[Samba] Samba Authentication Via Active Directory

Jonathan C. Detert detertj at msoe.edu
Fri Feb 16 14:07:24 GMT 2007

* Toby Bluhm <tkbsmb at midwestinstruments.com> [070216 07:23]:
> Brijesh Shukla wrote:
> >Hi Samba/Active Directory List
> >Can anyone please let me know how I can authenticate a user on a Samba
> >machine via Active Directory.
> >Let me describe my question in more detail.
> >I have Active Directory as a domain controller on a Windows 2003 Server;
> >on the same network I have a Linux machine that is running the Samba
> >server under the domain controller of Active Directory.
> >I have a list of registered users on Active Directory, but not all of them
> >have an account on the Samba machine. How can the rest of the users, who
> >do not have a Linux account on the Samba machine, access the shared folder
> >on Linux (the Samba server)?
> >
> >Example: if x, y, z are the registered users on Active Directory and I
> >have the Samba server in the same domain.
> >I have created an account for x (Add user) on the Linux Samba machine;
> >now x is able to access the Samba server from any machine to Linux. But
> >the rest of the users (Y and Z) cannot access the Samba server, though
> >they are registered in Active Directory with the same privilege as X.
> >Suppose I have 1000 accounts in Active Directory; then I have to create
> >1000 accounts on the Samba server to make them eligible to access the
> >shared folder on Linux, is it the case....
> >While in a Windows XP environment any one of the registered users in
> >Active Directory can access any machine in the same domain..
> >Kindly teach me...
> >Thanks & Regards
> >Brijesh Shukla
> You will need to configure winbind.

I'm not sure that is true; I think one could use pam_ldap alone instead.
However, I agree that winbind is a good choice.

> Have you reviewed the docs at samba.org?
> Official HowTo Collection - Chapter 2 Domain Member Server, Chapter 14 
> Identity Mapping.
> Samba3 By Example - Chapter 7 Adding Domain Member Servers and Clients

The direct answer is, 'No', you don't have to create all 1000 accounts on
the Samba server (though you may still have to create the homedirs).  You
can use winbind instead, as Toby pointed out, and
the above mentioned documentation contains all you need to know.

To give you a general idea of what you'll learn from the above:

Essentially, winbind maps unix uids and gids to MS Active Directory SIDs.
Winbind offers 2 or 3 mutually exclusive ways to do that mapping.

The simplest way is for winbind to maintain its own, unshared map, local
to the samba server.  The uids and gids that winbind uses in this case
are unique to the local samba server (i.e. the same mapping cannot be
used on some other host).

More complex ways to make winbind do its sid-> uid/gid mapping include:
a) get the map from an ldap server
b) get the map from an MsA.D. server that has had its schema extended
   with unix attributes (mssfu).

I believe there is another mapping method too, that I don't know well
enough to summarize.

None of the winbind mapping strategies handle making home directories.
If you need home dirs, you might be able to use pam_mkhomedir to make
them automatically for you.

Happy Landings,

Jon Detert
IT Systems Administrator, Milwaukee School of Engineering
1025 N. Broadway, Milwaukee, Wisconsin 53202, U.S.A.
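To make the mapping strategies in the message above concrete, here is an added example smb.conf fragment for a domain member server. It is not from the original thread, the Samba HOWTO, or Samba's own sources, and it uses the per-domain `idmap config DOMAIN : ...` syntax of current Samba releases rather than the 2007-era `idmap backend` / `idmap uid` form. The realm EXAMPLE.COM, the NetBIOS domain EXAMPLE, the LDAP host and DNs, and all numeric ranges are assumed values.

```ini
# Added example (not from the thread): domain-member smb.conf showing the
# three winbind idmap strategies described above. EXAMPLE / EXAMPLE.COM,
# the LDAP names and the id ranges are assumed, not taken from the thread.
[global]
   security = ads
   realm = EXAMPLE.COM
   workgroup = EXAMPLE

   ; Values winbind hands to NSS when the backend supplies none
   template homedir = /home/%D/%U
   template shell = /bin/bash

   ; Keep the DOMAIN\user form so a domain account can never be confused
   ; with a local /etc/passwd account of the same spelling
   winbind use default domain = no

   ; The "*" entry covers BUILTIN and any trusted domain. It must use a
   ; writable backend, and its range must overlap neither the domain
   ; range below nor locally allocated uids/gids.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   ;; Strategy 1 (simplest): host-local allocation. Ids are handed out in
   ;; order of first sight and stored in this host's winbindd_idmap.tdb,
   ;; so a second Samba server will map the same SID to a different uid.
   idmap config EXAMPLE : backend = tdb
   idmap config EXAMPLE : range = 10000-999999

   ;; Strategy 2 (a): shared map kept on an LDAP server, so several Samba
   ;; hosts allocate from, and agree on, a single table. The bind password
   ;; lives in secrets.tdb, not in this file.
   ;idmap config EXAMPLE : backend = ldap
   ;idmap config EXAMPLE : ldap_url = ldap://ldap.example.com
   ;idmap config EXAMPLE : ldap_base_dn = ou=idmap,dc=example,dc=com
   ;idmap config EXAMPLE : ldap_user_dn = cn=idmap,dc=example,dc=com
   ;idmap config EXAMPLE : range = 10000-999999

   ;; Strategy 2 (b): read uidNumber/gidNumber from the AD objects
   ;; themselves (RFC 2307 / SFU schema). Read-only: an account without
   ;; those attributes gets no uid and therefore cannot be resolved.
   ;idmap config EXAMPLE : backend = ad
   ;idmap config EXAMPLE : schema_mode = rfc2307
   ;idmap config EXAMPLE : range = 10000-999999
   ;winbind nss info = rfc2307
```

Only one of the three EXAMPLE sections may be active at a time. Whichever is chosen, the host still needs `passwd: files winbind` and `group: files winbind` in /etc/nsswitch.conf, and, for the home-directory problem mentioned at the end of the message, a PAM session line such as `session optional pam_mkhomedir.so skel=/etc/skel umask=0077`. After `net ads join`, `wbinfo -u` and `getent passwd 'EXAMPLE\x'` confirm that enumeration and the SID-to-uid mapping work; if the mapped uids must survive a server rebuild or be shared across file servers, strategies 2(a) or 2(b) are the ones that give stable ids, since strategy 1's tdb is local state.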
