[Samba] password authentification

BeefStu BeefStu beefstu350 at hotmail.com
Mon Jun 8 19:56:18 GMT 2009


Guys,

Thanks for your input. I am just trying to keep this as simple as possible.

As mentioned, the setup I see now is bush-league where I have to keep track of a user's password in (domain and within samba). I just want to be able to tell SAMBA to use my password server and eliminate the need to keep passwords within SAMBA. That sounds straightforward, right? At least I hope it does.

Being a novice with SAMBA (just started googling it Friday) I did not realize all the pieces involved: SAMBA, Kerberos, winbind, AD .... I will follow the directions and see where it takes me. Any other comments, if you have them, would be greatly appreciated.

Thanks for all your input

Stuart
 
> Date: Mon, 8 Jun 2009 15:31:41 -0400
> From: w.jojo at hvcc.edu
> To: dale at BriannasSaladDressing.com
> CC: beefstu350 at hotmail.com; samba at lists.samba.org
> Subject: Re: [Samba] password authentification
> 
> Dale Schroeder wrote:
> > I don't know AIX, but I do know you will have to configure kerberos on 
> > your system.
> >
> > Since this is AD, it is better to set security to ADS.
> > security = ADS
> > Add your realm
> > realm = hshhp.com (or whatever it is)
> > You can use the default idmap backend, but this is better
> > idmap backend = rid:HSHHP:1000-10000 (or whatever #'s you choose)
> > winbind uid = 1000-10000
> > winbind gid = 1000-10000
> >
> > I found an AIX tutorial for Samba/AD. You will have to determine how 
> > much of it applies to you.
> > http://stgwiki.com/index.php/AIX_Samba_AD
> > This is as step-by-step as I could find.
> >
> 
> Those notes are actually pretty good. I just ran through them, but it 
> all depends on what BeefStu needs.
> 
> Also, you can get more recent bundles (3.2.11 or 3.3.4) from:
> 
> http://pware.hvcc.edu/download/aix53/bundles/samba/
> 
> 
> Cheers,
> Bill
> 
> 
> > Dale
> >
> >
> > BeefStu BeefStu wrote:
> >> Since I am totally lost can somebody please walk me through this? My 
> >> goal is to use AD to do password
> >> authentication and NOT need a password file within SAMBA. The 
> >> reason being is we have a policy that
> >> our domain password expires every 60 days and I don't want to keep 2 
> >> password files in sync. 
> >> I am currently running samba on an AIX 5.3 machine.
> >> # uname -a
> >> AIX diamond 3 5 000C86CF4C00
> >> 
> >> This is what I think I need in my smb.conf file in order to use 
> >> AD for password validation.
> >> Is this okay? Am I missing some settings?
> >> 
> >> [global]
> >> workgroup = HSHHP
> >> security = DOMAIN
> >> auth methods = ntdomain
> >> password server = ttndc3
> >> max xmit = 65535
> >> socket options = TCP_NODELAY IPTOS_LOWDELAY
> >> ldap ssl = no
> >> oplocks = no
> >>
> >> Assume that this is all I have set up so far, what next? In the email 
> >> below, it mentions winbind? Can I download
> >> that for AIX 5.3, does this come with the OS (if so do I have to 
> >> install it from a particular module). I only care about
> >> AIX since that is where my SAMBA is running.
> >> 
> >> Next, in the article below I see all this talk about Kerberos, do I 
> >> need that? I was under the impression that samba had
> >> Kerberos compiled into its executable. Am I mistaken?
> >> 
> >> Basically, what I am looking for is step-by-step instructions or 
> >> detailed documentation on how to get this to work on AIX.
> >>
> >> Thanks to all who answer.
> >> 
> >> 
> >>
> >> 
> >> ------------------------------------------------------------------------
> >> Date: Mon, 8 Jun 2009 12:17:29 -0500
> >> From: dale at BriannasSaladDressing.com
> >> To: beefstu350 at hotmail.com
> >> CC: samba at lists.samba.org
> >> Subject: Re: [Samba] password authentification
> >>
> >> You will need winbind. Easy to understand 2-part howto for linux/AD 
> >> following:
> >> http://www.enterprisenetworkingplanet.com/netos/article.php/3487081
> >> http://www.enterprisenetworkingplanet.com/netos/article.php/10951_3502441_1 
> >>
> >>
> >> Choose the idmap backend that works for you. I'm partial to RID.
> >> http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html
> >>
> >> And SWAT is a good way to fine-tune your setup. There are links to 
> >> each parameter and what each of them does (if Samba docs are installed).
> >>
> >> Good luck,
> >> Dale
> >>
> >>
> >> BeefStu BeefStu wrote:
> >>
> >> Ed,
> >>
> >> 
> >> Thanks, but I have a few more questions. I took a working example 
> >> of a smb.conf from another machine and placed this into my smb.conf 
> >> (see below in red). This is the only thing I did on the UNIX end.
> >>
> >> 
> >> To use AD for password verification, I will follow your 
> >> directions below,
> >> but is there anything else I need to do on the UNIX end?
> >>
> >> 
> >> What I am trying to say, is how will samba get the password now 
> >> if there is no password file. I know it will get it from AD, but can 
> >> you take me through step by step as to what happens.
> >> 
> >> Let's assume I want to map a drive. By doing a join does samba 
> >> actually go into AD with my login (it must be cached somehow, right) 
> >> and look up my password?
> >>
> >> 
> >> Current working version
> >>
> >> [global]
> >> workgroup = hshhp
> >> server string = Samba 3.0.4.0
> >> smb passwd file = /var/samba/private/smbpasswd
> >> log file = /usr/local/samba/var/log.%m
> >> mangle case = Yes
> >>
> >>
> >> 
> >> New version
> >>
> >> [global]
> >> workgroup = hshhp
> >> security = DOMAIN
> >> auth methods = ntdomain
> >> password server = ttndc3
> >> max xmit = 65535
> >> socket options = TCP_NODELAY IPTOS_LOWDELAY
> >> ldap ssl = no
> >> oplocks = No
> >>
> >>
> >> For example, I see things like this (see below) do I need all this?
> >>
> >> 
> >> The smbpasswd File
> >> For security reasons we will place the 
> >> smbpasswd file in a private directory using the following commands: 
> >> cd /etc/samba
> >> mkdir private
> >> cd private
> >> touch smbpasswd
> >> chmod 600 smbpasswd
> >> cd ..
> >> chmod 500 private
> >>
> >> Now we will add a dummy entry to the smbpasswd file. To do this, 
> >> first create a user account for yourself on the Linux server [unless 
> >> one already exists], then execute the following commands:
> >> cd /etc/samba/private
> >> cat /etc/passwd | mksmbpasswd.sh > smbpasswd
> >>
> >> Setting up winbind?
> >> 
> >>
> >> From: samba at nedharvey.com
> >> To: beefstu350 at hotmail.com; samba at lists.samba.org
> >> Date: Sat, 6 Jun 2009 07:03:54 -0400
> >> Subject: RE: [Samba] password authentification
> >>
> >>
> >>
> >>
> >>
> >> 
> >> I am trying to setup samba so that it uses the password from 
> >> my AD
> >> instead of having a password file in SAMBA.
> >>
> >> Can somebody tell me what I have to do on the windows 2003 
> >> side to make
> >>
> >> this work. I am guessing I have to set up a samba acct in AD 
> >> but not too
> >> sure. Can somebody please verify and maybe send me a screen 
> >> print.
> >> 
> >> There are a million and one ways to do what you're trying to 
> >> do. The simplest way that I know of - you don't need to do anything 
> >> on the Windows side. You join the domain with the samba server, and 
> >> that will create a computer account in AD for you, just as if you 
> >> were joining AD with some windows laptop. Here's how I do that on my 
> >> systems:
> >> I don't mess with the smb.conf file. I admin the whole 
> >> thing via SWAT, as follows:
> >> 1. Enable SWAT. Browse to http://localhost:901 
> >> (note: by default in the xinetd.d config, 
> >> this interface is only enabled for localhost; by default you can't 
> >> browse to this web interface across the network; you must use 
> >> localhost or change the xinetd.d config)
> >> 2. Go to Wizard.
> >> a. Server type: Domain member
> >> b. Commit
> >> 3. Edit Parameter Values
> >> a. Workgroup: MYDOMAIN
> >> b. Realm: MYDOMAIN.COM (all caps)
> >> c. Commit changes
> >> 4. Go to the command prompt.
> >> net join -w MYDOMAIN -U administrator
> >> (It’s normal to get an error, as long as it says “joined” in the 
> >> end and the computer account was created in AD)
> >> 5. Restart samba
> >>
> >> 
> >>
> >>
> 
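
Added example, not part of the original thread and not Samba's own code: a small checker that parses the `[global]` section of an smb.conf the way Samba reads parameter names (case and whitespace ignored) and lists where it differs from the AD-member settings suggested in the replies. The function names and the `SUGGESTED` sample are constructed for illustration; `POSTED` is the first lines of the poster's "New version".

```python
import re

# Samba 3.x accepts either spelling for the winbind id ranges.
RANGE_KEYS = {"uid": {"idmapuid", "winbinduid"}, "gid": {"idmapgid", "winbindgid"}}

def parse_global(text):
    """Return the [global] parameters of an smb.conf as a dict."""
    # smb.conf ignores case and whitespace in parameter names, so keys are
    # normalised ("Smb Passwd File" -> "smbpasswdfile").
    params, section = {}, None
    text = re.sub(r"\\\r?\n", " ", text)  # trailing backslash continues a line
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params["".join(key.split()).lower()] = value.strip()
    return params

def audit_member_config(text):
    """List where a config differs from the AD-member setup in the thread."""
    p, findings = parse_global(text), []
    security = p.get("security", "unset").lower()
    if security != "ads":
        findings.append("security is %s, not ADS" % security)
    elif not p.get("realm"):
        findings.append("security = ADS but realm is not set")
    for kind, keys in RANGE_KEYS.items():
        if not p.keys() & keys:
            findings.append("no %s range for winbind" % kind)
    if "smbpasswdfile" in p:  # the local password file the poster wants gone
        findings.append("smb passwd file is still configured")
    return findings

# First lines of the poster's "New version", copied from the thread.
POSTED = """[global]
workgroup = hshhp
security = DOMAIN
auth methods = ntdomain
password server = ttndc3
"""
# Constructed sample using the values suggested in the reply.
SUGGESTED = """[global]
security = ADS
realm = hshhp.com
Winbind UID = 1000-10000
winbind gid = 1000-10000
"""
```

Calling `audit_member_config(POSTED)` reports the `security` mode and the missing uid/gid ranges; `audit_member_config(SUGGESTED)` returns an empty list.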


