[Samba] winbind name service required for active directory (ADS)
authentication and group-based authorization?
Paul.DeStefano at nwdc.net
Fri Oct 29 16:16:02 GMT 2004
Hello Samba Gurus,
Is using the winbind name service required in order to get authentication AND authorization via ADS? I'll explain further.
Goal: create samba share for which clients are authenticated via native ADS and access is based on ADS group membership.
I've actually done this in the old Windows NT world. Worked okay. It wasn't too hard, except for the winbind piece (see problem below). But, now, I question the necessity of winbind in the case that samba uses ADS authentication.
Problem: On Solaris 8, passwd binary will not accept 'winbind' in /etc/nsswitch.conf. (I've been over this many times. In the past, we wrote an interposer lib for the fopen() call, which I posted, and pre-loaded it on smbd, but libnss has been changed since then and it doesn't work any more...long story.)
Solution: ADS, perhaps?
I've read lots of documents and they seem to indicate that, when using ADS authentication (by which I mean security=ADS and the proper realm, etc.) winbind is NOT involved in the authentication process. It says smbd participates in Kerberos ticketing, like a normal "Domain Member", to authorize samba clients. (Details found here: http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html) I think this means it gets the client user authorization directly from ADS; winbind is not involved.
Well, if that's true, then samba has everything it needs to authorize clients by group membership, not just authenticate users, without consulting winbind. The Kerberos ticket that it receives during authentication includes all sorts of information about the user...including the user's group memberships. Is that right?
This isn't particular to ADS, I suppose, now that I think about it; probably the same as before ADS. But, I couldn't find any examples of samba using windows authentication without winbind.
You're probably wondering what is going to happen after authentication and authorization without winbind to map users to UNIX UIDs. Me too. That's my follow up question. I hope that samba can use the unqualified username (without the 'DOMAIN\' prefix) to find a match using the normal resolution so that we can just populate /etc/passwd. Think that will work? Actually, we intend to use "force user =", as in the past, so it really doesn't matter what happens with the UID mappings, but samba might not be that clever. It may insist on successfully resolving usernames before checking options like "force user".
I hope that made sense. It only took me slightly longer to compose this message than to compile samba with krb-auth and test it myself, so I hope someone out there has some insights. To be honest, I did try it, but I'm not sure I compiled it all correctly. It wasn't clear from the errors what was the actual problem. And, I couldn't get it to work *with* winbind, either, so that's why I'm posting.
More information about the samba
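Added example, not part of Paul's message or of the Samba documentation he cites: the two smb.conf layouts the question contrasts, a conventional winbind-backed ADS member server and one that leaves winbind out. The domain, realm, DC hostname, share path, group and account names are assumed placeholders. The point a practitioner would check before relying on the second variant is spelled out in its comments: Kerberos authentication with security = ADS does not call winbind, but smbd still has to resolve the authenticated user to a UNIX account before it ever looks at "force user", and "@group" entries in "valid users" are then matched against UNIX groups from /etc/group, not against AD groups.

```ini
# Added example configurations (not from the original post). Two alternative
# smb.conf files for a Samba 3 ADS domain member; pick one, do not merge them.
# Domain, realm, DC, share, group and account names are assumed placeholders.

# ======== Variant A: ADS member with winbind (the documented setup) ========
# Requires the nsswitch.conf lines Paul cannot get onto Solaris 8:
#   passwd: files winbind
#   group:  files winbind
[global]
    workgroup = EXAMPLE
    ; Kerberos realm, upper case, must match the AD domain
    realm = EXAMPLE.COM
    security = ADS
    password server = dc1.example.com
    encrypt passwords = yes
    ; winbind allocates UNIX uids/gids for AD SIDs from these ranges
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    ; lets the plain name "paul" stand for "EXAMPLE\paul"
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    template shell = /bin/false

[projects]
    path = /export/projects
    ; the @group is resolved through winbind, so an AD group works here
    valid users = @EXAMPLE\projusers
    read only = no
    ; every file operation runs as this local account, whoever connected
    force user = projsvc

# ======== Variant B: ADS member without winbind (what Paul asks about) ========
# Kerberos authentication itself does not touch winbind. smbd must still map
# the authenticated AD name to a UNIX account before the share section (and
# "force user") is considered; without winbind that is an /etc/passwd entry
# matching the unqualified AD username, or a "username map" entry.
# "@group" in "valid users" now matches UNIX groups only, so AD group
# membership is not checked live; the UNIX group has to be kept in sync by hand.
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ADS
    password server = dc1.example.com
    encrypt passwords = yes
    ; optional: translate AD names to local names when they differ
    ; username map = /usr/local/samba/lib/smbusers

[projects]
    path = /export/projects
    ; "projusers" is a group in /etc/group, not an AD group
    valid users = @projusers
    read only = no
    force user = projsvc
```

After editing either variant, "testparm" validates the file syntax, and "net ads testjoin" (after "net ads join") confirms the machine account and Kerberos setup independently of whether winbind is running.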