[Samba] Unnecessary smbpasswd
Jeremy Allison
jra at samba.org
Thu Sep 29 18:43:24 GMT 2005
On Thu, Sep 29, 2005 at 12:30:35PM -0600, Ric Tibbetts wrote:
> If I understand the process correctly:
>
> User on Windows XP box makes a request to the Samba server.
> The windows box passes the username/password pair to the Samba server.
> The Samba server checks that the user exists on the unix box, and
> (following the "password server = xxx.xxx.xxx.xxx" parameter in
> smb.conf) verifies the username/password from the Windows Domain
> Controller (specified in the "password server = " parameter).
> If the username/password do not exist on the specified password
> server, samba checks the smbpasswd file.
> Once the username/password is validated, the samba server will pass the
> share.
>
> Is the above a fair breakdown, in a very simple implementation?
Close. The Samba server sends a challenge to the client on initial
connect, the client replies on sessionsetup (user logon) with a
username and a cryptographic reply to the challenge based on
the users hashed password.
Now Samba has to authenticate that reply somehow. It can't use
unix passwords as the hashes aren't the same. To do it locally
it can use smbpassword (or a local tdb or an ldap based SAM). To
do this remotely against a Windows DC the Samba server have to
be set up as a member of the domain served by the Windows PDC.
That's where the net XXX (ads or rpc) join comes in.
Once the authentication passes the the Samba server needs to
look up a UNIX user that will represent the logging in client
on this box - that's where you have either local unix users
in /etc/passwd or use winbindd to have remote domain users
appear as local unix users.
Hope this helps,
Jeremy.
More information about the samba
mailing list