[Samba] Samba Authentication Via Active Directory

Toby Bluhm tkbsmb at midwestinstruments.com
Fri Feb 16 14:59:11 GMT 2007

Jonathan C. Detert wrote:
> * Toby Bluhm <tkbsmb at midwestinstruments.com> [070216 07:23]:
>> Brijesh Shukla wrote:
>>> Hi Samba/Active Directory List,
>>> Can any one please let me know how I can authenticate a user on a Samba
>>> machine via Active Directory.
>>> Let me describe my question in more detail.
>>> I have Active Directory as a domain controller on Windows 2003 Server; on
>>> the same network I have a Linux machine that is running the Samba server
>>> under the domain controller of Active Directory.
>>> I have a list of registered users on Active Directory, but not all of them
>>> have an account on the Samba machine. How can the rest of the users who do
>>> not have a Linux account on the Samba machine access the shared folder on
>>> Linux (Samba server)?
>>> Example: if x, y, z are the registered users on Active Directory and in
>>> the same domain I have a Samba server.
>>> I have created an account for x (Add user) on the Linux Samba machine; now
>>> x is able to access the Samba server from any machine to Linux, but the
>>> rest of the other users (Y and Z) can not access the Samba server though
>>> they are registered in Active Directory with the same privilege as X.
>>> Suppose I have 1000 accounts in Active Directory; then do I have to create
>>> 1000 accounts on the Samba server to make them eligible to access the
>>> shared folder on Linux? Is that the case....
>>> While in a Windows-XP environment any one of the registered users in Active
>>> Directory can access any machine in the same domain..
>>> Kindly teach me...
>>> Thanks & Regards
>>> Brijesh Shukla
>> You will need to configure winbind.
> I'm not sure that is true; I think one could use pam_ldap alone instead.
> However, I agree that winbind is a good choice.
>> Have you reviewed the docs at samba.org?
>> Official HowTo Collection - Chapter 2 Domain Member Server, Chapter 14 
>> Identity Mapping.
>> Samba3 By Example - Chapter 7 Adding Domain Member Servers and Clients
> The direct answer is, 'No', you don't have to create all 1000 accounts on
> the Samba server (though you may still have to create the homedirs).  You
> can use winbind instead, as Toby pointed out, and
> the above mentioned documentation contains all you need to know.
> To give you a general idea of what you'll learn from the above
> documentation:
> Essentially, winbind maps unix uids and gids to MS Active Directory SIDs.
> Winbind offers 2 or 3 mutually exclusive ways to do that mapping.
> The simplest way is for winbind to maintain its own, unshared map, local
> to the samba server.  The uids and gids that winbind uses in this case,
> are unique to the local samba server (i.e. the same mapping cannot be
> used on some other host).

Using idmap_rid will bypass that little mapping problem. It combines the 
Windows SID and a base number to form predictable UIDs/GIDs.

> More complex ways to make winbind do its sid-> uid/gid mapping include:
> a) get the map from an ldap server
> b) get the map from an MS A.D. server that has had its schema extended
>    with unix attributes (mssfu).
> I believe there is another mapping method too, that I don't know well
> enough to summarize.
> None of the winbind mapping strategies handle making home directories.
> If you need home dirs, you might be able to use pam_mkhomedir to make
> them automatically for you.
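To make the idmap_rid point above concrete, here is an added example (not code from this thread or from Samba itself) that applies the formula the idmap_rid backend documents, ID = RID - base_rid + low_range_id, so that the same domain SID resolves to the same uid on every Samba host sharing the configuration. The domain SID, range and RIDs below are constructed values.

```python
"""idmap_rid-style SID <-> UID mapping, worked through on constructed data.

Illustrative Python, not Samba's own implementation. The deterministic
mapping is what lets several domain member servers agree on ownership
without a shared LDAP map, unlike the default per-host allocating backend.
"""
import re

# Constructed configuration, the equivalent of these smb.conf lines:
#   idmap config MIDWEST : backend  = rid
#   idmap config MIDWEST : range    = 10000-19999
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed
LOW_ID, HIGH_ID = 10000, 19999   # keeps clear of local accounts below 1000
BASE_RID = 0                     # idmap_rid default

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def sid_to_id(sid: str) -> int:
    """Map a SID of the configured domain to a unix id, or raise.

    Nothing is allocated or stored: the result is a pure function of the
    SID's RID and the configured range, hence identical on every host.
    """
    m = SID_RE.match(sid)
    if not m or m.group(1) != DOMAIN_SID:
        raise ValueError(f"not a SID of the configured domain: {sid}")
    rid = int(m.group(2))
    unix_id = rid - BASE_RID + LOW_ID
    # A RID that lands outside the range is simply unmapped; such a user
    # gets no unix id at all rather than colliding with a local account.
    if not LOW_ID <= unix_id <= HIGH_ID:
        raise ValueError(f"RID {rid} -> {unix_id} is outside {LOW_ID}-{HIGH_ID}")
    return unix_id


def id_to_sid(unix_id: int) -> str:
    """Reverse mapping: unix id back to the domain SID."""
    if not LOW_ID <= unix_id <= HIGH_ID:
        raise ValueError(f"{unix_id} is not inside the idmap range")
    return f"{DOMAIN_SID}-{unix_id - LOW_ID + BASE_RID}"


if __name__ == "__main__":
    for rid in (500, 1105, 1106):   # Administrator and two ordinary users
        sid = f"{DOMAIN_SID}-{rid}"
        print(f"{sid} -> uid {sid_to_id(sid)}")
```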
