topic Re: samba authentication in Operating System - HP-UX

samba authentication

Smucker — Wed, 13 Jul 2005 12:51:20 GMT

Curretly we have or HP systems configured as Domain members (Windows PDC). This allows our user to access file shares on the system (only if there are defined to the HP system). I would like to remove this restriction ( I would like the users to be able to access these shares with out having to be defined on the HP systems). What would be the best way to authenticate these users via windows PDC

Re: samba authentication

RAC_1 — Wed, 13 Jul 2005 13:17:38 GMT

You need to set your smb.conf file right. to authenticate from windows PDC, you would require one of the following as security directive.

security="windows_pdc_domain"
or
security=server

Check following document, it is very helpful.
http://www.oreilly.com/catalog/samba/chapter/book

Anil

Re: samba authentication

Smucker — Thu, 14 Jul 2005 02:58:12 GMT

We already run security="Domain". However this still forces us to define the user to unix (or the smbpasswd file) but authenticates password via the PDC. The defining of the users to unix is what I want to get away from....

I will read this book

Re: samba authentication

Rainer von Bongartz — Thu, 14 Jul 2005 03:31:17 GMT

You have to use winbind for this.

see man winbindd

Regards
Rainer

Re: samba authentication

Smucker — Thu, 14 Jul 2005 05:38:32 GMT

Can you please elaborate on this.

I have been able to find much information on winbind/samba

Thanks

Re: samba authentication

Geoff Wild — Thu, 14 Jul 2005 08:14:49 GMT

Use winbind:

Winbind - only works in Samba 3 and up.

First, backup old files:

cp -p /etc/opt/samba/smb.conf /etc/opt/samba/smb.conf.bak
cp -p /etc/opt/samba/username.map /etc/opt/samba/username.map.bak

Install new Samba (if needed)

Verify it is installed:

swlist |grep CIFS

Add to windbind to /etc/nsswitch.conf:

passwd: files winbind
group: files winbind

Add or change /etc/opt/samba/smb.conf

security = DOMAIN

idmap uid = 10000-30000
idmap gid = 10000-30000
template primary group = users
winbind separator = +

as well as valid users, example:

valid users = WINDOWSDOMAIN+user1, WINDOWSDOMAIN+user2

then, for each share, set the valid users as well, example:

[src]
path = /usr/local/src
valid users = WINDOWSDOMAIN+user1, WINDOWSDOMAIN+user2
force user = genericunixid

Note: force user sets the Unix permissions to the uid of that user - so it must be a Unix id.

zero out the username.map file - no longer needed.

May or may not need to re-join the WINDOWSDOMAIN domain:

/opt/samba/bin/net rpc join -U administrator

Start Samba and windbind from either SWAT ( http://server:901 ) or command line:

/opt/samba/bin/startsmb -w

Verify you can connect from Windows by:

Start -> Run -> \\server

Note: you will need IPC share for \\server:

[IPC$]
hosts allow = 192.168.163.0/24 127.0.0.1
hosts deny = 0.0.0.0/0
valid users = WINDOWSDOMAIN+gwild

Check log files on Samba Server in /var/opt/samba if it doesn't seem to be working.

Rgds...Geoff

Re: samba authentication

Smucker — Thu, 14 Jul 2005 10:21:09 GMT

Thanks, however as previously stated I did not want to have to define these users
( valid users = WINDOWSDOMAIN+user1, WINDOWSDOMAIN+user2) to the unix machine I would samba to validate these users automatically...no signon/password from windows .

I think winbind is the answer but I need to get it working (under LINUX). I tried your steps but it is still missing something.

Re: samba authentication

Geoff Wild — Thu, 14 Jul 2005 21:26:19 GMT

Well - if you don't want to validate with Windows - then you don't need winbind....

You could just use SECURITY=USER and use smbpasswd and map users to a Unix id (could be just one if you use a username.map).

But your original question stated:
"What would be the best way to authenticate these users via windows PDC"

So I'm a bit confused....sorry...

Rgds...Geoff

Re: samba authentication

Geoff Wild — Fri, 15 Jul 2005 05:38:19 GMT

BTW - did you set

password server = NTDCSERVER1, NTDCSERVER2, etc

Rgds...Geoff

Re: samba authentication

Smucker — Fri, 15 Jul 2005 07:55:44 GMT

Thanks for all the responses. My goal for this was to eliminate the need to manage users either on the Linux or the Samba side. I wanted to eliminate the double handling of user accounts (NT & Linux). By Using winbind and PAM I was able to do so. thanks for all the suggestions.