[Samba] Samba 4.8.3 - Stand-alone server

Rowland penny rpenny at samba.org
Tue Aug 20 07:24:19 UTC 2019

On 19/08/2019 21:29, Bob Wyatt wrote:
> Rowland,
> I wish to thank you for your patience with me and your responses...
> This note is also to seek some clarity, if I may...
> The clarity desired is prefixed with [BW]...
> Bob Wyatt
> -----Original Message-----
> From: Rowland penny <rpenny at samba.org>
> Sent: Saturday, August 17, 2019 1:26 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba 4.8.3 - Stand-alone server
> On 17/08/2019 17:47, Bob Wyatt via samba wrote:
>> The network administrator added the guest parameter when we could not
>> successfully connect otherwise.
>> It is not desired to acquire access as a guest.
> Then remove 'map to guest = Bad User' from [global] and make
> 'AXIARListen' look like this:
> [AXIARListen]
>         comment = Axiar Listen directory Retrieval
>         path = /AXIAR/listen
>         read only = no
>         create mask = 0770
>>   From my experience with Samba3, I was expecting Windows to cache the
>> credentials until the next user workstation reboot.
> It would, if you create users correctly, which brings us to 'unix
> password sync = no', change the 'no' to 'yes' and create Unix users and
> then make them Samba users with 'smbpasswd -a username' run by root or
> with sudo.
> [BW] In the STA domain, unix, and samba, using userid bwyatt; passwords
> are the same for the three users. Trying to map the share failed before the
> initial post here, and before the network administrator added the guest clause
> to AxiarListen. I'll test this again after the adjustments recommended.
> Setting passwd sync = 'yes' can be done easily; the current application changes
> the unix password separately from the samba password (as they were version 3).
>> The samba login credentials for users added were not in the domain\username
>> format; they were local (to RHEL) login I.D.'s, such as bwyatt.
> Yes, I supposed that they were Unix users.
>> When the user credentials box pops up, I have no way to be rid of the domain
>> part of the credentials; we want to use the same login I.D. (such as bwyatt)
>> for both RHEL/database access and Samba share access.
> on a standalone server another name for 'domain' is 'workgroup' so you
> need to be entering 'STA' here
>> This server's user login is not a domain user I.D.; aside from me, the
>> logins are totally disparate.
> Hard luck, they need to be Unix & Samba users that match your Windows
> users.
> [BW] We don’t want Samba being a DC; we were doing standalone to maintain
> some degree of separation between the domain and the database. The issue we'd
> like to avoid is forcing the user to change their samba and unix user passwds
> whenever they change the domain passwd; we fear it will be the forgotten step.
> If we join the database server to the domain (no more separation), and configure
> for single sign-on, will we still need to update samba passwd?
> Two final thoughts, your email client is terrible and if you reply to
> this, please reply to the thread, do not open a new one.
> [BW] Yea, that was my fault. I normally use Outlook (I know) for work, and I
> use gmail for other stuff. It just so happens this address is sync'd in Outlook
> (sorry).
> Rowland
> Thanks again for your patience and assistance!
I think your problems all stem from your efforts to keep everything 
separate ;-)

Even if you do use a standalone server, then your Windows users (if you 
want to use authentication) will have to be known to the standalone 
server with the same password (unless they want to be asked for their 
password every time).

If you are running a domain, I do not understand why you do not just 
join the standalone server to the domain as a Unix domain member, all 
your authentication problems would then go away.

Another name for a Windows PC that is not joined to a domain is a 
standalone server, would you run a Windows machine in the same way that 
you are running this Samba machine?

If you insist on running Samba as a standalone server, then you should 
create any Windows users, that you want to access it, as Unix & Samba 
users using the same password as the Windows user. You will then need to 
come up with some way to change the passwords on the standalone server 
when the user's Windows password is changed. Still want to run Samba as a 
standalone server?

Just one final thought, a group of standalone servers (Unix and/or 
Windows) is called a workgroup and they were terrible to maintain once 
you got past a dozen users/computers because of the user password 
problem, why do you think Microsoft came up with domains in the first 
place, they do not scale.
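
A check for the configuration change discussed in this thread, as an added example that is not from the thread or the Samba project: it parses smb.conf-style text and lists every setting that still permits guest access. The sample config is constructed, and its `guest ok = yes` line is an assumed stand-in for the "guest clause" the thread does not spell out.

```python
import re

# Constructed sample: the thread's share plus guest settings ('guest ok' is assumed).
SAMPLE = """\
[global]
    workgroup = STA
    Map To Guest = Bad User
[AXIARListen]
    comment = Axiar Listen directory Retrieval
    path = /AXIAR/listen
    read only = no
    create mask = 0770
    guest ok = yes
"""

TRUE = {"yes", "true", "1", "on"}  # boolean spellings treated as enabled
GUEST_BOOLS = {"guestok", "public", "guestonly", "onlyguest"}  # incl. synonyms

def norm(name):
    # Samba matches parameter names ignoring case and embedded whitespace.
    return re.sub(r"\s+", "", name).lower()

def parse(text):
    """Return {section: {normalized_param: value}} for smb.conf-style text."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][norm(key)] = value.strip()
    return conf

def guest_findings(text):
    """List (section, param, value) settings that still permit guest access."""
    findings = []
    for section, params in parse(text).items():
        m2g = params.get("maptoguest", "Never")
        if section == "global" and norm(m2g) != "never":
            findings.append((section, "maptoguest", m2g))
        for key in sorted(params.keys() & GUEST_BOOLS):
            if params[key].lower() in TRUE:
                findings.append((section, key, params[key]))
    return findings
```

An empty list from `guest_findings()` means the parsed text has no guest fallback left; parameter names are reported in their normalized form.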

