[Samba] Join an ADS Domain and provide simple password security

Ingo Krabbe ingo.krabbe at eoa.de
Sat Oct 11 04:01:25 MDT 2014


> Why do you need to connect to the domain? If this was known, there may 
> be another way round this.

Living in an office network, there are some services that can be accessed either by a login password or they may be accessed free of exchanging credentials, for all members of a domain. As I use plan9 too, that is completely free of being able to join Windows domains, I share the files using CIFS and the authentication is done through the plan9 factotum authentication agent. So I'm able to use very strange passwords that are not memorable or guessable.

Being a long-term Unix user this concept is a bit strange, as I think of computer systems as multi-user systems, while in the Windows Samba world a "machine" joins the domain.

Anyway, I try to get identified against different services through the domain membership, better than exchanging, caching and storing the same password any time. Services are:

	http/https svn and git repositories
	smtp, pop3, ldap
	maybe some more

regards
ingo krabbe



> On 11/10/14 10:02, Ingo Krabbe wrote:
>> Hi,
>>
>> I'm used to share some files and trees with samba from linux boxes, using simple password security for a few selected accounts, by using `smbpasswd` and `security=user`. Now I sometimes want to enter a domain in my company office network.
>>
>> But I could not use `net ads join` as long as I haven't changed `security=user` to `security=ads`.
>>
>> I'm a bit confused now:
>>
>> I joined a domain with security=ads and started winbindd with this setting. Now I moved my samba configuration back to `security=user` so I can use my local user accounts.
>>
>> Still winbind echoes the domain users and smbtree shows the domain hosts, but the share server now works in another domain, that is local to the system it runs on.
>>
>> Is this configuration valid, or will it fail?
> 
> Probably.
> 
>>
>> What is the idea of joining a domain anyway?
> 
> Centralisation of authentication of users, groups etc. You only need to 
> add users etc in one place and they are available everywhere in the domain.
> 
>>
>> Can I join an ads domain with the linux host and provide 'security = user' shares on the same machine? If yes, how?
> 
> If you join a samba machine to a domain it will look to the domain 
> server for authentication, samba will ignore any local users, so the 
> answer to your question is very probably 'No'. There may be some way of 
> making it work, but it will involve some contorted way of doing things 
> that I am not aware of and will probably be not recommended.
> 
> You originally seemed to be running a 'workgroup'. This is a simple way 
> of sharing directories etc., and the users need to be both Unix and Samba 
> users; when you join a domain, all the users are just 'domain' users. 
> Once you have joined a domain, you can only go back if you stop Samba, 
> remove all the Samba databases, reset smb.conf and then restart Samba; 
> you will then need to re-add all your local users to Samba.
> 
> Why do you need to connect to the domain? If this was known, there may 
> be another way round this.
> 
> Rowland
> 
>> Regards,
>>
>> Ingo Krabbe
>>
>>
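Rowland's answer above draws the line between a standalone `security = user` server and a joined `security = ads` domain member, and warns that going back means resetting smb.conf and clearing the Samba databases. The half-way state Ingo describes (security switched back to user while realm, idmap and winbind settings linger) is easy to spot in smb.conf itself. The script below is an added example, not code from this thread or from the Samba project: it lints the `[global]` section and labels the configuration as standalone, domain-member, mixed, or ads-no-realm. The function names (`smb_global_param`, `smb_global_keys`, `smb_conf_mode`, `write_sample_conf`), the sample workgroup `OFFICE`, the realm `OFFICE.EXAMPLE.COM` and the share path are all made up for the demonstration.

```sh
#!/bin/sh
# Added example, not from the thread and not part of Samba: a small lint for
# smb.conf that reports whether the "security" mode and the domain-member
# settings agree.  Function names, the sample workgroup/realm and the share
# path are invented for the demonstration.

# Print the value of one [global] parameter from smb.conf, or nothing.
# Parameter names are compared case- and whitespace-insensitively, as Samba does.
smb_global_param() {
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | tr -d ' ')
    awk -v want="$want" '
        /^[[:space:]]*[;#]/ { next }                     # comment line
        /^[[:space:]]*\[/ {                              # section header
            insec = ($0 ~ /^[[:space:]]*\[global\][[:space:]]*$/); next
        }
        insec && index($0, "=") {
            key = $0; sub(/=.*/, "", key); gsub(/[[:space:]]/, "", key)
            if (tolower(key) == want) {
                val = $0; sub(/^[^=]*=[[:space:]]*/, "", val)
                sub(/[[:space:]]+$/, "", val)
                print val; exit
            }
        }' "$1"
}

# List every [global] parameter name, lower-cased with whitespace removed.
smb_global_keys() {
    awk '
        /^[[:space:]]*[;#]/ { next }
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[global\][[:space:]]*$/); next }
        insec && index($0, "=") {
            key = $0; sub(/=.*/, "", key); gsub(/[[:space:]]/, "", key)
            print tolower(key)
        }' "$1"
}

# Classify the configuration and print one label:
#   standalone     security = user (Samba's default), no domain-member settings
#   domain-member  security = ads with a realm, as after "net ads join"
#   mixed          security = user but realm / idmap / winbind settings remain,
#                  the half-way state described in the thread
#   ads-no-realm   security = ads without a realm, so the join cannot work
smb_conf_mode() {
    sec=$(smb_global_param "$1" security | tr 'A-Z' 'a-z')
    sec=${sec:-user}
    realm=$(smb_global_param "$1" realm)
    residue=$(smb_global_keys "$1" | grep -Ec '^(idmapconfig|winbind)' || true)
    case "$sec" in
    user)
        if [ -n "$realm" ] || [ "$residue" -gt 0 ]; then
            echo mixed
        else
            echo standalone
        fi ;;
    ads)
        if [ -n "$realm" ]; then echo domain-member; else echo ads-no-realm; fi ;;
    *)
        echo "other:$sec" ;;
    esac
}

# Constructed sample configurations for the three states (made up, not from
# the thread).  $1 = output path, $2 = standalone | domain-member | mixed
write_sample_conf() {
    case "$2" in
    standalone)
        cat > "$1" <<'EOF'
[global]
   workgroup = OFFICE
   security = user
   passdb backend = tdbsam
[share]
   path = /srv/share
   valid users = ingo
EOF
        ;;
    domain-member)
        cat > "$1" <<'EOF'
[global]
   workgroup = OFFICE
   realm = OFFICE.EXAMPLE.COM
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   winbind use default domain = yes
EOF
        ;;
    mixed)
        cat > "$1" <<'EOF'
[global]
   workgroup = OFFICE
   realm = OFFICE.EXAMPLE.COM
   security = user
   idmap config * : backend = tdb
   winbind use default domain = yes
EOF
        ;;
    esac
}

# Run the lint over the three samples and print one label per sample.
demo() {
    tmp=$(mktemp)
    for kind in standalone domain-member mixed; do
        write_sample_conf "$tmp" "$kind"
        printf '%-14s -> %s\n' "$kind" "$(smb_conf_mode "$tmp")"
    done
    rm -f "$tmp"
}
demo
```

The check only reads smb.conf. A "standalone" verdict therefore says nothing about the on-disk Samba databases or a still-running winbindd, which Rowland's answer says also have to be cleared before the machine has really left the domain; treat the label as a first consistency check, not as proof of the server's state.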
