[Samba] winbind name service required for active directory (ADS)
authentication and group-based authorization?
Luke Mewburn
lukem-samba at mewburn.net
Fri Oct 29 23:16:13 GMT 2004
On Fri, Oct 29, 2004 at 09:16:02AM -0700, DeStefano, Paul wrote:
| Solution: ADS, perhaps?
|
| I've read lots of documents and they seem to indicate
| that, when using ADS authentication (by which I mean
| security=ADS and the proper realm, etc.) winbind is NOT
| involved in the authentication process. It says smbd
| participates in Kerberos ticketing, like a normal "Domain
| Member", to authorize samba clients. (Details found here:
| http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html)
| I think that means it gets the client user authorization
| directly from ADS; winbind is not involved.
|
| Well, if that's true, then samba has everything it needs to
| authorize clients by group membership, not just authenticate users,
| without consulting winbind. The Kerberos ticket that it receives
| during authentication includes all sorts of information about the
| user...including the user's group memberships. Is that right?
|
| This isn't particular to ADS, I suppose, now that I think about it;
| probably the same as before ADS. But, I couldn't find any examples
| of samba using windows authentication without winbind.
|
| You're probably wondering what is going to happen after
| authentication and authorization without winbind to map users to
| UNIX UIDs. Me too. That's my follow up question. I hope that samba
| can use the unqualified username (without the 'DOMAIN\' prefix)
| to find a match using the normal resolution so that we can just
| populate /etc/passwd. Think that will work? Actually, we intend to
| use "force user =", as in the past, so it really doesn't matter what
| happens with the UID mappings, but samba might not be that clever.
| It may insist on successfully resolving usernames before checking
| options like "force user".
If you have a mapping in the passwd(5) file between the username
(without 'DOMAIN\' prefix) and a UID, things should work without
needing "winbind" in nsswitch.conf; the user's password is
checked against ADS and the passwd(5) entry is used to provide a UID.
If there is not a matching entry in passwd(5) for the ADS user,
they will not be able to connect.
Cheers,
Luke.
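A pre-flight check for the setup Luke describes (security = ads, users mapped to UIDs through passwd(5) with no winbind in nsswitch.conf), added here as an example; it is not code from this thread or from Samba. The smb.conf, passwd and nsswitch.conf contents are constructed samples and the function names are hypothetical: it reports which AD users (any 'DOMAIN\' prefix stripped) have a passwd(5) entry, which ones would be refused a connection for lack of one, and whether each share's "force user" names an existing Unix account.

```python
# Constructed sample files for the check below (not from any real host).
SMB_CONF = """[global]
   security = ads
   realm = EXAMPLE.LOCAL
[shared]
   force user = sharedowner
"""
PASSWD = """root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001::/home/alice:/bin/sh
sharedowner:x:1500:1500::/srv/shared:/sbin/nologin
"""
NSSWITCH = "passwd: files\ngroup: files\n"

def parse_smb_conf(text):
    """Return {section: {key: value}} for a minimal smb.conf (keys lowercased)."""
    conf, section = {}, "global"
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, _, val = line.partition("=")
        conf.setdefault(section, {})[key.strip().lower()] = val.strip()
    return conf
def passwd_uids(text):
    # login name -> UID from passwd(5)-formatted text
    return {f[0]: int(f[2]) for f in (l.split(":") for l in text.splitlines()) if len(f) >= 7}
def unqualified(name):
    """'EXAMPLE\\alice' -> 'alice'; a bare name is returned unchanged."""
    return name.rsplit("\\", 1)[-1]
def check_ads_users(smb_conf, passwd, nsswitch, ad_users):
    """Say which AD users resolve to a UID from passwd(5) alone (no winbind)."""
    conf, uids = parse_smb_conf(smb_conf), passwd_uids(passwd)
    g = conf.get("global", {})
    report = {
        "ads": g.get("security", "").lower() == "ads" and bool(g.get("realm")),
        "winbind_in_nss": any(l.startswith("passwd:") and "winbind" in l
                              for l in nsswitch.splitlines()),
        "mapped": {}, "missing": [],
        "force_users": {s: v["force user"] for s, v in conf.items() if "force user" in v},
    }
    report["force_user_ok"] = all(f in uids for f in report["force_users"].values())  # must be a Unix account
    for u in ad_users:
        if (local := unqualified(u)) in uids:  # passwd(5) has no 'DOMAIN\' prefix
            report["mapped"][u] = uids[local]
        else:
            report["missing"].append(u)  # no entry: the user cannot connect
    return report
```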