* [gentoo-user] Samba !
From: brunogola @ 2006-01-06 12:32 UTC
To: gentoo-user
Good morning (in Brazil) guys :-)
I know that this is not the best place to ask this, but I don't know where to find information about my doubt.
I have a machine running Linux, and I'm authenticating in a Windows 2000 domain (Active Directory) using
samba, winbind and kerberos. What I need to know is if there is a way of making some other machines
authenticate in this machine, and this machine will ask the password for the Windows 2000 domain (only for some
users, and the user needs to be in the /etc/passwd). Let me explain: I have a user 'bob' that is not a user in
the domain, but he has his username and password on my Linux machine, so he can authenticate. I have a user
bgola who has the username on the AD and on the Linux machine, but the password isn't on the Linux machine, only
on the AD. He can authenticate too.
In summary: my Linux machine will use the username database from its own but the password database from its own
AND from the AD.
Does anyone know if it's possible? I saw something about password server in the smb.conf but I don't have any idea of
how it works.
Thanks for any answer and sorry for my bad English, I'm trying to learn :-)!
Bruno Gola
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] Samba !
From: Stroller @ 2006-01-06 14:10 UTC
To: gentoo-user, brunogola
On 6 Jan 2006, at 12:32, brunogola wrote:
>
> I have a machine running Linux, and I'm authenticating in a
> Windows 2000 domain (Active Directory) using
> samba, winbind and kerberos.
Hi there,
I've done some of this recently, and I don't think you need Active
Directory, winbind AND kerberos. My understanding is that all three
are separate mechanisms for authenticating *nix users against a
Windows domain.
Active Directory is MS's name for LDAP, so if you use that then your
applications would be compiled using the LDAP USE flag & would treat
the MS server as an LDAP server. I don't believe its schemas are
terribly good for *nix users - I use Winbind, which uses PAM to
appear part of the local authentication process and pass these on to
the Windows DC.
> What I need to know is if there is a way of making some other machines
> authenticate in this machine, and this machine will ask the
> password for the Windows 2000 domain (only for some
> users, and the user needs to be in the /etc/passwd).
It would be helpful if you gave an example of which programs /
services on which machines (A, B and C??) you need to be able to
authenticate in this way.
> Let me explain: I have a user 'bob' that is not a user in
> the domain, but he has his username and password on my Linux
> machine, so he can authenticate. I have a user
> bgola who has the username on the AD and on the Linux machine, but
> the password isn't on the Linux machine, only
> on the AD. He can authenticate too.
> In summary: my Linux machine will use the username database from its
> own but the password database from its own
> AND from the AD.
I believe that in this situation it would be unusual to give
bgola a username on the Linux machine - he has one on the AD, so if
you use Winbind then he doesn't need one on the Linux box. He can
have a homedir, since he may need to store files on the Linux box,
but that's not the same, I think, as having an account.
For instance on my Linux/Winbind machine on an AD:
$ getent passwd | grep -e stroller -e ned
stroller:x:1000:100::/home/stroller:/bin/bash
ned:x:10012:10000:Some Geezer:/home/DOMAIN/ned:/bin/false
$ grep -e stroller -e ned /etc/passwd
stroller:x:1000:100::/home/stroller:/bin/bash
$ ls -ld ~stroller ~ned
drwxr-xr-x 3 ned domain users 160 Jan 6 06:32 /home/DOMAIN/ned
drwxr-xr-x 5 stroller users 272 Jan 6 03:58 /home/stroller
Both users can authenticate, depending on how the /etc/pam.d/
the_authenticating_service is set up. I use pam_mkhomedir.so to
create a home directory for any users authenticating via Winbind, but
beware this only works for services which call PAM "session" directives.
I used this guide to set it all up: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html#id2621482
Please CC me should you reply to the list with further questions,
Stroller.
* Re: [gentoo-user] Samba !
From: brunogola @ 2006-01-06 16:24 UTC
To: gentoo-user; +Cc: stroller
Thanks for your help, I'll try to explain a little better what I already have and what I want to do :-)
>
> On 6 Jan 2006, at 12:32, brunogola wrote:
> >
> > I have a machine running Linux, and I'm authenticating in a
> > Windows 2000 domain (Active Directory) using
> > samba, winbind and kerberos.
>
> Hi there,
>
> I've done some of this recently, and I don't think you need Active
> Directory, winbind AND kerberos. My understanding is that all three
> are separate mechanisms for authenticating *nix users against a
> Windows domain.
>
> Active Directory is MS's name for LDAP, so if you use that then your
> applications would be compiled using the LDAP USE flag & would treat
> the MS server as an LDAP server. I don't believe its schemas are
> terribly good for *nix users - I use Winbind, which uses PAM to
> appear part of the local authentication process and pass these on to
> the Windows DC.
>
My notebook running Linux is already authenticating against the Windows domain (AD). I've done this using samba,
kerberos5 and winbind (PAM modules etc.), that's working perfectly :-)
Now, what I need: my desktop (which is another Linux machine) authenticating against my notebook, using samba,
but the problem is that samba is already configured on the notebook as an AD domain member :S.
> > What I need to know is if there is a way of making some other machines
> > authenticate in this machine, and this machine will ask the
> > password for the Windows 2000 domain (only for some
> > users, and the user needs to be in the /etc/passwd).
>
> It would be helpful if you gave an example of which programs /
> services on which machines (A, B and C??) you need to be able to
> authenticate in this way.
>
Well, the principal service is a VMware GSX Server running on my notebook; I need to be able to authenticate
(using the vmware-console) from any machine in my network (Windows or Linux). I think the VMware thing is the
least important part, because it should be easy to edit pam.d/vmware-authd after everything is configured.
> > Let me explain: I have a user 'bob' that is not a user in
> > the domain, but he has his username and password on my Linux
> > machine, so he can authenticate. I have a user
> > bgola who has the username on the AD and on the Linux machine, but
> > the password isn't on the Linux machine, only
> > on the AD. He can authenticate too.
> > In summary: my Linux machine will use the username database from its
> > own but the password database from its own
> > AND from the AD.
>
> I believe that in this situation it would be unusual to give
> bgola a username on the Linux machine - he has one on the AD, so if
> you use Winbind then he doesn't need one on the Linux box. He can
> have a homedir, since he may need to store files on the Linux box,
> but that's not the same, I think, as having an account.
>
I want to have bgola on the Linux machine for a control purpose, i.e. only authenticate if the user exists on
the machine. This is already working for console/ssh/etc. on the notebook.
> For instance on my Linux/Winbind machine on an AD:
>
> $ getent passwd | grep -e stroller -e ned
> stroller:x:1000:100::/home/stroller:/bin/bash
> ned:x:10012:10000:Some Geezer:/home/DOMAIN/ned:/bin/false
> $ grep -e stroller -e ned /etc/passwd
> stroller:x:1000:100::/home/stroller:/bin/bash
> $ ls -ld ~stroller ~ned
> drwxr-xr-x 3 ned domain users 160 Jan 6 06:32 /home/DOMAIN/ned
> drwxr-xr-x 5 stroller users 272 Jan 6 03:58 /home/stroller
>
> Both users can authenticate, depending on how the /etc/pam.d/
> the_authenticating_service is set up. I use pam_mkhomedir.so to
> create a home directory for any users authenticating via Winbind, but
> beware this only works for services which call PAM "session" directives.
>
> I used this guide to set it all up: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html#id2621482
>
> Please CC me should you reply to the list with further questions,
>
> Stroller.
Summary: I need to transform my notebook (which is an AD domain member) into an auth server, but without leaving the
AD domain member status, because it will need to get the passwords for some accounts from the AD server.
Thanks for your help,
Bruno Gola
* Re: [gentoo-user] Samba !
From: Stroller @ 2006-01-06 20:28 UTC
To: gentoo-user
On 6 Jan 2006, at 16:24, brunogola wrote:
>
> My notebook running Linux is already authenticating against the
> Windows domain (AD). I've done this using samba,
> kerberos5 and winbind (PAM modules etc.), that's working perfectly :-)
>
> Now, what I need: my desktop (which is another Linux machine)
> authenticating against my notebook, using samba,
> but the problem is that samba is already configured on the notebook
> as an AD domain member :S.
> ...
> Well, the principal service is a VMware GSX Server running on my
> notebook; I need to be able to authenticate
> (using the vmware-console) from any machine in my network (Windows
> or Linux). I think the VMware thing is the
> least important part, because it should be easy to edit pam.d/vmware-
> authd after everything is configured.
> ...
> I want to have bgola on the Linux machine for a control purpose,
> i.e. only authenticate if the user exists on
> the machine. This is already working for console/ssh/etc. on the
> notebook.
I'm afraid I'm not sure how much I can help here - it's not something
I'd do because philosophically I disagree with your approach. That's
not to say it's not right _for you_ but I wouldn't have a user in two
places (on the Linux box & the AD). You even have the possibility
with this approach, I think, to separate users & passwords
(for a single auth) between the two boxes. Will VMware GSX use the ~
for the user on the Linux box or for the user on the AD to store its
files?
Personally, I'd have the user exist on the domain or possibly on the
Linux box, but not on both.
Since you say that VMware GSX Server (which I'm not familiar with)
uses PAM it should be possible to get this to authenticate users on
either the AD or /etc/passwd OR BOTH. It should be possible to use
some other mechanism - possibly group memberships - to restrict
VMware GSX Server log-in rights to or from certain users. Dovecot
IMAP, for instance, has a "deny passdb" and also a valid userID
range. I would personally consider this kind of approach more elegant.
I'm not trying to be snobby saying "I wouldn't do it this way", just
sorry I can't help. Good luck with it.
Stroller.
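The PAM stack that both of Stroller's replies sketch (local users through pam_unix, domain users through pam_winbind, a group-membership restriction, pam_mkhomedir only in the session phase) combined with Bruno's "only if the user exists in /etc/passwd" rule, written out as an added example that is not from the thread. It assumes Linux-PAM with Samba 3's pam_winbind; the service file name vmware-authd is Bruno's, the domain group name is a constructed placeholder.

```text
# /etc/pam.d/vmware-authd   (constructed example, not from the thread)
#
# bob   : in /etc/passwd with a real hash in /etc/shadow  -> pam_unix succeeds
# bgola : in /etc/passwd, shadow field locked ("!")       -> pam_unix fails,
#         the same password is then tried against the AD through winbind

# 1. The account must exist locally (Bruno's "control" rule); pam_localuser
#    only succeeds for names present in /etc/passwd, so a domain user who
#    was never added locally is refused before the DC is even contacted.
auth     required    pam_localuser.so
# 2. Try the local password first; "sufficient" ends the stack on success
#    and merely falls through on failure.
auth     sufficient  pam_unix.so
# 3. Ask the DC with the password already typed (use_first_pass), and only
#    admit members of one domain group, the mechanism Stroller suggests.
#    DOMAIN\vmware-users is a placeholder group name.
auth     sufficient  pam_winbind.so use_first_pass require_membership_of=DOMAIN\vmware-users
# 4. Nothing above succeeded: deny explicitly, never fall off the end.
auth     required    pam_deny.so

account  required    pam_localuser.so
account  sufficient  pam_unix.so
account  sufficient  pam_winbind.so
account  required    pam_deny.so

# Runs only for services that open a PAM session, as Stroller warns: a
# daemon that calls just "auth"/"account" never creates the home directory.
session  required    pam_mkhomedir.so skel=/etc/skel umask=0022
session  required    pam_unix.so
```

Check the result with `getent passwd bgola` (the user must resolve) and by attempting a log-in with a locally-known user who is not in the domain group; both the local-password and the winbind path should appear in the auth log, and the missing-group case should be refused at step 3.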