[Samba] RE: password authentification

Edward Ned Harvey samba at nedharvey.com
Mon Jun 8 20:04:47 GMT 2009

A tough question.  "I know the pass comes from AD, but what exactly


I normally configure my systems to use Kerberos, so users can ssh into the
linux machine before I configure samba, and kerberos is doing the
authentication to AD; however, when I do the "net join" it says Kerberos
failed and falling back to RPC.  I am not sure if there's some
authentication protocol that goes across RPC (such as NTLM, or something
built into RPC itself), so it's possible that authentication of my samba
server might not be using Kerberos.  I'm really not sure.


Protocol aside, this much I can say for sure:


When you do the "net join" you must enter a domain administrator password
one time.  This password is not saved or cached on the samba server
anywhere.  This process creates a "computer" object in AD, and in case you
didn't know it, a computer object is very similar to a user object.  All
your computer objects have unique identifiers and keys similar to passwords
but more secure.  It is, as you know, necessary to join a computer onto the
domain before that computer is able to query the domain server for user
authentication.  Once joined, the computer never needs to rejoin, and there
is no further need for the domain admin pass.  From now on, the computer can
uniquely and securely identify itself to the AD server, and when a user
tries to access your samba server, the user's Kerberos keys (or encrypted
password) will be presented to the AD server for authentication.





From: BeefStu BeefStu [mailto:beefstu350 at hotmail.com] 
Sent: Monday, June 08, 2009 9:25 AM
To: Edward Ned Harvey; samba at lists.samba.org
Subject: password authentification


Thanks, but I have a few more questions. I took a working example of a
smb.conf from another machine and placed this into my smb.cnf (see below in
red). This is the only thing I did on the UNIX end.
To use AD for password verification, I will follow your directions below, 
but is there anything else I need to do on the UNIX end?
What I am trying to say, is how will samba get the password now if there is
no password file. I know it will get it from AD, but can you take me through
step by step as to what happens. 
Let's assume I want to map a drive. By doing a join does samba actually go
into AD with my login (it must be cached somehow right) and look up my

Current working version
        workgroup = hshhp
        server string = Samba
        smb passwd file = /var/samba/private/smbpasswd
        log file = /usr/local/samba/var/log.%m
        mangle case = Yes

New version
        workgroup = hshhp
        security = DOMAIN
        auth methods = ntdomain
        password server = ttndc3
        max xmit = 65535
        socket options = TCP_NODELAY IPTOS_LOWDELAY
        ldap ssl = no
        oplocks = No

For example, I see things like this (see below) do I need all this?

The smbpasswd File 

For security reasons we will place the smbpasswd file in a private directory
using the following commands: 

cd /etc/samba
mkdir private
cd private
touch smbpasswd
chmod 600 smbpasswd
cd ..
chmod 500 private

Now we will add a dummy entry to the smbpasswd file. To do this, first
create a user account for yourself on the Linux server [unless one already
exists], then execute the following commands: 

cd /etc/samba/private
cat /etc/passwd | mksmbpasswd.sh  > smbpasswd
Setting up winbind?
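
Added example, not part of this thread and not Samba's own code: a short
Python script that parses the two smb.conf fragments quoted above (embedded
as constructed sample input, wrapped in the [global] section they belong
to) and reports where a connecting user's password will actually be
checked. It makes concrete the point in the reply at the top of this
message: with security = DOMAIN the server keeps no password to look up,
it forwards the NTLM challenge/response to the domain controller named in
"password server" over the netlogon RPC pipe, while security = ADS (with a
realm) is the mode that brings Kerberos into play. It also flags what the
domain-member config still needs, namely a Unix identity for each domain
user (local accounts or winbindd), which is the part the "Setting up
winbind?" question is really about. The function names are my own.

```python
import re

# Constructed sample input: the two smb.conf fragments quoted in the thread,
# wrapped in the [global] section they belong to.
OLD_CONF = """[global]
        workgroup = hshhp
        server string = Samba
        smb passwd file = /var/samba/private/smbpasswd
        log file = /usr/local/samba/var/log.%m
        mangle case = Yes
"""

NEW_CONF = """[global]
        workgroup = hshhp
        security = DOMAIN
        auth methods = ntdomain
        password server = ttndc3
        max xmit = 65535
        socket options = TCP_NODELAY IPTOS_LOWDELAY
        ldap ssl = no
        oplocks = No
"""


def parse_smb_conf(text):
    """Return the [global] parameters as a dict with normalised keys.

    Samba treats parameter names case-insensitively and ignores the amount
    of whitespace inside them, so keys are lower-cased and whitespace-
    collapsed here to match.
    """
    params = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue                      # blank line or comment
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[" ".join(key.lower().split())] = value.strip()
    return params


def auth_path(params):
    """Describe where a connecting user's credentials are checked."""
    security = params.get("security", "user").lower()
    if security == "ads":
        return {"mode": "ads",
                "checked_by": "a domain controller located via DNS/realm",
                "protocol": "Kerberos, with NTLM fallback"}
    if security == "domain":
        return {"mode": "domain",
                "checked_by": params.get("password server", "*"),
                "protocol": "NTLM pass-through over the netlogon RPC pipe"}
    # security = user is the default: the local passdb (smbpasswd, tdbsam, ...)
    return {"mode": security, "checked_by": "local passdb",
            "protocol": "local NTLM hash comparison"}


def findings(params):
    """Human-readable observations about the configuration."""
    path = auth_path(params)
    notes = []
    if path["mode"] not in ("domain", "ads"):
        notes.append("security=%s: AD is never consulted; a local password "
                     "database such as smbpasswd is required" % path["mode"])
        return notes
    if "smb passwd file" in params:
        notes.append("'smb passwd file' is not used to verify domain users; "
                     "the DC checks the credentials")
    notes.append("domain users still need a Unix identity: either local "
                 "accounts with matching names or winbindd with idmap")
    if path["mode"] == "domain" and params.get("password server", "*") != "*":
        notes.append("password server is pinned to '%s'; '*' lets Samba locate "
                     "any DC and survive that host being down"
                     % params["password server"])
    if path["mode"] == "ads" and "realm" not in params:
        notes.append("security=ads requires 'realm' (the Kerberos realm, "
                     "usually the DNS domain in upper case)")
    return notes


if __name__ == "__main__":
    for name, conf in (("current", OLD_CONF), ("new", NEW_CONF)):
        params = parse_smb_conf(conf)
        print("%s: %s" % (name, auth_path(params)))
        for note in findings(params):
            print("  -", note)
```

Run it as-is to see the report for both fragments, or feed the contents of a
real smb.conf to parse_smb_conf to check another box. Only the [global]
section is examined; share-level settings do not change where passwords are
verified.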



From: samba at nedharvey.com
To: beefstu350 at hotmail.com; samba at lists.samba.org
Date: Sat, 6 Jun 2009 07:03:54 -0400
Subject: RE: [Samba] password authentification

> I am trying to setup samba so that it uses the password from my AD
> instead of having a password file in SAMBA.
>
> Can somebody tell me what I have to do on the windows 2003 side to make
> this work. I am guessing I have to setup a samba acct in AD but not too
> sure. Can somebody please verify and maybe send me a screen print.


There are a million and one ways to do what you're trying to do.  The
simplest way that I know of - you don't need to do anything on the Windows
side.  You join the domain with the samba server, and that will create a
computer account in AD for you, just as if you were joining AD with some
windows laptop.  Here's how I do that on my systems:


I don't mess with the smb.conf file.  I admin the whole thing via SWAT, as

1.  Enable SWAT.  Browse to http://localhost:901
(note: by default in the xinetd.d config, this interface is only enabled for
localhost; by default you can't browse to this web interface across the
network; you must use localhost or change the xinetd.d config)

2.  Go to Wizard.

a.  Server type:  Domain member

b.  Commit

3.  Edit Parameter Values

a.  Workgroup:  MYDOMAIN

b.  Realm:      MYDOMAIN.COM     (all caps)

c.  Commit changes

4.  Go to the command prompt.
net join -w MYDOMAIN -U administrator
(It's normal to get an error, as long as it says "joined" in the end and the
computer account was created in AD)

5.  Restart samba


