[Samba] Samba & Win2k AD domain membership

Rodre Ghorashi-Zadeh rodre at conduitcorp.net
Mon May 9 16:35:55 GMT 2005


Thanks for your response. So if I understand this correctly, Kerberos
authenticates the client for access to the share, but the smbusers file maps
Windows accounts to UNIX accounts for file system access on the Samba
server? Also, if I use the "force user = x" parameter on the share, would I
still be able to have the Windows "Domain Admins" group perform
Read/Write/Delete operations on the share, and the "Domain Users" group
perform only Read operations? If so, could you please provide an smb.conf
example? Thanks again.

~ Rodre

-----Original Message-----
From: Gordon Hopper [mailto:g.hopper at computer.org] 
Sent: Sunday, May 08, 2005 11:08 PM
To: Rodre Ghorashi-Zadeh
Cc: samba at lists.samba.org
Subject: Re: [Samba] Samba & Win2k AD domain membership

No, you don't need to run winbind (provided that all of your Samba users
already have unix accounts, or you list them in your smbusers file).  I
use Samba+Kerberos (with Active Directory) without running winbind.  I
didn't modify my pam settings because I'm using Kerberos only for Samba.

Note that, in this scenario, my AD users cannot log in to the box (with
e.g. telnet).  Also, I map the file permissions with "force user = x",
since the users don't have a real uid on the box.  (Also, I can't access
AD groups without winbind...  There are some downsides, but Samba does
work without it.)


Gordon Hopper

On Sat, 2005-05-07 at 13:17 -0700, Rodre Ghorashi-Zadeh wrote:
> Hello,
> I am trying to set up my samba server version 3.0.10-1.fc3 as a Win2k
> Member. What I need to know is once I have ADS security and Kerberos
> working, do I still need to use winbind or ldap for client authentication,
> or will Kerberos take care of it?
> Rodre Ghorashi-Zadeh
> Chief Systems Engineer
> Conduit Technical Environments Corporation
> 604.785.4888
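
An smb.conf layout for the setup discussed in this thread, added here as an example and not written by either poster: clients authenticate with Kerberos (security = ads, no winbind), file operations run as one forced local account, and write access is limited with "write list". Assumptions: the realm, workgroup, path, the local account "shareowner" and the local Unix groups "smbadmins" and "smbreaders" are hypothetical names; since AD groups cannot be resolved without winbind, the groups are local ones whose members are the Unix names the username map produces.

```ini
# Constructed example; every name below is a placeholder.
[global]
   security = ads
   realm = EXAMPLE.LOCAL
   workgroup = EXAMPLE
   # No winbind: each AD user must resolve to a local Unix account, either
   # by an identical name or through this map. Map file lines look like:
   #   alice = EXAMPLE\alice
   username map = /etc/samba/smbusers

[projects]
   path = /srv/samba/projects
   # Only members of these local Unix groups may connect at all.
   valid users = @smbadmins @smbreaders
   # Default for everyone who connects: read-only.
   read only = yes
   # Members of smbadmins get write access despite "read only = yes".
   write list = @smbadmins
   # Once the connection is established, all file operations run as this
   # account, so it must own the tree and hold the Unix write permission.
   force user = shareowner
   create mask = 0640
   directory mask = 0750
```

Because every write lands on disk as "shareowner", Unix ownership no longer shows which user changed a file, so the share-level lists above are the only access control on this tree; run testparm after editing to confirm the file parses.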
