From: Stroller
Subject: Re: [gentoo-user] Samba !
Date: Fri, 6 Jan 2006 14:10:30 +0000
To: gentoo-user@lists.gentoo.org, brunogola
Message-Id: <341EF207-ECDB-471C-93F2-84F680F12092@stellar.eclipse.co.uk>

On 6 Jan 2006, at 12:32, brunogola wrote:
>
> I have a machine running linux, and I'm authenticating in a
> windows 2000 domain (Active directory) using
> samba, winbind and kerberos.

Hi there,

I've done some of this recently, and I don't think you need active
directory, winbind AND kerberos. My understanding is that all three are
separate mechanisms for authenticating *nix users against a Windows
domain.

Active directory is MS's name for LDAP, so if you use that then your
applications would be compiled using the LDAP USE flag & would treat
the MS server as an LDAP server. I don't believe its schemas are
terribly good for *nix users - I use Winbind, which uses PAM to appear
part of the local authentication process and pass these on to the
Windows DC.

> What I need to know is if there is a way of making some other machines
> authenticate in this machine, and this machine will ask the
> password for the windows 2000 domain (only for some
> users, and the user need to be in the /etc/passwd).

It would be helpful if you gave an example of which programs / services
on which machines (A, B and C??) you need to be able to authenticate in
this way.

> Let me explain: I have a user 'bob' that is not a user in
> the domain, but it has your username and password on my linux
> machine, so he can authenticate. I have a user
> bgola who has the username on the AD and on the linux machine, but
> the password isn't on the linux machine, only
> on the AD. He can authenticate too.
> Resuming: my linux machine will use the username database from its
> own but the password database from its own
> AND from the AD.

I believe that in this situation it would be unusual to give bgola a
username on the Linux machine - he has one on the AD, so if you use
Winbind then he doesn't need one on the Linux box. He can have a
homedir, since he may need to store files on the Linux box, but that's
not the same, I think, as having an account.

For instance on my Linux/Winbind machine on an AD:

$ getent passwd | grep -e stroller -e ned
stroller:x:1000:100::/home/stroller:/bin/bash
ned:x:10012:10000:Some Geezer:/home/DOMAIN/ned:/bin/false
$ grep -e stroller -e ned /etc/passwd
stroller:x:1000:100::/home/stroller:/bin/bash
$ ls -ld ~stroller ~ned
drwxr-xr-x 3 ned domain users 160 Jan 6 06:32 /home/DOMAIN/ned
drwxr-xr-x 5 stroller users 272 Jan 6 03:58 /home/stroller

Both users can authenticate, depending on how the
/etc/pam.d/the_authenticating_service is set up. I use pam_mkhomedir.so
to create a home directory for any users authenticating via Winbind,
but beware this only works for services which call PAM "session"
directives.

I used this guide to set it all up:
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html#id2621482

Please CC me should you reply to the list with further questions,

Stroller.

--
gentoo-user@gentoo.org mailing list
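
The arrangement described in the message above, sketched as an added example (it is not part of the original message and is not Stroller's own configuration). It assumes Linux-PAM with pam_winbind.so and pam_mkhomedir.so installed; the service file name is the placeholder used in the message, and the module options shown are illustrative choices.

```conf
# Added illustration; not taken from the message above.

# --- /etc/nsswitch.conf (relevant lines) ---------------------------------
# Local files are consulted first, then winbind. This is why
# "getent passwd" lists a domain user such as ned even though
# /etc/passwd contains no entry for him.
passwd: files winbind
group:  files winbind

# --- /etc/pam.d/the_authenticating_service (placeholder name) -------------
# auth: a password accepted by the domain controller via winbind is
# enough on its own. If winbind rejects it (for example a purely local
# user), fall through to the local password database, reusing the
# password that was already typed.
# Caveat: once a "sufficient" module succeeds, later modules in this
# stack are skipped, so any module that must always run (login
# restrictions, for instance) belongs above the pam_winbind.so line.
auth     sufficient  pam_winbind.so
auth     required    pam_unix.so try_first_pass

# account: same order, so domain accounts are validated by winbind and
# local accounts by pam_unix.
account  sufficient  pam_winbind.so
account  required    pam_unix.so

# session: pam_mkhomedir.so creates the home directory on first login,
# copying from the skeleton directory. It only runs for services that
# actually open a PAM session; a service that only calls auth/account
# will authenticate the user but never create the directory.
# umask=0077 (an assumption here) keeps new home directories private.
session  required    pam_mkhomedir.so skel=/etc/skel umask=0077
session  required    pam_unix.so
```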