[Samba] password authentification

Dale Schroeder dale at BriannasSaladDressing.com
Mon Jun 8 19:15:08 GMT 2009


I don't know AIX, but I do know you will have to configure kerberos on 
your system.

Since this is AD, it is better to set security to ADS.
    security = ADS
Add your realm
    realm = hshhp.com (or whatever it is)
You can use the default idmap backend, but this is better
    idmap backend = rid:HSHHP:1000-10000 (or whatever #'s you choose)
    winbind uid = 1000-10000
    winbind gid = 1000-10000

I found an AIX tutorial for Samba/AD.  You will have to determine how 
much of it applies to you.
http://stgwiki.com/index.php/AIX_Samba_AD
This is as step-by-step as I could find.

Dale


BeefStu BeefStu wrote:
> Since I am totally lost, can somebody please walk me through this? My 
> goal is to use AD to do password
> authentication and NOT need a password file within Samba. The 
> reason is that we have a policy that
> our domain passwords expire every 60 days and I don't want to keep 2 
> password files in sync. 
>  
> I am currently running Samba on an AIX 5.3 machine.
> # uname -a
> AIX diamond 3 5 000C86CF4C00
>  
> This is what I think I need in my smb.conf file in order to use AD 
> for password validation.
> Is this okay? Am I missing some settings?
>  
> [global]
>         workgroup = HSHHP
>         security = DOMAIN
>         auth methods = ntdomain
>         password server = ttndc3
>         max xmit = 65535
>         socket options = TCP_NODELAY IPTOS_LOWDELAY
>         ldap ssl = no
>         oplocks = no
>
> Assume that this is all I have set up so far, what next? In the email 
> below, it mentions winbind? Can I download
> that for AIX 5.3? Does this come with the OS (if so, do I have to 
> install it from a particular module)? I only care about
> AIX since that is where my Samba is running.
>  
> Next, in the article below I see all this talk about Kerberos, do I need 
> that? I was under the impression that Samba had
> Kerberos compiled into its executable. Am I mistaken?
>  
> Basically, what I am looking for is step-by-step instructions or 
> detailed documentation on how to get this to work on AIX.
>
> Thanks to all who answer.
>  
>  
>
>  
> ------------------------------------------------------------------------
> Date: Mon, 8 Jun 2009 12:17:29 -0500
> From: dale at BriannasSaladDressing.com
> To: beefstu350 at hotmail.com
> CC: samba at lists.samba.org
> Subject: Re: [Samba] password authentification
>
> You will need winbind.  Easy to understand 2-part howto for linux/AD 
> following:
> http://www.enterprisenetworkingplanet.com/netos/article.php/3487081
> http://www.enterprisenetworkingplanet.com/netos/article.php/10951_3502441_1
>
> Choose the idmap backend that works for you.  I'm partial to RID.
> http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html
>
> And SWAT is a good way to fine-tune your setup.  There are links to 
> each parameter and what each of them does (if Samba docs are installed).
>
> Good luck,
> Dale
>
>
> BeefStu BeefStu wrote:
>
>     Ed,
>
>      
>
>     Thanks, but I have a few more questions. I took a working example of an smb.conf from another machine and placed this into my smb.conf (see below). This is the only thing I did on the UNIX end.
>
>      
>
>     To use AD for password verification, I will follow your directions below, 
>
>     but is there anything else I need to do on the UNIX end?
>
>      
>
>     What I am trying to say is, how will Samba get the password now if there is no password file? I know it will get it from AD, but can you take me through step by step as to what happens? 
>
>      
>
>     Let's assume I want to map a drive. By doing a join, does Samba actually go into AD with my login (it must be cached somehow, right) and look up my password?
>
>      
>
>     Current working version
>
>      [global]
>             workgroup = hshhp
>             server string = Samba 3.0.4.0
>             smb passwd file = /var/samba/private/smbpasswd
>             log file = /usr/local/samba/var/log.%m
>             mangle case = Yes
>
>
>      
>
>     New version
>
>     [global]
>             workgroup = hshhp
>             security = DOMAIN
>             auth methods = ntdomain
>             password server = ttndc3
>             max xmit = 65535
>             socket options = TCP_NODELAY IPTOS_LOWDELAY
>             ldap ssl = no
>             oplocks = No
>
>
>     For example, I see things like this (see below) do I need all this?
>
>      
>
>     The smbpasswd File 
>     For security reasons we will place the smbpasswd file in a private directory using the following commands:
>     cd /etc/samba
>     mkdir private
>     cd private
>     touch smbpasswd
>     chmod 600 smbpasswd
>     cd ..
>     chmod 500 private
>
>     Now we will add a dummy entry to the smbpasswd file. To do this, first create a user account for yourself on the Linux server [unless one already exists], then execute the following commands:
>     cd /etc/samba/private
>     cat /etc/passwd | mksmbpasswd.sh  > smbpasswd
>
>     Setting up winbind?  
>
>      
>
>
>     From: samba at nedharvey.com
>     To: beefstu350 at hotmail.com; samba at lists.samba.org
>     Date: Sat, 6 Jun 2009 07:03:54 -0400
>     Subject: RE: [Samba] password authentification
>
>
>
>
>
>       
>
>         I am trying to setup samba so that it uses the password from my AD
>         instead of having a password file in SAMBA.
>
>         Can somebody tell me what I have to do on the windows 2003 side to make
>
>         this work. I am guessing I have to set up a Samba acct in AD but not too
>         sure. Can somebody please verify and maybe send me a screen print.
>             
>
>      
>     There are a million and one ways to do what you're trying to do.  The simplest way that I know of - you don't need to do anything on the Windows side.  You join the domain with the samba server, and that will create a computer account in AD for you, just as if you were joining AD with some windows laptop.  Here's how I do that on my systems:
>      
>     I don't mess with the smb.conf file.  I admin the whole thing via SWAT, as follows:
>     1.  Enable SWAT.  Browse to http://localhost:901  (note: by default in the xinetd.d config, this interface is only enabled for localhost; by default you can’t browse to this web interface across the network; you must use localhost or change the xinetd.d config)
>     2.  Go to Wizard.
>     a.  Server type:  Domain member
>     b.  Commit
>     3.  Edit Parameter Values
>     a.  Workgroup:  MYDOMAIN
>     b.  Realm:      MYDOMAIN.COM     (all caps)
>     c.  Commit changes
>     4.  Go to the command prompt.
>     net join -w MYDOMAIN -U administrator
>     (It’s normal to get an error, as long as it says “joined” in the end and the computer account was created in AD)
>     5.  Restart samba
>
>       
>
>

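Added example, not part of the thread and not Samba's own tooling: a small POSIX-shell pre-flight check that runs the three smb.conf variants discussed above (the poster's security = DOMAIN proposal, the ADS reply with its "winbid uid" typo, and the corrected version) against what an AD domain member needs before anyone tries "net ads join". The domain HSHHP, realm hshhp.com, password server ttndc3 and the 1000-10000 idmap ranges are the thread's values; the "winbind use default domain", "template shell" lines, the join user name and "someuser" are assumptions. The join/verify function at the end lists real Samba commands but is not invoked, since it needs a live DC.

```shell
#!/bin/sh
# Added example (not from the thread, not Samba's own tooling): a pre-flight
# check for an smb.conf meant to make Samba an AD domain member, run against
# the three configs discussed in the thread. HSHHP / hshhp.com / ttndc3 are the
# poster's values; the idmap ranges are the reply's; everything else is assumed.

# conf_has FILE KEY_REGEX VALUE_REGEX: succeed if FILE sets a key matching
# KEY_REGEX to a value matching VALUE_REGEX (case-insensitive, as Samba is).
conf_has() {
    grep -E -i -q "^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3" "$1"
}

# check_member_conf FILE: print what is missing for an ADS member; return 0
# only if nothing is missing. Also warns about a setting usually left alone.
check_member_conf() {
    conf="$1"; rc=0
    conf_has "$conf" 'security' 'ads' \
        || { echo "$conf: missing 'security = ADS'"; rc=1; }
    conf_has "$conf" 'realm' '[A-Za-z0-9.-]+' \
        || { echo "$conf: missing 'realm = <AD DNS domain>'"; rc=1; }
    conf_has "$conf" 'workgroup' '[A-Za-z0-9_-]+' \
        || { echo "$conf: missing 'workgroup = <NetBIOS domain>'"; rc=1; }
    conf_has "$conf" 'idmap (backend|config[^=]*backend)' '' \
        || { echo "$conf: no idmap backend (winbind cannot map SIDs to uids)"; rc=1; }
    # uid/gid ranges: the Samba 3.0 spelling is 'winbind uid', later 'idmap uid'
    conf_has "$conf" '(winbind|idmap) uid' '[0-9]+[[:space:]]*-[[:space:]]*[0-9]+' \
        || { echo "$conf: missing or misspelt uid range ('winbind uid = low-high')"; rc=1; }
    conf_has "$conf" '(winbind|idmap) gid' '[0-9]+[[:space:]]*-[[:space:]]*[0-9]+' \
        || { echo "$conf: missing or misspelt gid range ('winbind gid = low-high')"; rc=1; }
    # not fatal, but 'security' already selects the authentication method;
    # hand-setting 'auth methods' is a common source of odd failures
    if conf_has "$conf" 'auth methods' ''; then
        echo "$conf: warning: 'auth methods' set by hand; leave it to 'security'"
    fi
    return $rc
}

work=$(mktemp -d)

# (1) the poster's proposal: security = DOMAIN (NT4-style), no realm, no idmap
cat >"$work/smb.conf.domain" <<'EOF'
[global]
        workgroup = HSHHP
        security = DOMAIN
        auth methods = ntdomain
        password server = ttndc3
EOF

# (2) the ADS config from the reply, with its typo ('winbid uid') left in
cat >"$work/smb.conf.typo" <<'EOF'
[global]
        workgroup = HSHHP
        security = ADS
        realm = hshhp.com
        idmap backend = rid:HSHHP:1000-10000
        winbid uid = 1000-10000
        winbind gid = 1000-10000
EOF

# (3) the same with the typo fixed; the last two lines are assumed extras
cat >"$work/smb.conf.ok" <<'EOF'
[global]
        workgroup = HSHHP
        security = ADS
        realm = hshhp.com
        idmap backend = rid:HSHHP:1000-10000
        winbind uid = 1000-10000
        winbind gid = 1000-10000
        winbind use default domain = yes
        template shell = /bin/sh
EOF

for f in "$work"/smb.conf.*; do
    if check_member_conf "$f"; then echo "$f: ok"; fi
done

# Once the check passes: join, then prove winbind talks to the DC. Real Samba
# commands, not run here (they need the DC, a krb5.conf for the realm, clocks
# in sync with the DC, and winbind wired into the OS name service).
ads_join_and_verify() {
    net ads join -U administrator   # creates the computer account in AD
    wbinfo -t                       # checks the machine-account trust secret
    wbinfo -u | head                # lists AD users through winbind
    getent passwd someuser          # resolves an AD user via the name service
}
```

Only the corrected file passes; the DOMAIN proposal is flagged for the missing realm and idmap settings (and warned about "auth methods"), and the typo file is flagged for the misspelt uid range that a running Samba would otherwise silently ignore.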
