From: Stroller <stroller@stellar.eclipse.co.uk>
To: gentoo-user@lists.gentoo.org, brunogola <brunogola@terra.com.br>
Subject: Re: [gentoo-user] Samba !
Date: Fri, 6 Jan 2006 14:10:30 +0000
Message-ID: <341EF207-ECDB-471C-93F2-84F680F12092@stellar.eclipse.co.uk>
In-Reply-To: <ISO85U$01C0FA26A923C98286D91726EA371D56@terra.com.br>

On 6 Jan 2006, at 12:32, brunogola wrote:
>
> I have a machine running linux, and I'm authenticating in a
> windows 2000 domain (Active directory) using
> samba, winbind and kerberos.

Hi there,

I've done some of this recently, and I don't think you need active
directory, winbind AND kerberos. My understanding is that all three
are separate mechanisms for authenticating *nix users against a
Windows domain.

Active directory is MS's name for LDAP, so if you use that then your
applications would be compiled using the LDAP USE flag & would treat
the MS server as an LDAP server. I don't believe its schemas are
terribly good for *nix users - I use Winbind, which uses PAM to
appear part of the local authentication process and pass these on to
the Windows DC.

> What I need to know is if there is a way of making some other machines
> authenticate in this machine, and this machine will ask the
> password for the windows 2000 domain (only for some
> users, and the user needs to be in the /etc/passwd).

It would be helpful if you gave an example of which programs /
services on which machines (A, B and C??) you need to be able to
authenticate in this way.

> Let me explain: I have a user 'bob' that is not a user in
> the domain, but it has your username and password on my linux
> machine, so he can authenticate. I have a user
> bgola who has the username on the AD and on the linux machine, but
> the password isn't on the linux machine, only
> on the AD. He can authenticate too.
> Resuming: my linux machine will use the username database from its
> own but the password database from its own
> AND from the AD.

I believe that in this situation it would be unusual to give
bgola a username on the Linux machine - he has one on the AD, so if
you use Winbind then he doesn't need one on the Linux box. He can
have a homedir, since he may need to store files on the Linux box,
but that's not the same, I think, as having an account.

For instance on my Linux/Winbind machine on an AD:

$ getent passwd | grep -e stroller -e ned
stroller:x:1000:100::/home/stroller:/bin/bash
ned:x:10012:10000:Some Geezer:/home/DOMAIN/ned:/bin/false
$ grep -e stroller -e ned /etc/passwd
stroller:x:1000:100::/home/stroller:/bin/bash
$ ls -ld ~stroller ~ned
drwxr-xr-x 3 ned domain users 160 Jan 6 06:32 /home/DOMAIN/ned
drwxr-xr-x 5 stroller users 272 Jan 6 03:58 /home/stroller

Both users can authenticate, depending on how the
/etc/pam.d/the_authenticating_service is set up. I use pam_mkhomedir.so to
create a home directory for any users authenticating via Winbind, but
beware this only works for services which call PAM "session" directives.

I used this guide to set it all up:
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html#id2621482

Please CC me should you reply to the list with further questions,

Stroller.
--
gentoo-user@gentoo.org mailing list