Hi Gordon,

The reason I didn't want to run winbind is because I don't want to run my AD server in compatibility mode, which I believe is required for winbind to be able to use a "CID" to query the users and groups stored in the AD. Maybe I am wrong?

~ Rodre

-----Original Message-----
From: Gordon Hopper [mailto:[EMAIL PROTECTED]
Sent: Monday, May 09, 2005 3:39 PM
To: Rodre Ghorashi-Zadeh
Subject: RE: [Samba] Samba & Win2k AD domain membership

No, you need winbind to use domain groups. Kerberos (as it is used by Samba) validates the password. If you're not using winbind, then Samba uses /etc/passwd and /etc/group for the username to user id (uid) mapping. If you choose to list all of your Domain Admin users in /etc/passwd and /etc/group, then it will work without winbind. (However, you will be unable to manage the group list with Active Directory tools, obviously.)

You might want to read this paragraph on the Name Service Switch (NSS):
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html#id2596800

You can think of winbind as magically extending the /etc/passwd and /etc/group files, the same way that NIS or other unix domain services do. (But not /etc/shadow. Authentication is handled separately via PAM.)

Hmm.. anyway, I'm not sure you need to understand all this to get it working. (I'm not sure I understand it all ;). It sounds like you DO want to run winbind, at least in /etc/nsswitch.conf.

Is there a reason you don't want to run winbind? For example, do you want to prevent users from telnetting to the box? (That should be the default, unless you modify /etc/pam.d/login.) I'm not running it simply because I ran out of time on the project, and the things we needed worked ok without it.

Gordon

On Mon, 2005-05-09 at 09:35 -0700, Rodre Ghorashi-Zadeh wrote:
> Hello,
>
> Thanks for your response. So if I understand this correctly, the Kerberos
> authenticates the client for access to the share, but the smbusers file maps
> Windows accounts to UNIX accounts for file system access on the Samba
> server? Also, if I use the "force user = x" parameter on the share would I
> still be able to have the Windows "Domain Admins" group perform
> Read/Write/Delete operations on the share, and the "Domain Users" group
> perform only Read operations? If so, could you please provide a smb.conf
> example? Thanks again.
>
> ~ Rodre
>
> -----Original Message-----
> From: Gordon Hopper [mailto:[EMAIL PROTECTED]
> Sent: Sunday, May 08, 2005 11:08 PM
> To: Rodre Ghorashi-Zadeh
> Cc: [email protected]
> Subject: Re: [Samba] Samba & Win2k AD domain membership
>
> No, you don't need to run winbind (provided that all of your Samba users
> already have unix accounts, or you list them in your smbusers file). I
> use Samba+Kerberos (with Active Directory) without running winbind. I
> didn't modify my pam settings because I'm using Kerberos only for Samba.
>
> Note that, in this scenario, my AD users cannot log in to the box (with
> e.g. telnet). Also, I map the file permissions with "force user = x",
> since the users don't have a real uid on the box. (Also, I can't access
> AD groups without winbind... There are some downsides, but Samba does
> work without it.)
>
> Regards,
>
> Gordon Hopper
>
>
> On Sat, 2005-05-07 at 13:17 -0700, Rodre Ghorashi-Zadeh wrote:
> > Hello,
> >
> > I am trying to set up my samba server version 3.0.10-1.fc3 as a Win2k Domain
> > Member. What I need to know is once I have ADS security and Kerberos
> > working, do I still need to use winbind or ldap for client authentication or
> > will Kerberos take care of it?
> >
> > Rodre Ghorashi-Zadeh
> > Chief Systems Engineer
> > Conduit Technical Environments Corporation
> > 604.785.4888
>
--
To unsubscribe from this list go to the following URL and read the instructions:
https://lists.samba.org/mailman/listinfo/samba
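An added smb.conf example for the share layout Rodre asks about (Domain Admins read/write, Domain Users read-only, with "force user" on the share); it is not from this thread or from the Samba project. It assumes winbind is running and listed in /etc/nsswitch.conf (passwd: files winbind / group: files winbind), that the AD domain is called EXAMPLE, that a local UNIX account "smbfiles" exists, and Samba 3.0.x-era idmap options.

```ini
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.LOCAL
   security = ads
   # winbind maps AD users/groups to UNIX uids/gids from this range,
   # which is what lets the share below name AD groups with @"...".
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes

[projects]
   path = /srv/samba/projects
   # Who may connect at all: every domain user (Domain Admins are members
   # of Domain Users, so they pass this check too).
   valid users = @"EXAMPLE\Domain Users"
   # Default for everyone on the valid users list is read-only ...
   read only = yes
   # ... except members of Domain Admins, who may write and delete.
   write list = @"EXAMPLE\Domain Admins"
   # All file operations run as one local UNIX account, so the on-disk
   # owner is always smbfiles regardless of which AD user connected.
   # Consequence: the only access control left is the Samba-level lists
   # above, so keep smbfiles a locked, no-shell account that nothing
   # else on the box runs as.
   force user = smbfiles
   force group = smbfiles
   create mask = 0660
   directory mask = 0770
   # Record the connecting AD user in the log, since file ownership no
   # longer tells you who wrote a file.
   log level = 1
```

Check the result with "testparm" and then "smbclient //server/projects -k" as a Domain Users member (a write should fail) and as a Domain Admins member (a write should succeed).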
