On Mon, 2004-03-22 at 23:46, ww m-pubsyssamba wrote:
> Can anyone tell me if I can configure Samba 3.x to rely only on Kerberos authentication (in an AD domain)?
> Ideally I'd like to use local UNIX accounts, not winbind, and negate the need for me to add an entry to passdb, then the account must exist in AD and locally on each Samba member server for authentication to work.
> If there is any info held in passdb, other than the NTLM coded password, which must exist for Samba to work then I'd like to either enter an unusable password or disable NTLM authentication completely. Reason for my second request is if I am forced to have users in passdb I don't want to have to worry about the data being world readable from a security perspective.

I meant to talk to you earlier about this.  It is quite OK to have a
system that does not use winbind, and you can still use all the
authentication mechanisms.  

You can set 'security=domain' and even 'security=ads' without winbind. 

You can also run winbindd (which helps security=domain's performance)
without winbind in nsswitch.

Andrew Bartlett



Hi Andrew,

        thanks for your reply, but I have a problem with your suggestion. This is a revised description of my problem (having re-checked how things are working). I would like UNIX users and groups to be visible to Windows clients for the purposes of permissioning data with Windows Explorer. I believe to do this I must run "smbpasswd -a user password" for each user on each Samba member server, or run it once on one Samba server with an LDAP passdb backend. If I store the data in LDAP I have to concern myself with securing the data, as access to read or modify the NTLM password in passdb is a security hole (unless I can disable NTLM completely).

Firstly let me clarify what I have set up: my requirement is for multiple Samba 3.x member servers in an AD domain. So in my test environment I have a server with "security=ads" successfully joined to an AD domain. The main problem is that at the moment winbind and Solaris NSS won't talk properly (I'm discussing this with PADL who contributed this code), so I cannot use winbind to define local UNIX users and groups. Instead I have UNIX users & groups in /etc/groups & /etc/passwd. Without doing any further configuration this gives me Kerberos access to the Samba server from SMB clients (although my previous mail was based in part on the mistaken belief that the account must exist in passdb before even Kerberos authentication would work).

That's fine as I now have a working member server, but from a Windows client I cannot assign permissions to any of the local users or groups. I.e. if you right click a file or folder on a client to the Samba server and browse to the Samba server to graphically select users and groups to grant permissions to, only the default users and groups are visible:

Everyone
Authenticated Users
ANONYMOUS LOGON
BATCH
CREATOR OWNER
CREATOR GROUP
DIALUP
INTERACTIVE
NETWORK
SERVICE SYSTEM
TERMINAL SERVER USER

In order to see users in this list I have to first run "smbpasswd -a user password", and in order to see groups in the list I have to run "net groupmap ntgroup=groupname unixgroup=groupname". I am more than happy to automate the process of "smbpasswd -a ..." etc. but this does then allow access to Samba by the password held in the passdb backend. What would be great is if I could disable NTLM authentication for the whole server. That way I can store the passdb in LDAP without having to implement SSL (unless someone would like to correct me, this seems to be a painful process relying on either manually installing self-signed certificate files or the implementation of a robust certificate server infrastructure). So I wouldn't need to worry about the security of the passdb user password field.

Or another option: should I run an automated "smbpasswd -a ..." script on every Samba member server using a file based passdb backend? Does it matter if I have multiple Samba member servers in a domain with their own local passdb? I believe there is a RID value stored in passdb; does this need to be the same across multiple Samba member servers?

If I use winbind I can permission data to groups in my AD domain from a Windows client, but because I don't have winbind listed in nsswitch.conf these are permissioned against UIDs and GIDs which are unknown to the UNIX OS, so this is not useful to me.


Maybe I'm not going about this in the best/easiest way or don't fully understand all the available options, so your opinion would be appreciated,

                thanks in advance, Andy.
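The per-server provisioning Andy describes (one "smbpasswd -a" per local user so it shows up in the Windows ACL editor, one "net groupmap" per group) can be generated from passwd/group-format data rather than typed by hand. The script below is an added example, not code from the thread or from the Samba project; the sample accounts, the 1000 id threshold for "real" users, and the use of a random throwaway password (so the NTLM hash in passdb never corresponds to anything a user types, while the actual logon still goes to the AD DC via Kerberos) are assumptions. It prints the commands instead of running them.

```bash
#!/bin/sh
# Added example: emit the smbpasswd / net groupmap commands needed on a
# security=ads member server so local UNIX users and groups become visible
# to Windows clients. Nothing is executed; review the output, then pipe it
# to sh on each member server.

# Constructed sample data in /etc/passwd and /etc/group format.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/sh
bob:x:1002:1002:Bob:/home/bob:/bin/sh'

SAMPLE_GROUP='root:x:0:
staff:x:1001:alice,bob
media:x:1002:bob'

MIN_ID=1000   # assumption: ids below this are system accounts and are skipped

# One "smbpasswd -s -a <user>" per regular login user. -s reads the password
# (twice) from stdin; each user gets a fresh random value that is never
# stored anywhere else, so the resulting NTLM hash matches no real secret.
gen_user_cmds() {   # $1 = passwd-format text
    printf '%s\n' "$1" | awk -F: -v min="$MIN_ID" '
        $3 >= min && $7 !~ /(nologin|false)$/ {
            print "pw=$(head -c 24 /dev/urandom | od -An -tx1 | tr -d \" \\n\")"
            print "printf \"%s\\n%s\\n\" \"$pw\" \"$pw\" | smbpasswd -s -a " $1
        }'
}

# One "net groupmap add" per regular group, mapping the NT group name to the
# UNIX group of the same name as a domain-type group.
gen_group_cmds() {  # $1 = group-format text
    printf '%s\n' "$1" | awk -F: -v min="$MIN_ID" '
        $3 >= min {
            print "net groupmap add ntgroup=\"" $1 "\" unixgroup=" $1 " type=domain"
        }'
}

# Dry run over the sample data.
gen_user_cmds "$SAMPLE_PASSWD"
gen_group_cmds "$SAMPLE_GROUP"
```

The passdb still holds an NTLM hash per account after this, so the backend's read permissions (tdb file mode, or LDAP ACLs on the sambaNTPassword attribute) matter just as much as the password choice.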


