Samba w/ security=domain - how to use Windows Groups/Usernames so Username Maps are avoided?

 
Alzhy
Honored Contributor

Is it possible to define shares with accesses using Windows account names and groups so username maps and creation of equivalent UNIX accounts is avoided?

Or do I need winbind for this?

Hakuna Matata.
8 REPLIES
Steven E. Protter
Exalted Contributor

Re: Samba w/ security=domain - how to use Windows Groups/Usernames so Username Maps are avoided?

Shalom Nelson,

Hope you and the harley are well.

Samba for HP-UX has a mechanism for preventing problems with numeric user IDs; at least Samba 3 does.

http://www1.itrc.hp.com/service/james/dispDoc.do?docURL=http%3A%2F%2Fsearch.hp.com%2Fredirect.html%3Furl%3Dhttp%253A%2F%2Fforums1.itrc.hp.com%2Fservice%2Fforums%2Fquestionanswer.do%253FthreadId%253D792689%26qt%3D%252BSamba%2B%252BUID%2B%252Bmatch%26hit%3D3&aid=SEARCH_FORUMS&pil=3&serStr=Samba+UID+match&pir=3

http://www1.itrc.hp.com/service/james/dispDoc.do?docURL=http%3A%2F%2Fsearch.hp.com%2Fredirect.html%3Furl%3Dhttp%253A%2F%2Fforums1.itrc.hp.com%2Fservice%2Fforums%2Fbizsupport%2Fquestionanswer.do%253FthreadId%253D967252%26qt%3D%252BSamba%2B%252BUID%2B%252Bmatch%26hit%3D2&aid=SEARCH_FORUMS&pil=2&serStr=Samba+UID+match&pir=2

http://www1.itrc.hp.com/service/james/dispDoc.do?docURL=http%3A%2F%2Fsearch.hp.com%2Fredirect.html%3Furl%3Dhttp%253A%2F%2Fforums1.itrc.hp.com%2Fservice%2Fforums%2Fquestionanswer.do%253FthreadId%253D772038%26qt%3D%252BSamba%2B%252BUID%2B%252Bmatch%26hit%3D1&aid=SEARCH_FORUMS&pil=1&serStr=Samba+UID+match&pir=1

Manuals covering the topic.
http://www1.itrc.hp.com/service/james/dispDoc.do?docURL=http%3A%2F%2Fsearch.hp.com%2Fredirect.html%3Furl%3Dhttp%253A%2F%2Fdocs.hp.com%2Fen%2F32650-90492%2Fch09s01.html%26qt%3D%2BSamba%2BUID%2Bmatch%26hit%3D1&aid=SEARCH_MANUAL&pil=1&serStr=Samba+UID+match

http://www1.itrc.hp.com/service/james/dispDoc.do?docURL=http%3A%2F%2Fsearch.hp.com%2Fredirect.html%3Furl%3Dhttp%253A%2F%2Fdocs.hp.com%2Fen%2F32650-90498%2Fch04s04.html%26qt%3D%2BSamba%2BUID%2Bmatch%26hit%3D9&aid=SEARCH_MANUAL&pil=9&serStr=Samba+UID+match

There is a set procedure deep in these manuals for dealing with this issue.

I have checked a Linux Samba server and an HP-UX Samba server at work.

Neither of them uses winbind.

We have a setup where all users are part of an NIS domain and Unix IDs are set up separately, only for actual command line users.

Our Samba servers allow Windows users to access HP-UX and Linux Samba shares without use of winbind.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Geoff Wild
Honored Contributor

Re: Samba w/ security=domain - how to use Windows Groups/Usernames so Username Maps are avoided?

You need winbind....

Then in the global section of smb.conf:

wins server = X.X.X.X, Y.Y.Y.Y, orntdomainservername
winbind enum users = No
winbind enum groups = No
idmap uid = 10000-30000
idmap gid = 10000-30000
template primary group = users
winbind separator = +
valid users = NTDOM+user1, NTDOM+gwild


Then add the users to the "Valid Users" of the shares...

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Steven E. Protter
Exalted Contributor

Re: Samba w/ security=domain - how to use Windows Groups/Usernames so Username Maps are avoided?

Upon further reflection and more accurate search, we are using winbind.

Searched smb.conf for the wrong term.

Apologies.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
eric roseme
Respected Contributor

Re: Samba w/ security=domain - how to use Windows Groups/Usernames so Username Maps are avoided?

If you can, upgrade to the latest HP CIFS Server version from the web - it's A.02.02, based upon Samba 3.0.14a:

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B8725AA

We've made several enhancements to wbinfo (-u, -g, -l, -L) to help clarify mapping of user/group names to UID/GID.

Remember that mappings are associated only on the local HP-UX server. If you have separate HP CIFS Servers in the same domain running winbind, then you will likely have different UID/GID mappings. We will be delivering a feature (next release, probably) to calculate IDs based upon the Windows Relative Identifier for this called idmap_rid, which will in most cases sync the ID mappings on separate servers.

Eric Roseme
Hewlett-Packard
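An added illustration of the point in the post above (not HP's or Samba's code): a simplified model of why first-come allocation gives different UIDs on two servers while a RID-based calculation does not. The formula ID = RID - BASE_RID + LOW_RANGE_ID is the one documented for upstream Samba's idmap_rid; the account names, RIDs and base RID are constructed, and the range is the `idmap uid` range quoted earlier in the thread.

```python
LOW, HIGH = 10000, 30000   # "idmap uid = 10000-30000" from the thread
BASE_RID = 1000            # hypothetical base RID chosen for this example

# Constructed sample accounts: name -> Windows relative identifier (RID).
ACCOUNTS = {"NTDOM+user1": 1105, "NTDOM+gwild": 1250, "NTDOM+ntid": 1311}

def allocated_uids(first_seen_order, low=LOW, high=HIGH):
    """Model a local allocator: next free UID in order of first access."""
    table, next_id = {}, low
    for name in first_seen_order:
        if name in table:
            continue
        if next_id > high:
            raise RuntimeError("idmap range exhausted")
        table[name] = next_id
        next_id += 1
    return table

def rid_uid(rid, low=LOW, high=HIGH, base_rid=BASE_RID):
    """ID = RID - BASE_RID + LOW_RANGE_ID, refused when it leaves the range."""
    uid = rid - base_rid + low
    if rid < base_rid or uid > high:
        raise ValueError(f"RID {rid} does not fit in {low}-{high}")
    return uid

def uid_to_rid(uid, low=LOW, base_rid=BASE_RID):
    """Reverse mapping: RID = ID + BASE_RID - LOW_RANGE_ID."""
    return uid + base_rid - low

def diverging(table_a, table_b):
    """Accounts that ended up with different UIDs on the two servers."""
    return sorted(n for n in table_a if table_a[n] != table_b.get(n))

if __name__ == "__main__":
    # The same three users reach server A and server B in a different order.
    a = allocated_uids(["NTDOM+user1", "NTDOM+gwild", "NTDOM+ntid"])
    b = allocated_uids(["NTDOM+ntid", "NTDOM+user1", "NTDOM+gwild"])
    print("allocator mismatch:", diverging(a, b))
    # The RID-based value depends only on the RID, so every server agrees.
    print("rid-based:", {n: rid_uid(r) for n, r in ACCOUNTS.items()})
```

Files written through one server and read through another (shared storage, backups restored elsewhere) carry the numeric UID, so diverging tables mean ownership and permissions resolve to the wrong account.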
Alzhy
Honored Contributor

Re: Samba w/ security=domain - how to use Windows Groups/Usernames so Username Maps are avoided?

Steven, thanks. Me and the Harley are fine.

Geoff, thanks.

Eric,
We are using A.02.0X ... Samba 3.07 based. So to realize a more seamless integration of our Samba services as true domain members - would you recommend to still use domain security (and Winbind) or go with ADS? Our Windows Network runs a mix of Win2K and Win2003 which use ADS.

It's just that our use of CIFS will be so extensive and we'd like to secure our shares w/o the admin headache of creating username maps and/or avoid creating UNIX accounts for each Windows account.

For our current Security = Domain configs - we use WINS. We request "machine accounts" for the HP-UX machines running CIFS and do:

net rpc oldjoin

On our sprinkling of Samba 2.x.x, we use smbpasswd -j ...

Hakuna Matata.
Geoff Wild
Honored Contributor

Re: Samba w/ security=domain - how to use Windows Groups/Usernames so Username Maps are avoided?

If you have ADS - I'd go with it - that's what I did recently (I was forced to).

For steps, see my thread here:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=949365

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Alzhy
Honored Contributor

Re: Samba w/ security=domain - how to use Windows Groups/Usernames so Username Maps are avoided?

I was just actually finishing reading through the Admin Guide for CIFS Server A.02.02 (Samba 3.014?)... So with SECURITY = ADS and enabling Winbind, I can totally do away with Username maps and creating corresponding NT accounts on UNIX?

Also will I be able to specify NT Group Names for my share definitions?

i.e.

[GRAPHICS]
path = /usr/sap/xfer/dserp
valid users = DOM+ntid,$MYDOM+ntgrp
force user = uxgrfx
force group = uxgrfgrp

and what about Windows Group Names that have spaces?

Hakuna Matata.
Geoff Wild
Honored Contributor

Re: Samba w/ security=domain - how to use Windows Groups/Usernames so Username Maps are avoided?

Yes - you will no longer need username.map with security = ADS.

As far as nt groups - I have tried that - it seems flaky - sometimes it works - sometimes it doesn't...

I don't have any groups/users with spaces - so I don't know - but I would tell them NT admins that spaces in a group/user name is bad form! :)


Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
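An added example, not taken from any post in this thread and not Samba code: a small audit of `valid users` lines like the ones discussed above, including the group-name-with-spaces case. It assumes smb.conf lists are split on commas and whitespace with double quotes protecting spaces, that `@`, `+` and `&` mark group entries, and that `winbind use default domain` is not set; the share `[broken]`, its path and the group "Graphics Team" are constructed.

```python
import configparser
import re

# Constructed sample: [global] value from the thread plus two hypothetical
# shares; the group name "Graphics Team" and /srv/broken are made up.
SMB_CONF = """
[global]
winbind separator = +

[graphics]
path = /usr/sap/xfer/dserp
valid users = NTDOM+user1, @"NTDOM+Graphics Team"

[broken]
path = /srv/broken
valid users = NTDOM+gwild, @NTDOM+Graphics Team
"""

# Simplified list tokenizer (assumption): commas and whitespace separate
# entries, double quotes keep a name with spaces in one piece.
TOKEN = re.compile(r'[^\s,"]*"[^"]*"|[^\s,]+')

def split_list(value):
    return [t.replace('"', "") for t in TOKEN.findall(value)]

def audit_valid_users(conf_text):
    """Map each share to (entry, kind, scope) tuples for its valid users."""
    cp = configparser.RawConfigParser(strict=False)
    cp.read_string(conf_text)
    sep = cp.get("global", "winbind separator", fallback="\\")
    report = {}
    for share in cp.sections():
        if share == "global" or not cp.has_option(share, "valid users"):
            continue
        rows = []
        for entry in split_list(cp.get(share, "valid users")):
            is_group = entry.startswith(("@", "+", "&"))
            name = entry[1:] if is_group else entry
            domain, found, account = name.partition(sep)
            qualified = bool(found and domain and account)
            rows.append((entry, "group" if is_group else "user",
                         "domain" if qualified else "unqualified"))
        report[share] = rows
    return report

def unqualified(report):
    """Entries that would not be looked up as DOMAIN<sep>name."""
    return {s: [e for e, _, scope in rows if scope == "unqualified"]
            for s, rows in report.items()}
```

In `[broken]` the unquoted group name splits into `@NTDOM+Graphics` and a stray `Team`, so the share ends up referring to a different group plus an unqualified account name instead of the intended group.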