[Samba] password authentification
William Jojo
w.jojo at hvcc.edu
Mon Jun 8 19:31:41 GMT 2009
Dale Schroeder wrote:
> I don't know AIX, but I do know you will have to configure kerberos on
> your system.
>
> Since this is AD, it is better to set security to ADS.
> security = ADS
> Add your realm
> realm = hshhp.com (or whatever it is)
> You can use the default idmap backend, but this is better
> idmap backend = rid:HSHHP:1000-10000 (or whatever #'s you choose)
> winbind uid = 1000-10000
> winbind gid = 1000-10000
>
> I found an AIX tutorial for Samba/AD. You will have to determine how
> much of it applies to you.
> http://stgwiki.com/index.php/AIX_Samba_AD
> This is as step-by-step as I could find.
>
Those notes are actually pretty good. I just ran through them, but it
all depends on what BeefStu needs.
Also, you can get more recent bundles (3.2.11 or 3.3.4) from:
http://pware.hvcc.edu/download/aix53/bundles/samba/
Cheers,
Bill
> Dale
>
>
> BeefStu BeefStu wrote:
>> Since I am totally lost can somebody please walk me through this? My
>> goal is to use AD to do password
>> authentication and NOT need a password file within SAMBA. The
>> reason being is we have a policy that
>> our domain password expires every 60 days and I don't want to keep 2
>> passwords files in sync.
>> I am currently running samba on an AIX 5.3 machine.
>> # uname -a
>> AIX diamond 3 5 000C86CF4C00
>>
>> This is what I think I need in my smb.conf file in order to use
>> AD for password validation.
>> Is this okay? Am I missing some settings?
>>
>> [global]
>> workgroup = HSHHP
>> security = DOMAIN
>> auth methods = ntdomain
>> password server = ttndc3
>> max xmit = 65535
>> socket options = TCP_NODELAY IPTOS_LOWDELAY
>> ldap ssl = no
>> oplocks = no
>>
>> Assume that this is all I have setup so far, what next? In the email
>> below, it mentions winbind? Can I download
>> that for AIX 5.3, does this come with the OS (if so do I have to
>> install it from a particular module). I only care about
>> AIX since that is where my SAMBA is running.
>>
>> Next, in the article below I see all this talk about Kerberos, do I
>> need that? I was under the impression that samba had
>> Kerberos compiled into its executable. Am I mistaken?
>>
>> Basically, what I am looking for is a step by step instruction or
>> detailed documentation on how to get this to work on AIX.
>>
>> Thanks to all who answer.
>>
>>
>>
>>
>> ------------------------------------------------------------------------
>> Date: Mon, 8 Jun 2009 12:17:29 -0500
>> From: dale at BriannasSaladDressing.com
>> To: beefstu350 at hotmail.com
>> CC: samba at lists.samba.org
>> Subject: Re: [Samba] password authentification
>>
>> You will need winbind. Easy to understand 2-part howto for linux/AD
>> following:
>> http://www.enterprisenetworkingplanet.com/netos/article.php/3487081
>> http://www.enterprisenetworkingplanet.com/netos/article.php/10951_3502441_1
>>
>>
>> Choose the idmap backend that works for you. I'm partial to RID.
>> http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html
>>
>> And SWAT is a good way to fine-tune your setup. There are links to
>> each parameter and what each of them does (if Samba docs are installed).
>>
>> Good luck,
>> Dale
>>
>>
>> BeefStu BeefStu wrote:
>>
>> Ed,
>>
>>
>> Thanks, but I have a few more questions. I took a working example
>> of a smb.conf from another machine and placed this into my smb.conf
>> (see below in red). This is the only thing I did on the UNIX end.
>>
>>
>> To use AD for password verification, I will follow your
>> directions below,
>> but is there anything else I need to do on the UNIX end?
>>
>>
>> What I am trying to say, is how will samba get the password now
>> if there is no password file. I know it will get it from AD, but can
>> you take me through step by step as to what happens.
>>
>> Let's assume I want to map a drive. By doing a join does samba
>> actually go into AD with my login (it must be cached somehow right)
>> and look up my password?
>>
>>
>> Current working version
>>
>> [global]
>> workgroup = hshhp
>> server string = Samba 3.0.4.0
>> smb passwd file = /var/samba/private/smbpasswd
>> log file = /usr/local/samba/var/log.%m
>> mangle case = Yes
>>
>>
>>
>> New version
>>
>> [global]
>> workgroup = hshhp
>> security = DOMAIN
>> auth methods = ntdomain
>> password server = ttndc3
>> max xmit = 65535
>> socket options = TCP_NODELAY IPTOS_LOWDELAY
>> ldap ssl = no
>> oplocks = No
>>
>>
>> For example, I see things like this (see below) do I need all this?
>>
>>
>> The smbpasswd File
>>
>> For security reasons we will place the
>> smbpasswd file in a private directory using the following commands:
>> cd /etc/samba
>> mkdir private
>> cd private
>> touch smbpasswd
>> chmod 600 smbpasswd
>> cd ..
>> chmod 500 private
>>
>> Now we will add a dummy entry to the smbpasswd file. To do this,
>> first create a user account for yourself on the Linux server [unless
>> one already exists], then execute the following commands:
>> cd /etc/samba/private
>> cat /etc/passwd | mksmbpasswd.sh > smbpasswd
>>
>> Setting up winbind?
>>
>>
>> From: samba at nedharvey.com
>> To: beefstu350 at hotmail.com; samba at lists.samba.org
>> Date: Sat, 6 Jun 2009 07:03:54 -0400
>> Subject: RE: [Samba] password authentification
>>
>>
>>
>>
>>
>>
>> I am trying to setup samba so that it uses the password from
>> my AD
>> instead of having a password file in SAMBA.
>>
>> Can somebody tell me what I have to do on the windows 2003
>> side to make
>>
>> this work. I am guessing I have to setup a samba acct in AD
>> but not too
>> sure. Can somebody please verify and maybe send me a screen
>> print.
>>
>> There are a million and one ways to do what you're trying to
>> do. The simplest way that I know of - you don't need to do anything
>> on the Windows side. You join the domain with the samba server, and
>> that will create a computer account in AD for you, just as if you
>> were joining AD with some windows laptop. Here's how I do that on my
>> systems:
>> I don't mess with the smb.conf file. I admin the whole
>> thing via SWAT, as follows:
>> 1. Enable SWAT. Browse to http://localhost:901
>> (note: by default in the xinetd.d config,
>> this interface is only enabled for localhost; by default you can’t
>> browse to this web interface across the network; you must use
>> localhost or change the xinetd.d config)
>> 2. Go to Wizard.
>> a. Server type: Domain member
>> b. Commit
>> 3. Edit Parameter Values
>> a. Workgroup: MYDOMAIN
>> b. Realm: MYDOMAIN.COM (all caps)
>> c. Commit changes
>> 4. Go to the command prompt.
>> net join -w MYDOMAIN -U administrator
>> (It’s normal to get an error, as long as it says “joined” in the
>> end and the computer account was created in AD)
>> 5. Restart samba
>>
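
The settings recommended in this thread (security = ADS, a realm, and winbind uid/gid ranges), checked against the [global] section BeefStu posted. This is an added example, not part of the original messages; the function names and the revised sample are constructed for illustration, and the upper-case realm value is an assumption based on the "all caps" note in the SWAT steps.

```python
import re

# Constructed input: the [global] section BeefStu posted (abridged).
POSTED = """\
[global]
workgroup = HSHHP
security = DOMAIN
auth methods = ntdomain
password server = ttndc3
ldap ssl = no
"""

# Constructed input: the same section with the lines suggested in the thread.
REVISED = """\
[global]
workgroup = HSHHP
security = ADS
realm = HSHHP.COM
idmap backend = rid:HSHHP:1000-10000
winbind uid = 1000-10000
winbind gid = 1000-10000
"""

def parse_global(text):
    """Return [global] parameters; names lower-cased, inner whitespace collapsed."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[" ".join(name.lower().split())] = value.strip()
    return params

def review(text):
    """List which of the thread's recommendations a config still lacks."""
    p, findings = parse_global(text), []
    if p.get("security", "").lower() != "ads":
        findings.append("security is not ADS")
    if "realm" not in p:
        findings.append("realm is not set")
    for kind in ("uid", "gid"):
        # Samba 3 documents "idmap uid/gid"; "winbind uid/gid" are synonyms.
        rng = p.get("idmap " + kind) or p.get("winbind " + kind, "")
        if not re.fullmatch(r"\d+\s*-\s*\d+", rng):
            findings.append("no %s range for winbind" % kind)
    if "smb passwd file" in p:
        findings.append("smb passwd file is still configured")
    return findings
```

This is a static check of the file only; it does not confirm that the domain join or Kerberos setup succeeded.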