[Samba] winbind name service required for active directory (ADS) authentication and group-based authorization?

Luke Mewburn lukem-samba at mewburn.net
Fri Oct 29 23:16:13 GMT 2004


On Fri, Oct 29, 2004 at 09:16:02AM -0700, DeStefano, Paul wrote:
  | Solution: ADS, perhaps?
  |
  | I've read lots of documents and they seem to indicated
  | that, when using ADS authentication (by which I mean
  | security=ADS and the proper relm, etc.) winbind is NOT
  | involved in the authentication process. It says smbd
  | participates in Kerberos ticketing, like a normal "Domain
  | Member", to authorize samba clients. (Details found here:
  | http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-me
  | mber.html) I think means it gets the client user authorization
  | directly from ADS; winbind is not involved.
  |
  | Well, if that's true, then samba has everything it needs to
  | authorize clients by group membership, not just authenticate users,
  | without consulting winbind. The Kerberos ticket that it receives
  | during authentication includes all sorts of information about the
  | user...including the users group memberships. Is that right?
  |
  | This isn't particular to ADS, I suppose, now that I think about it;
  | probably the same as before ADS. But, I couldn't find any examples
  | of samba using windows authentication without winbind.
  |
  | You're probably wondering what is going to happen after
  | authentication and authorization without winbind to map users to
  | UNIX UIDs. Me too. That's my follow up question. I hope that samba
  | can use the unqualified username (without the 'DOMAIN\' prefix)
  | to find a match using the normal resolution so that we can just
  | populate /etc/passwd. Think that will work? Actually, we intend to
  | use "force user =", as in the past, so it really doesn't matter what
  | happens with the UID mappings, but samba might not be that clever.
  | It may insist on successfully resolving usernames before checking
  | options like "force user".

If you have a mapping in the passwd(5) file between the username
(without 'DOMAIN\' prefix) and a UID, things should work without
needing "winbind" in nsswitch.conf; the user's password is
checked against ADS and the passwd(5) entry is used to provide a UID.

If there is not a matching entry in passwd(5) for the ADS user,
they will not be able to connect.

Cheers,
Luke.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 186 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba/attachments/20041030/cfff21d7/attachment.bin


More information about the samba mailing list