[Samba] How samba and active directory works

Uri Simchoni uri_simchoni at hotmail.com
Thu Mar 26 20:13:08 GMT 2009



I'm trying to figure out how the various components in a linux machine interact when a samba server serves clients in an active directory. Is there a technical explanation somewhere? The picture I have so far is:

- During initialization, smbd reads the access lists for each share. The lists are defined in terms of "DOMAIN\user" or "+DOMAIN\group". smbd uses glibc calls (getpwent() and friends) to convert these to UID/GID. The glibc routines use the nsswitch, which, in turn, uses winbindd. Winbindd can use its local tdb engine or use ldap to retrieve this info from a remote server.

- the client connects to smbd and authenticates with the Kerberos gssapi libraries. If successful, the output of this process is a string "DOMAIN\user", identifying the user.

- smbd now has to enumerate the groups the user is a member of, to see if any of them matches the access list for the share, and also in general, to assume the identity of the client. It uses "getpwent and friends", which, again, use winbindd. Winbindd has to call ldap in order to get the list of groups (strings of the form "DOMAIN\group"). It uses Kerberos to authenticate to the ldap server. It also has to convert them to GID's - which it may do either by means of the local tdb file or by consulting the ldap server.


Is this remotely correct? how are the SIDs come into play versus the principal names?





More than messages–check out the rest of the Windows Live™.

More information about the samba mailing list