[Samba] change in AD authentication behaviour since 3.0.24
Robert Cohen
robert.cohen at anu.edu.au
Thu Feb 21 00:31:21 GMT 2008
Charles Marcus (CMarcus at Media-Brokers.com) wrote:
>>On 2/19/2008, Robert Cohen (robert.cohen at anu.edu.au) wrote: I'm not sure
>>whether it's the same problem as us.
>> BTW I should mention that we're simply not using winbind. The behaviour I'm
>> talking about is when an XP client machine attempts to connect to our server
>> to get a network share.
>>
>> So winbind doesn't enter into the equation.
>>
>From the 3.0.25 release notes (3rd paragraph is most relevant to you):
>"Member servers, domain accounts, and smb.conf
>=============================================
>Since Samba 3.0.8, it has been recommended that all domain accounts listed
>in smb.conf on a member server be fully qualified with the domain name.
>This is now a requirement. All unqualified names are assumed to be local to
>the Unix host, either as part of the server's local passdb or in the local
>system list of accounts (e.g. /etc/passwd or /etc/group).
>
>The reason for this change is that smbd has transitioned from access checks
>based on string comparisons to token based authorization. All names are
>resolved to a SID and then verified against the logged on user's NT user
>token. Local names will resolve to a local SID, while qualified domain
>names will resolve to the appropriate domain SID.
>If the member server is not running winbindd at all, domain accounts will be
>implicitly mapped to local accounts and their tokens will be modified
>appropriately to reflect the local SID and group membership.
>
This turned out to be the problem. We hadn't been starting winbindd since I
thought it was only relevant if you were using winbind in
/etc/nsswitch.conf.
But as soon as we started winbind, along with other config settings
mentioned earlier, everything just started working.
=======================================
Robert Cohen
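Added example (mine, not code from the thread or from Samba): a small Python lint over an smb.conf that flags the names the 3.0.25 release notes quoted above are talking about, i.e. entries in valid users, write list, admin users, force user and friends that carry no DOMAIN\ prefix and so will be resolved as local Unix accounts rather than domain accounts. The config it scans is a constructed sample; EXAMPLEDOM, the share names and paths are invented. It only checks the syntax: whether a qualified name actually resolves still depends on winbindd running, as Robert found.

```python
"""Static lint for the smb.conf change described in the 3.0.25 notes above:
flag account names in access-control parameters that carry no DOMAIN\\ prefix
and will therefore be treated as local Unix accounts.

Added example for this thread; it is not Samba code and does not talk to
winbindd. The sample config below is constructed for illustration.
"""
import re

# Real smb.conf parameters whose values are user/group names. Samba matches
# parameter names ignoring case and whitespace, so they are kept in that
# normalised form here.
ACCOUNT_LIST_PARAMS = {
    "validusers", "invalidusers", "readlist", "writelist", "adminusers",
}
SINGLE_ACCOUNT_PARAMS = {"forceuser", "forcegroup"}
GROUP_SIGILS = "@+&"          # prefixes smb.conf uses to mark group names

# Constructed sample: [old] is the pre-3.0.25 style (unqualified names, now
# resolved against the local passdb or /etc/passwd); [fixed] is the same
# access list qualified with the domain. EXAMPLEDOM and the share paths are
# made up. Names containing spaces must be double-quoted, as in the last entry.
SAMPLE_SMB_CONF = r"""
[global]
   workgroup = EXAMPLEDOM
   realm = EXAMPLEDOM.EXAMPLE.COM
   security = ads
   # winbindd must be running for qualified names to resolve to domain SIDs

[old]
   path = /srv/old
   valid users = rcohen, @staff
   write list = rcohen
   force user = rcohen

[fixed]
   path = /srv/fixed
   valid users = EXAMPLEDOM\rcohen, @EXAMPLEDOM\staff, "@EXAMPLEDOM\Domain Admins"
   write list = EXAMPLEDOM\rcohen
   force user = EXAMPLEDOM\rcohen
"""


def _normalise(param):
    """Samba-style parameter name: lower case, whitespace removed."""
    return re.sub(r"\s+", "", param).lower()


def parse_smb_conf(text):
    """Return {section: {normalised_param: value}}.
    Handles '#'/';' comments and backslash line continuations; does not
    expand %-macros or 'include' directives."""
    logical, pending = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):          # continuation line, as smbd treats it
            pending += line[:-1]
            continue
        logical.append(pending + line)
        pending = ""
    if pending:
        logical.append(pending)

    sections, current = {}, None
    for line in logical:
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][_normalise(key)] = value.strip()
    return sections


def split_account_list(value):
    """Split a comma/space separated name list, keeping "quoted names" whole."""
    tokens = re.findall(r'"[^"]*"|[^,\s]+', value)
    return [t.strip('"') for t in tokens]


def is_qualified(name, separator="\\"):
    """True if NAME is DOMAIN<separator>account (group sigils ignored)."""
    bare = name.lstrip(GROUP_SIGILS)
    domain, sep, account = bare.partition(separator)
    return bool(sep) and bool(domain) and bool(account)


def find_unqualified_accounts(text):
    """Return [(section, parameter, name)] for every name that smbd >= 3.0.25
    will treat as a local account. Honours 'winbind separator' in [global]
    (default backslash). Entries that really are local Unix accounts are
    legitimate; review each hit rather than blindly qualifying it."""
    conf = parse_smb_conf(text)
    separator = conf.get("global", {}).get("winbindseparator", "\\")
    findings = []
    for section, params in conf.items():
        for param, value in params.items():
            if param in ACCOUNT_LIST_PARAMS:
                names = split_account_list(value)
            elif param in SINGLE_ACCOUNT_PARAMS:
                names = [value.strip('"')]
            else:
                continue
            findings.extend((section, param, n) for n in names
                            if not is_qualified(n, separator))
    return findings


if __name__ == "__main__":
    for section, param, name in find_unqualified_accounts(SAMPLE_SMB_CONF):
        print(f"[{section}] {param}: '{name}' is unqualified (treated as local)")
```

Run against the sample it reports the four names in [old] and nothing in [fixed]. A hit is only a candidate: the release notes say unqualified names are looked up in the local passdb or /etc/passwd, which is exactly what you want for a genuinely local account, so qualify only the names that are meant to be domain accounts, and make sure winbindd is running on the member server before expecting them to resolve.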