LinuxQuestions.org

sharkcohen 11-19-2003 10:58 PM

using 2000 Server to authenticate users for Samba
 
I'm using Samba version 2.2.1a on Red Hat 7.2. I have a Windows 2000 Server domain with 2000 Pro clients. I added the Linux machine to Users and Computers in Active Directory. I can see the Linux machine and the share I created in Samba in My Network Places. Before configuring smb.conf to set up 2000 Server to authenticate users for access to the Linux share, I could access the Linux share fine. In smb.conf, I set security = server and password server = *. After, when trying to connect to the share, I get the following message on the 2000 Pro machines: Incorrect password or unknown username. Someone please help.

baz2 11-20-2003 09:13 AM

I'd seriously consider upgrading to a later version of RH/Samba. I'm not up to date on the various versions of samba, but with RH 9, I use security=domain. This requires the linux machine to have been joined to the domain (not sure that this is the same, or simply accomplished by, adding the machine through the users and computers console). It also requires linux accounts on the linux machine corresponding to the accounts on the windows machine, but you do not need samba accounts. With security=server, I think you are going to not only have to have a linux account and password for each windows user account, but a samba account and password.

I suggest you read this to understand the various samba security modes.

sharkcohen 11-20-2003 01:01 PM

I've been considering upgrading Samba, probably am going to do that tomorrow. Thanks for the link.

sharkcohen 11-20-2003 06:53 PM

Does anyone else have any thoughts on this? Would it help if I posted my smb.conf? Understand, I've done a ton of reading on this subject and came up with nothing but conflicting answers. If anyone has anything to add, please don't be shy.

baz2 11-21-2003 08:38 AM

Have you configured samba accounts and passwords? I think you need to do that with security=server. Read here for instructions on configuring samba passwords.

Assuming that you have samba passwords and accounts corresponding to your Windows passwords and accounts, then users logged in on a windows machine should be able to access their home directories on the linux machine (as well as any public shares).

To be clear, on the linux machine, you need both linux accounts and samba accounts/passwords. Assume you have a windows user named "joeblow" with a password of "password." Set up a linux account for "joeblow." Then configure a samba account/password for "joeblow" with a password of "password" using the steps outlined in the link above. (There is a better way, for managing these samba accounts, but I suggest you do it the way described above first so that you understand what is involved.) Now with "joeblow" logged into the windows machine, have him browse the network and find the samba server. When he double clicks on it, his "joeblow/password" credentials get passed to the samba server, and a window opens showing his home directory and public shares on the samba server.

baz2 11-21-2003 08:45 AM

Just another comment, prompted by taking another look at the subject header for this thread.

security=server doesn't really constitute "using 2000 Server to authenticate users for Samba." If you read the first link I posted on samba security levels, you'll see where it describes security=server as a form of security=user. That's why you need the samba passwords.

You need security=domain for samba to rely on a Windows server for authentication. And the windows server has to be a domain controller. I suggest you look into how this level of security is configured, and especially the command necessary to get your linux machine trusted by the domain. It is in that first link I posted.

sharkcohen 11-21-2003 04:52 PM

Thanks for the additional info. I do have a 2000 Server domain controller, in native mode. I had tried setting security = domain and then tried using the command smbpasswd -j [domain controller] -r [domain name] -Uadmin%password (with my actual names and passwords, not this generic example), and I got two consecutive error messages. I cannot remember offhand the exact content of the messages (which I can post later), but the gist was "failed". That's why I tried adding the Linux machine into Active Directory on the domain controller side. I'm not sure, but I'm wondering if the problem here might be my version of Samba.

In any case, thanks for all the links, I'm going to read them all and try to get this working later tonight.

sharkcohen 11-24-2003 12:16 AM

I was not able to figure out what the problem was with the version of Samba I was using. However, upgrading to v3.0.0 helped. In v3.0.0 I was able to use the "net rpc join" command (not available in the version I was previously using) to connect the Samba machine to the 2000 domain, and with "security = domain" everything worked well.

I did indeed need a corresponding Linux account on the Linux machine. I did have one set up for testing when I was using the previous version of Samba. Now I'm trying to get winbind to work to eliminate the need for the Linux accounts (it's not going well).

Thank you for the help, baz2.
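
An added example, not part of any post in this thread: a small Python check that reads the [global] section of an smb.conf and reports the security mode together with what the posters above found for it. The two sample configs, the domain name EXAMPLEDOM and the function names are constructed for this example.

```python
import re

# What the thread reports for each mode (participants' findings, not Samba docs).
THREAD_NOTES = {
    "server": "logons failed in the thread; described there as a form of "
              "security = user that still needs Samba accounts/passwords",
    "domain": "worked after 'net rpc join' on Samba 3.0.0; each user still "
              "needed a matching Linux account",
}

def parse_global(text):
    """Return the [global] parameters of an smb.conf as a dict.

    Names are case-insensitive and whitespace inside them is ignored; lines
    starting with ';' or '#' are comments; a trailing backslash continues.
    """
    params, section = {}, None
    for raw in re.sub(r"\\\r?\n", "", text).splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def audit(text):
    """Return (mode, findings) for the authentication settings in [global]."""
    g = parse_global(text)
    mode = g.get("security", "user").lower()   # unset means security = user
    findings = [THREAD_NOTES.get(mode, "mode not discussed in this thread")]
    if mode == "server":
        findings.append("switch to security = domain and join the domain")
    if mode == "domain" and "workgroup" not in g:
        findings.append("workgroup is unset; it must name the domain")
    return mode, findings

# Constructed samples: the poster's first attempt and the reported fix.
BEFORE = "[global]\n  Security = server\n  password server = *\n"
AFTER = "[global]\n  workgroup = EXAMPLEDOM\n  security = domain\n"

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(conf))
```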

baz2 11-24-2003 06:57 AM

Glad to help. On winbind, why do you think you need it? I'm asking, because I'm still trying to figure out the role of winbind if using a linux machine as a file server as opposed to a workstation. I've installed it a few times, just to play around with it. What it does -- from my perspective -- is allow NT/2K domain users to log in locally on a linux machine. That's fine, if the machine is to be used as a user workstation, but I generally do not want users logging into my servers. (Plus, I haven't figured out yet how to serve up roaming profiles to linux workstations running winbind, and until I do, that limits their usefulness as a NT/2K domain workstation from my point of view.)

So I find that security=domain, with linux accounts on the linux box, adequate for my purposes (as a file server for NT/2K roaming profiles, and as a print server). Especially nice, from my POV, is that the linux accounts need not have a password matching the password of the NT/2K user being authenticated by the DC. This keeps the user from being able to log into the server with their NT/2K account.

Good luck with samba. It has been a lifesaver for me.


All times are GMT -5.