On Fri, Oct 29, 2004 at 09:16:02AM -0700, DeStefano, Paul wrote:
| Solution: ADS, perhaps?
|
| I've read lots of documents and they seem to indicate
| that, when using ADS authentication (by which I mean
| security=ADS and the proper realm, etc.) winbind is NOT
| involved in the authentication process. It says smbd
| participates in Kerberos ticketing, like a normal "Domain
| Member", to authorize samba clients. (Details found here:
| http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html)
| I think that means it gets the client user authorization
| directly from ADS; winbind is not involved.
|
| Well, if that's true, then samba has everything it needs to
| authorize clients by group membership, not just authenticate users,
| without consulting winbind. The Kerberos ticket that it receives
| during authentication includes all sorts of information about the
| user...including the user's group memberships. Is that right?
|
| This isn't particular to ADS, I suppose, now that I think about it;
| probably the same as before ADS. But, I couldn't find any examples
| of samba using windows authentication without winbind.
|
| You're probably wondering what is going to happen after
| authentication and authorization without winbind to map users to
| UNIX UIDs. Me too. That's my follow up question. I hope that samba
| can use the unqualified username (without the 'DOMAIN\' prefix)
| to find a match using the normal resolution so that we can just
| populate /etc/passwd. Think that will work? Actually, we intend to
| use "force user =", as in the past, so it really doesn't matter what
| happens with the UID mappings, but samba might not be that clever.
| It may insist on successfully resolving usernames before checking
| options like "force user".
If you have a mapping in the passwd(5) file between the username (without 'DOMAIN\' prefix) and a UID, things should work without needing "winbind" in nsswitch.conf; the user's password is checked against ADS and the passwd(5) entry is used to provide a UID. If there is not a matching entry in passwd(5) for the ADS user, they will not be able to connect.

Cheers,
Luke.
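The lookup Luke describes, as an added example that is not part of the thread or of Samba's own code: with winbind left out of nsswitch.conf, the only UID source is passwd(5), so an admin can check in advance which ADS users would be refused. The script assumes users arrive as either `DOMAIN\user` or `user@REALM` and are matched on the lowercased bare name; the passwd entries, user list and `CORP` domain are constructed sample data.

```sh
#!/bin/sh
# Added example: model the username -> UID step when passwd(5) supplies UIDs
# and winbind is not consulted. Assumptions (mine, not Samba's behaviour):
# names arrive as "DOMAIN\user" or "user@REALM" and match on the bare name,
# lowercased, since AD names are case-insensitive and Unix names are not.

# Strip a 'DOMAIN\' prefix or '@REALM' suffix, leaving the unqualified name.
unqualified_name() {
    printf '%s\n' "$1" | sed -e 's/^[^\\]*\\//' -e 's/@.*$//' | tr 'A-Z' 'a-z'
}

# Print the UID from a passwd(5)-format file, or fail (exit 1) when there is
# no entry: per Luke's reply, that user will not be able to connect.
resolve_uid() {
    # $1 = username as presented by the client, $2 = passwd file
    name=$(unqualified_name "$1")
    uid=$(awk -F: -v u="$name" '$1 == u { print $3; exit }' "$2")
    [ -n "$uid" ] || return 1
    printf '%s\n' "$uid"
}

# Pre-deployment check: list every user in a file that lacks a passwd entry.
missing_users() {
    # $1 = file with one username per line, $2 = passwd file
    while read -r u; do
        resolve_uid "$u" "$2" >/dev/null || printf '%s\n' "$u"
    done < "$1"
}

# Constructed sample data in a temporary directory so the script runs offline.
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
cat > "$TMPD/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
pdestefano:x:1001:1001:Paul:/home/pdestefano:/bin/sh
share:x:1500:1500:forced share owner:/srv/share:/sbin/nologin
EOF
cat > "$TMPD/users" <<'EOF'
CORP\pdestefano
pdestefano@CORP.EXAMPLE.COM
CORP\jsmith
EOF

resolve_uid 'CORP\pdestefano' "$TMPD/passwd"   # prints 1001
missing_users "$TMPD/users" "$TMPD/passwd"      # prints CORP\jsmith
```

A share's "force user =" only changes the identity used for file operations after the connection is established, so the `share` account above does not rescue a user who has no passwd entry of their own.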
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
