[Samba] Samba & Win2k AD domain membership

Rodre Ghorashi-Zadeh rodre at conduitcorp.net
Tue May 10 16:16:46 GMT 2005

Hi Gordon,

The reason I didn't want to run winbind is because I don't want to run my AD
server in compatability mode, which I believe is required for windbind to be
able to use a "CID" to query the users and groups stored in the AD.  Maybe I
am wrong?

~ Rodre

-----Original Message-----
From: Gordon Hopper [mailto:g.hopper at computer.org] 
Sent: Monday, May 09, 2005 3:39 PM
To: Rodre Ghorashi-Zadeh
Subject: RE: [Samba] Samba & Win2k AD domain membership

No, you need winbind to use domain groups.  

Kerberos (as it is used by Samba) validates the password.  If you're not
using winbind, then Samba uses /etc/passwd and /etc/group for the
username to user id (uid) mapping.  If you choose to list all of your
Domain Admin users in /etc/passwd and /etc/group, then it will work
without winbind.  (However, you will be unable to manage the group list
with Active Directory tools, obviously.)

You might want to read this paragraph on the Name Service Switch (NSS)
Collection/winbind.html#id2596800 .  You can think of winbind as
magically extending the /etc/passwd and /etc/group files, the same way
that NIS or other unix domain services do.  (But not /etc/shadow.
Authentication is handled separately via PAM.)

Hmm.. anyway, I'm not sure you need to understand all this to get it
working.  (I'm not sure I understand it all ;).  It sounds like you DO
want to run winbind, at least in /etc/nsswitch.conf.

Is there a reason you don't want to run winbind?  For example, do you
want to prevent users from telnetting to the box? (that should be the
default, unless you modify /etc/pam.d/login).  I'm not running it simply
because I ran out of time on the project, and the things we needed
worked ok without it.


On Mon, 2005-05-09 at 09:35 -0700, Rodre Ghorashi-Zadeh wrote:
> Hello,
> Thanks for your response. So if I understand this correctly, the Kerberos
> authenticates the client for access to the share, but the smbusers file
> Windows accounts to UNIX accounts for file system access on the Samba
> server? Also, if I use the "force user =x" parameter on the share would I
> still be able to have the Windows "Domain Admins" group perform
> Read/Write/Delete operations on the share, and the "Domain Users" group
> perform only Read operations? If so, could you please provide a smb.conf
> example? Thanks again.
> ~ Rodre
> -----Original Message-----
> From: Gordon Hopper [mailto:g.hopper at computer.org] 
> Sent: Sunday, May 08, 2005 11:08 PM
> To: Rodre Ghorashi-Zadeh
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] Samba & Win2k AD domain membership
> No, you don't need to run winbind (provided that all of your Samba users
> already have unix accounts, or you list them in your smbusers file).  I
> use Samba+Kerberos (with Active Directory) without running winbind.  I
> didn't modify my pam settings because I'm using Kerberos only for Samba.
> Note that, in this scenario, my AD users cannot log in to the box (with
> e.g. telnet).  Also, I map the file permissions with "force user = x",
> since the users don't have a read uid on the box.  (Also, I can't access
> AD groups without winbind...  There are some downsides, but Samba does
> work without it.)
> Regards,
> Gordon Hopper
> On Sat, 2005-05-07 at 13:17 -0700, Rodre Ghorashi-Zadeh wrote:
> > Hello,
> > 
> > I am trying to setup my samba server version 3.0.10-1.fc3 as a Win2k
> Domain
> > Member. What I need to know is once I have ADS security and Kerberos
> > working, do I still need to use winbind or ldap for client
> or
> > will Kerberos take care of it?
> > 
> >  
> > 
> > Rodre Ghorashi-Zadeh
> > 
> > Chief Systems Engineer
> > 
> > Conduit Technical Environments Corporation
> > 
> > 604.785.4888

More information about the samba mailing list