[Samba] password authentification
Dale Schroeder
dale at BriannasSaladDressing.com
Mon Jun 8 19:15:08 GMT 2009
I don't know AIX, but I do know you will have to configure Kerberos on
your system.
Since this is AD, it is better to set security to ADS.
security = ADS
Add your realm
realm = hshhp.com (or whatever it is)
You can use the default idmap backend, but this is better
idmap backend = rid:HSHHP:1000-10000 (or whatever #'s you choose)
winbind uid = 1000-10000
winbind gid = 1000-10000
I found an AIX tutorial for Samba/AD. You will have to determine how
much of it applies to you.
http://stgwiki.com/index.php/AIX_Samba_AD
This is as step-by-step as I could find.
Dale
BeefStu BeefStu wrote:
> Since I am totally lost, can somebody please walk me through this? My
> goal is to use AD to do password authentication and NOT need a password
> file within SAMBA. The reason being that we have a policy that our
> domain password expires every 60 days and I don't want to keep 2
> password files in sync.
>
> I am currently running samba on an AIX 5.3 machine.
> # uname -a
> AIX diamond 3 5 000C86CF4C00
>
> This is the what I think I need in my smb.conf file in order to use AD
> for password validation.
> Is this okay? Am I missing some settings?
>
> [global]
> workgroup = HSHHP
> security = DOMAIN
> auth methods = ntdomain
> password server = ttndc3
> max xmit = 65535
> socket options = TCP_NODELAY IPTOS_LOWDELAY
> ldap ssl = no
> oplocks = no
>
> Assume that this is all I have set up so far, what next? In the email
> below, it mentions winbind. Can I download that for AIX 5.3? Does this
> come with the OS (if so, do I have to install it from a particular
> module)? I only care about AIX since that is where my SAMBA is running.
>
> Next, in the article below I see all this talk about Kerberos; do I need
> that? I was under the impression that samba had Kerberos compiled into
> its executable. Am I mistaken?
>
> Basically, what I am looking for is a step-by-step instruction or
> detailed documentation on how to get this to work on AIX.
>
> Thanks to all who answer.
>
> ------------------------------------------------------------------------
> Date: Mon, 8 Jun 2009 12:17:29 -0500
> From: dale at BriannasSaladDressing.com
> To: beefstu350 at hotmail.com
> CC: samba at lists.samba.org
> Subject: Re: [Samba] password authentification
>
> You will need winbind. Easy to understand 2-part howto for linux/AD
> following:
> http://www.enterprisenetworkingplanet.com/netos/article.php/3487081
> http://www.enterprisenetworkingplanet.com/netos/article.php/10951_3502441_1
>
> Choose the idmap backend that works for you. I'm partial to RID.
> http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html
>
> And SWAT is a good way to fine-tune your setup. There are links to
> each parameter and what each of them does (if Samba docs are installed).
>
> Good luck,
> Dale
>
>
> BeefStu BeefStu wrote:
>
> Ed,
>
> Thanks, but I have a few more questions. I took a working example of a smb.conf from another machine and placed this into my smb.conf (see below in red). This is the only thing I did on the UNIX end.
>
> To use AD for password verification, I will follow your directions below, but is there anything else I need to do on the UNIX end?
>
> What I am trying to say, is how will samba get the password now if there is no password file. I know it will get it from AD, but can you take me through step by step as to what happens.
>
> Let's assume I want to map a drive. By doing a join, does samba actually go into AD with my login (it must be cached somehow, right) and look up my password?
>
> Current working version
>
> [global]
> workgroup = hshhp
> server string = Samba 3.0.4.0
> smb passwd file = /var/samba/private/smbpasswd
> log file = /usr/local/samba/var/log.%m
> mangle case = Yes
>
> New version
>
> [global]
> workgroup = hshhp
> security = DOMAIN
> auth methods = ntdomain
> password server = ttndc3
> max xmit = 65535
> socket options = TCP_NODELAY IPTOS_LOWDELAY
> ldap ssl = no
> oplocks = No
>
>
> For example, I see things like this (see below); do I need all this?
>
> The smbpasswd File
> For security reasons we will place the smbpasswd file in a private directory using the following commands:
>
>   cd /etc/samba
>   mkdir private
>   cd private
>   touch smbpasswd
>   chmod 600 smbpasswd
>   cd ..
>   chmod 500 private
>
> Now we will add a dummy entry to the smbpasswd file. To do this, first create a user account for yourself on the Linux server [unless one already exists], then execute the following commands:
>
>   cd /etc/samba/private
>   cat /etc/passwd | mksmbpasswd.sh > smbpasswd
>
> Setting up winbind?
>
> From: samba at nedharvey.com <mailto:samba at nedharvey.com>
> To: beefstu350 at hotmail.com <mailto:beefstu350 at hotmail.com>; samba at lists.samba.org <mailto:samba at lists.samba.org>
> Date: Sat, 6 Jun 2009 07:03:54 -0400
> Subject: RE: [Samba] password authentification
>
> I am trying to set up samba so that it uses the password from my AD
> instead of having a password file in SAMBA.
>
> Can somebody tell me what I have to do on the Windows 2003 side to make
> this work. I am guessing I have to set up a samba acct in AD but not too
> sure. Can somebody please verify and maybe send me a screen print.
>
> There are a million and one ways to do what you're trying to do. The simplest way that I know of - you don't need to do anything on the Windows side. You join the domain with the samba server, and that will create a computer account in AD for you, just as if you were joining AD with some windows laptop. Here's how I do that on my systems:
>
> I don't mess with the smb.conf file. I admin the whole thing via SWAT, as follows:
> 1. Enable SWAT. Browse to http://localhost:901 (note: by default in the xinetd.d config, this interface is only enabled for localhost; by default you can't browse to this web interface across the network; you must use localhost or change the xinetd.d config)
> 2. Go to Wizard.
> a. Server type: Domain member
> b. Commit
> 3. Edit Parameter Values
> a. Workgroup: MYDOMAIN
> b. Realm: MYDOMAIN.COM (all caps)
> c. Commit changes
> 4. Go to the command prompt.
> net join -w MYDOMAIN -U administrator
> (It’s normal to get an error, as long as it says “joined” in the end and the computer account was created in AD)
> 5. Restart samba
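The replies above boil down to a handful of smb.conf settings: `security = ADS` with a `realm` so that Samba authenticates against AD with Kerberos (rather than NTLM pass-through to a hard-coded `password server` under `security = DOMAIN`), and an explicit idmap range so winbind can turn AD SIDs into stable AIX uids/gids. The script below is an added example, not code from the thread or from the Samba project: it parses a [global] section and reports where a config falls short of that advice. The parameter names are real smb.conf names; the check messages, the parser and the two embedded sample configs (the thread's original and the suggested one, re-typed) are ours. It assumes the Samba 3.0.x-era idmap syntax used in the thread (`idmap backend = rid:DOMAIN:low-high`, `winbind uid`/`winbind gid`), accepting `idmap uid`/`idmap gid` as the documented synonyms; later Samba releases changed this syntax.

```python
"""Lint a Samba 3.x smb.conf [global] section for AD-member authentication.

Added example for the thread above, not Samba project code. Checks encode
the advice in the replies: security = ADS plus a realm, and an idmap range
so winbind can map domain SIDs to local ids. Assumes 3.0.x-era idmap syntax.
"""
import re

# 'winbind uid/gid' are documented synonyms of 'idmap uid/gid' in Samba 3.x.
_SYNONYMS = {"winbind uid": "idmap uid", "winbind gid": "idmap gid"}


def parse_global(text):
    """Return the [global] parameters as {name: value}.

    smb.conf ignores case and internal whitespace in parameter names, and a
    line is a comment only when it starts with '#' or ';'.
    """
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            name = " ".join(name.lower().split())
            params[_SYNONYMS.get(name, name)] = value.strip()
    return params


def _parse_range(value):
    """'1000-10000' -> (1000, 10000); None if the value is not a range."""
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def lint_ad_member(text):
    """Return a list of (severity, message); an empty list means no findings."""
    g = parse_global(text)
    out = []
    security = g.get("security", "user").lower()
    if security == "domain":
        out.append(("warn", "security = DOMAIN authenticates by NTLM pass-through to "
                    "'password server' only; against Active Directory use security = ADS."))
    elif security != "ads":
        out.append(("error", f"security = {security} is not a domain-member mode; local "
                    "smbpasswd entries will be used instead of AD."))
    if security == "ads" and "realm" not in g:
        out.append(("error", "security = ADS needs 'realm' (the AD DNS domain) for Kerberos."))
    if "realm" in g and g["realm"] != g["realm"].upper():
        out.append(("warn", f"realm = {g['realm']}: Kerberos realm names are upper case."))
    if "workgroup" not in g:
        out.append(("error", "'workgroup' (the NetBIOS domain name) is missing."))
    if "auth methods" in g:
        out.append(("info", "'auth methods' overrides the defaults chosen by 'security'; "
                    "drop it unless you know why you need it."))
    if "smb passwd file" in g:
        out.append(("info", "a local smbpasswd file is configured; domain users are "
                    "validated by the DC via winbind and need no entry in it."))
    # idmap: winbind must map domain SIDs to stable local uids/gids.
    uid_r = _parse_range(g.get("idmap uid", ""))
    gid_r = _parse_range(g.get("idmap gid", ""))
    if uid_r is None or gid_r is None:
        out.append(("error", "no 'idmap uid'/'idmap gid' (alias 'winbind uid'/'winbind gid') "
                    "range: winbind cannot allocate ids for domain users."))
    backend = g.get("idmap backend", "tdb")
    # Accept 'rid:DOMAIN:low-high' as written in the thread and the
    # 'idmap_rid:DOMAIN=low-high' form used in the Samba 3.0 HOWTO.
    m = re.fullmatch(r"(?:idmap_)?rid:([^:=]+)[:=](.+)", backend, re.IGNORECASE)
    if backend.lower().startswith(("rid", "idmap_rid")):
        if not m or _parse_range(m.group(2)) is None:
            out.append(("error", f"idmap backend = {backend}: expected rid:DOMAIN:low-high."))
        else:
            if m.group(1).lower() != g.get("workgroup", "").lower():
                out.append(("warn", "the rid backend's domain does not match 'workgroup'."))
            rid_r = _parse_range(m.group(2))
            for name, r in (("idmap uid", uid_r), ("idmap gid", gid_r)):
                if r is not None and r != rid_r:
                    out.append(("warn", f"'{name}' range {r} differs from the rid range "
                                f"{rid_r}; ids outside the overlap cannot be mapped."))
    return out


# Constructed samples: the thread's original [global] and the suggested one.
ORIGINAL = """
[global]
    workgroup = HSHHP
    security = DOMAIN
    auth methods = ntdomain
    password server = ttndc3
    max xmit = 65535
    socket options = TCP_NODELAY IPTOS_LOWDELAY
    ldap ssl = no
    oplocks = no
"""

SUGGESTED = """
[global]
    workgroup = HSHHP
    security = ADS
    realm = HSHHP.COM
    idmap backend = rid:HSHHP:1000-10000
    winbind uid = 1000-10000
    winbind gid = 1000-10000
    socket options = TCP_NODELAY IPTOS_LOWDELAY
    oplocks = no
"""

if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(f"== {label}")
        for sev, msg in lint_ad_member(conf) or [("ok", "no findings")]:
            print(f"  [{sev}] {msg}")
```

Run it against your own smb.conf with `lint_ad_member(open("/usr/local/samba/lib/smb.conf").read())`. It only checks the file; the join itself is still `net ads join -U Administrator` followed by `wbinfo -t` (verifies the machine trust secret) and `wbinfo -u` (lists domain users through winbind). After the join, the machine account password lives in secrets.tdb under `private dir`, so that directory must stay root-only, exactly as the quoted tutorial does for the smbpasswd file it replaces.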