = DOMAIN
passdb backend = tdbsam
username map = /etc/samba/smbusers
log level = 2
client use spnego = No
preferred master = No
local master = No
domain master = No
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = +
valid users = +users, "DOM+Domain Users"
force group = +users
read only = No
create mask = 0660
directory mask = 01770
comment = "DOM Home Directories"
path = /usera/home/%U/winhome
create mask = 0600
directory mask = 0740
browseable = No
comment = "Product Documentation - full access"
path = /usera/docs
comment = "Shared Programs - full access"
path = /usera/programs
comment = "Backups"
path = /usera/backups
comment = "Project Files - full access"
path = /usera/projects
comment = "PSC Project - restricted"
path = /usera/projects/psc
valid users = +psc
force group = +psc
shell> getent passwd | grep gchavez
*** this happens when I try to access my homes share from Windows; the
shares are chmod'd with full permission so I can get in ***
shell> tail /var/log/samba/smb.log
[2004/11/17 15:09:12, 2] auth/auth.c:check_ntlm_password(305)
check_ntlm_password: authentication for user [gchavez] -> [gchavez]
-> [DOM+gchavez] succeeded
[2004/11/17 15:09:14, 2] smbd/uid.c:change_to_user(202)
change_to_user: SMB user (unix user nobody, vuid 101) not permitted
access to share IPC$.
[2004/11/17 15:09:14, 0] smbd/service.c:make_connection_snum(570)
Can't become connected user!
[2004/11/17 15:09:14, 1] smbd/service.c:make_connection_snum(648)
sunfish (xx.93.106.16) connect to service gchavez initially as user
DOM+gchavez (uid=10007, gid=10000) (pid 3312)
# net groupmap list | grep users
Domain Users (S-1-5-21-1316288518-2476102628-626236970-513) -> users
# grep winbind /etc/nsswitch.conf
passwd: files winbind
group: files winbind
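As an added diagnostic example (not part of the original post or of Samba itself), the script below reads a check_ntlm_password log line of the shape quoted above, extracts the chain of account names Samba went through, and then evaluates a share's "valid users" list against the final account using the UNIX group membership that account actually carries. The passwd/group entries and the log line are constructed to mirror the situation described in the post (a local gchavez in "users" and "psc", a winbind-supplied DOM+gchavez whose primary gid is the idmap-allocated 10000); the matching rules in valid_users_allows are a simplified model of smb.conf semantics and are an assumption, not Samba's own code.

```python
import csv
import re
from typing import Dict, List, Set

# Constructed sample data modelled on the post (not taken from a real host):
# a local "gchavez" account, plus the winbind-supplied "DOM+gchavez" entry
# carrying the idmap-allocated uid/gid that appear in the quoted log.
SAMPLE_PASSWD = """\
gchavez:x:500:100:Greg Chavez:/usera/home/gchavez:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
DOM+gchavez:x:10007:10000:gchavez:/usera/home/gchavez:/bin/false
"""
SAMPLE_GROUP = """\
users:x:100:gchavez
psc:x:501:gchavez
DOM+domain users:x:10000:
"""
# Constructed log line in the shape of the level-2 smb.log entry in the post.
SAMPLE_LOG_LINE = (
    "check_ntlm_password: authentication for user [gchavez] -> [gchavez] "
    "-> [DOM+gchavez] succeeded"
)


def parse_auth_chain(line: str) -> List[str]:
    """Bracketed names of a check_ntlm_password line, in order: the name the
    client sent, the name after 'username map', the final account used."""
    return re.findall(r"\[([^\]]+)\]", line)


def parse_passwd(text: str) -> Dict[str, dict]:
    """Minimal passwd(5) parser: name -> {uid, gid}."""
    users: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, *_rest = line.split(":")
        users[name] = {"uid": int(uid), "gid": int(gid)}
    return users


def parse_group(text: str) -> Dict[str, dict]:
    """Minimal group(5) parser: name -> {gid, members}."""
    groups: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        groups[name] = {"gid": int(gid),
                        "members": {m for m in members.split(",") if m}}
    return groups


def groups_of(user: str, users: Dict[str, dict], groups: Dict[str, dict]) -> Set[str]:
    """UNIX group names the account carries: its primary gid plus any group
    listing it as a supplementary member."""
    if user not in users:
        return set()
    primary_gid = users[user]["gid"]
    names = {g for g, info in groups.items() if info["gid"] == primary_gid}
    names |= {g for g, info in groups.items() if user in info["members"]}
    return names


def split_samba_list(spec: str) -> List[str]:
    """Split a comma-separated smb.conf list value, honouring double quotes
    (so "DOM+Domain Users" stays one entry)."""
    fields = next(csv.reader([spec], skipinitialspace=True))
    return [f.strip() for f in fields if f.strip()]


def valid_users_allows(spec: str, user: str, users: Dict[str, dict],
                       groups: Dict[str, dict]) -> bool:
    """Simplified model of 'valid users' matching (an assumption, not Samba's
    code): '+name' and '@name' match a UNIX group the account belongs to,
    '&name' (NIS netgroup) is treated as never matching, and any other entry
    must equal the account name exactly."""
    member_of = {g.lower() for g in groups_of(user, users, groups)}
    for entry in split_samba_list(spec):
        if entry[0] in "+@":
            if entry[1:].lower() in member_of:
                return True
        elif entry[0] == "&":
            continue
        elif entry == user:
            return True
    return False


def explain(log_line: str, shares: Dict[str, str], users: Dict[str, dict],
            groups: Dict[str, dict]) -> Dict[str, bool]:
    """For each share's 'valid users' value, say whether the final account
    from the log line would be admitted."""
    final_user = parse_auth_chain(log_line)[-1]
    return {name: valid_users_allows(spec, final_user, users, groups)
            for name, spec in shares.items()}


if __name__ == "__main__":
    users = parse_passwd(SAMPLE_PASSWD)
    groups = parse_group(SAMPLE_GROUP)
    shares = {"homes": '+users, "DOM+Domain Users"', "psc": "+psc"}
    chain = parse_auth_chain(SAMPLE_LOG_LINE)
    print("auth chain:", " -> ".join(chain))
    print("groups of", chain[-1], ":", sorted(groups_of(chain[-1], users, groups)))
    for name, ok in explain(SAMPLE_LOG_LINE, shares, users, groups).items():
        print(f"share {name}: 'valid users' admits {chain[-1]}? {ok}")
```

Run against the constructed data, the script shows the point worth checking on a real box: the account Samba ends up with is the last name in the chain, and it is that account's groups (here the winbind-mapped ones), not the local gchavez's, that are tested against "+users" and "+psc". Replacing the sample strings with the output of getent passwd, getent group and the live smb.log gives the same check for the real server.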