[Samba] Re: Domain Server Problem

jamrock news_jamrock at yahoo.com
Wed May 6 07:51:16 GMT 2009


"Pete Clapham" <peteclapham at sbcglobal.net> wrote in message
news:850942.27310.qm at web80503.mail.mud.yahoo.com...
> Hi --
> I am trying to set up an additional domain server (not PDC or BDC), so
> that students can get to the material on the server. When I type "net use
> w: \\water\archive" (where water is the domain server and archive is a
> share), I invariably get the message that I need to input a user ID and
> password. If I put in my own ID/Password for the server (even though it's
> identical with the ID/password on the PDC) it goes through fine. However,
> if I am logged on to the network as another user and put in his/her
> ID/Password it doesn't work.
>
> My User ID/Password are the only combination on both the PDC and the
> additional server. If I try to log onto the additional server with a User
> ID/Password that's valid on the domain it doesn't work; if I try to log
> onto the additional server with a User ID/Password that's valid on the
> additional server it doesn't work. It would seem that SAMBA is looking at
> the Unix ID/Password on the PDC and the SMBPasswd on the additional
> so far that's mine.
>
> Does this make sense to anybody? And what do I need to do? I do have
> authentication set on the Additional Domain server to DOMAIN. Doesn't this
> mean that SAMBA should be reading both the Unix and SMBPasswd files on the
> PDC?

Perhaps I can shed some light on this.

Samba runs as a service on a Linux box.  In this way it is different from
Windows which is the underlying operating system.

For a user to access a Linux machine and its services, he must have a
username and password on that machine.

One option is to use the /etc/passwd file and another is to use LDAP.
Either way, the Linux box will have to authenticate the user before he can
access the box or its services.

Samba gets around this by mapping the Samba account to the underlying Linux
account.  When you create a Samba user, the corresponding Linux account is
created with the same name.  If LDAP is not being used, the user exists in
the smbpasswd and passwd files.   If LDAP is being used, the Samba and Linux
account information are both stored in a single LDAP record.

This is easy to understand on a PDC since Samba creates both accounts on the
machine.

If you want to access an additional Linux machine, you must add the users to
the file/database against which the machine is authenticating users.  If you are
using LDAP it is easy.  Simply configure the additional machine to
authenticate users against the same LDAP directory that the PDC uses.  As
far as the Linux box is concerned, the user is authorized for access since
his account can be authenticated against a user/password source.

If LDAP is not being used, one needs to find a way to automatically add the
users to the additional Linux box.  One can create add user scripts to
achieve this.

Chapter 7 of Samba by Example explains your options.  Read the entire
chapter.  Pay special attention to the section entitled "NT4/Samba Domain
with Samba Domain Member Server without NSS Support".

It explains how the add user script automatically creates the Linux user
accounts when the users try to gain access to the additional machine.

"The following steps may be followed to implement Samba with support for
local accounts. In this configuration Samba is made a domain member server.
All incoming connections to the Samba server will cause the look-up of the
incoming username. If the account is found, it is used. If the account is
not found, one will be automatically created on the local machine so that it
can then be used for all access controls. "

We used this approach in the Samba 2.x days when LDAP support was not as
extensive as it is today.

I would recommend using LDAP for authenticating against multiple Samba
servers.  It is a much cleaner solution since only a single
username/password source is required.
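An added illustration of the "add user script" approach described in the reply above; this is not code from the thread or from the Samba project. It assumes a Samba domain member server with `security = domain` (joined to the PDC, so password checking happens there) and an smb.conf line of the form `add user script = /usr/local/sbin/samba-adduser.sh '%u'`, where Samba substitutes the incoming username for `%u`. The script path and the function names `valid_username` and `create_local_account` are hypothetical. Because the username comes from the network, the script validates it before handing it to `useradd`, and creates the Unix account without a login shell so that it only serves Samba's access controls.

```shell
#!/bin/sh
# Hypothetical "add user script" wrapper for a Samba domain member server.
# Assumed smb.conf (not from the thread):
#   security = domain
#   add user script = /usr/local/sbin/samba-adduser.sh '%u'
# Samba calls this once per incoming user whose Unix account is missing.

# Accept only names that are safe to pass to useradd: start with a lowercase
# letter or underscore, then lowercase letters, digits, '_', '.', '-';
# at most 32 characters. Anything else (spaces, shell metacharacters,
# path separators) is rejected.
valid_username() {
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -le 32 ] || return 1
    case $name in
        [a-z_]*) ;;
        *) return 1 ;;
    esac
    case $name in
        *[!a-z0-9_.-]*) return 1 ;;
    esac
    # Never let a domain user create or shadow a privileged local account.
    case $name in
        root|daemon|bin|sys|nobody) return 1 ;;
    esac
    return 0
}

# Create the local Unix account only when it does not already exist.
# Returns 0 on success or when the account is already present.
create_local_account() {
    name=$1
    if ! valid_username "$name"; then
        echo "samba-adduser: rejected username" >&2
        return 1
    fi
    if getent passwd "$name" >/dev/null 2>&1; then
        echo "samba-adduser: $name already exists"
        return 0
    fi
    # No home directory, no interactive shell, no local password:
    # the account exists purely so Samba can apply file permissions.
    useradd -M -s /usr/sbin/nologin "$name"
}

# Entry point used by Samba; does nothing when run without an argument.
if [ -n "${1:-}" ]; then
    create_local_account "$1"
fi
```

The script must run as root (Samba invokes the add user script with root privileges), so the validation step is the part worth keeping even if the rest is adapted to a site's own user-management tooling.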
