CIFS/9000 server - authentication

Dee_3
Regular Advisor

CIFS/9000 server - authentication

I have an hp-ux 11.0 server running CIFS/9000 server in domain security mode - I have a Windows PDC.
Can I be a user on the Windows side - using a share on the Unix side without having to add the Win user to the Unix system?
(This is my first attempt at playing with Samba and I am having fits trying to get to the shares I have defined on the Unix system).
I think it would be an administrative nightmare to have to add all the Win user ids to the Unix system to make this work!
PLEASE HELP! :-) Dee
Helen French
Honored Contributor

Re: CIFS/9000 server - authentication

If your CIFS/9000 server is part of that domain (member server), then you can log in with your domain account and should be able to access the shares. You still need to have proper rights to access those shares (file system as well as printers). Check your user permissions for that share.
Life is a promise, fulfill it!
Dee_3
Regular Advisor

Re: CIFS/9000 server - authentication

Will check that - another question - who am I coming into the Unix (CIFS server) as if I do not have that login id on the Unix system?
Helen French
Honored Contributor

Re: CIFS/9000 server - authentication

Since you are logging in to the domain first, your authentication will be done at that level. Once you are logged in and when you access the share, CIFS/9000 will look at your permissions. Since you have domain security level set for the CIFS share, it will be authenticated, unless otherwise specified.

You don't need to be authenticated by HP-UX, since you are not actually logging in to the HP server, but accessing a share only in CIFS. CIFS will check your permissions (on domain level and other if specified).
Life is a promise, fulfill it!
James A. Donovan
Honored Contributor

Re: CIFS/9000 server - authentication

You will not actually be logging into the Unix system. If you set up a Samba share on your Unix server, then it will be presented to your Windows-based systems just like any other share from any other Windows-based system would be. Access is authenticated against the NT Domain. So if you allow Domain Users access to the Samba share then any of your users will be able to access it.
Remember, wherever you go, there you are...
Dee_3
Regular Advisor

Re: CIFS/9000 server - authentication

How am I allowing the Domain Users group to access the Samba share - in other words in my smb.conf file - what parameter am I talking about - valid users parm did not seem to work properly...
James A. Donovan
Honored Contributor

Re: CIFS/9000 server - authentication

There are examples of how to specify shares/permissions at the end of the smb.conf file.

I would recommend you read this document as well..

http://docs.hp.com/cgi-bin/fsearch/framedisplay?top=/hpux/onlinedocs/B8725-90053/B8725-90053_top.html&con=/hpux/onlinedocs/B8725-90053/00/00/6-con.html&toc=/hpux/onlinedocs/B8725-90053/00/00/6-toc.html&searchterms=samba&queryid=20031219-144736
Remember, wherever you go, there you are...
Dee_3
Regular Advisor

Re: CIFS/9000 server - authentication

Thanks for the URL but I have read both that manual and the O'Reilly Samba manual.
To do a quick test - I created a user id on the Unix side - then put that user in the valid user parm in the share section of the smb.conf file. - Lo and behold - I was able to access the share!! When I deleted the user on the unix side (that matched the win side) it quit working until I opened that share in the smb.conf to public = yes.

This goes against everything I thought you gents were telling me. So what other parm do I have incorrectly defined that would force this behavior? Thanks, Dee
Garry Ferguson
Frequent Advisor
Solution

Re: CIFS/9000 server - authentication

I beg to disagree with some replies.
I think you DO have to add the users to the unix system. I don't see how else it can work. Say the unix users are user1 to user10 and they are in groups grp1 and grp2. If the Windows client user names and groups do not match up at all, how can access possibly be granted? There would be no basis for controlling access. Here we have users added to both systems. The "security = domain" smb.conf option (which we use) might mean that the password can be verified from the PDC and not the unix machine and so the windows and unix passwords can differ. It does not mean, however, that the unix username can be absent from the unix system.
You can download the "Using Samba" book from
http://www.oreilly.de/catalog/samba/chapter/book/indexpdf.html
Garry Ferguson
Darren Prior
Honored Contributor

Re: CIFS/9000 server - authentication

Hi Dee,

Garry is correct - you MUST have users defined on the HP-UX box. These users need to be mapped to the Windows users. All the authentication is done through the Windows PDC. Your testing also neatly proved this ;-)

To quote from the O'Reilly book "Using Samba", "The only local administration required on the Samba server will be creating directories for users to work in and /etc/passwd entries to keep their UIDs and groups in."

Regarding mapping - you can either create the HP-UX accounts with the same names as the Windows users (not always possible if they use long names), or you can use the "username map" parm and create a file that links the 2 sets of names. The smb.conf man page and the O'Reilly book both go into some details on different ways of doing this.

best regards,

Darren.
Calm down. It's only ones and zeros...
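
Added example, not part of any reply in this thread: a Python sketch of the lookup described above, where a domain-authenticated Windows name is translated through a "username map" file and must then resolve to an /etc/passwd entry. The map and passwd contents are constructed samples and the function names are hypothetical; `@group` entries are not handled and name comparison is assumed to be case-insensitive.

```python
import shlex

# Constructed sample data, not taken from the thread.
USERNAME_MAP = '''\
# unix_name = windows_name [windows_name ...]
!dsmith = "Dee Smith" dee_smith
jdoe = "John Q. Doe"
'''
PASSWD = '''\
root:x:0:3::/:/sbin/sh
dsmith:x:201:20:Dee:/home/dsmith:/usr/bin/sh
'''

def parse_map(text):
    """Return [(unix_name, [windows_names], stop_flag)] from username map text."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        # '#' and ';' start comment lines; anything without '=' is not a mapping
        if not line or line[0] in "#;" or "=" not in line:
            continue
        stop = line.startswith("!")  # '!' means: stop processing if this line maps
        unix, _, rhs = line.lstrip("!").partition("=")
        rules.append((unix.strip(), shlex.split(rhs), stop))  # honours "quoted names"
    return rules

def map_user(win_user, rules):
    """Apply the map: last matching line wins, a matching '!' line ends the search."""
    mapped = win_user  # unmapped names are used as-is
    for unix, names, stop in rules:
        # Assumption: names compare case-insensitively; '*' matches any client name
        if any(n == "*" or n.lower() == win_user.lower() for n in names):
            mapped = unix
            if stop:
                break
    return mapped

def unix_account_for(win_user, map_text=USERNAME_MAP, passwd_text=PASSWD):
    """Return (unix_name, exists_in_passwd) for a user the PDC has authenticated."""
    unix = map_user(win_user, parse_map(map_text))
    accounts = {l.split(":")[0] for l in passwd_text.splitlines() if l}
    return unix, unix in accounts

if __name__ == "__main__":
    for u in ("Dee Smith", "John Q. Doe", "dsmith", "bob"):
        print(u, "->", unix_account_for(u))
```

A result whose second element is `False` is the case Dee hit after deleting the Unix user: the PDC can verify the password, but there is no local UID for the share access to run as.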
Dee_3
Regular Advisor

Re: CIFS/9000 server - authentication

Thanks for validating my tests. Thought I was going crazy for a minute. I am going to start public and see how bad they want it locked down. Appreciate all the responses! Dee