Originally Posted by vathsan
I work as a system administrator for AIX and Linux servers. We have an FTP server running on Linux which has folders shared to the Windows domain using Samba.
The new requirement is to map users created on the Linux machine to Windows users in such a way that, when a user logs in to a Windows machine with an ID, say "X123", in domain "TEST", his access control to the Samba shares should reflect the same user ID created on the Linux machine. (FYI, both the Windows and Linux machines are in the same network and domain.)
Please let me know the step-by-step procedure to configure the Linux machine (smb.conf entries or any new file to be created for user mapping) to identify the Windows user login and provide access restrictions accordingly. Any docs or existing solutions are much appreciated!
Please respond for any more details / clarifications needed.
Thanks in Advance!!
SAMBA provides a number of different ways to authenticate users and identify them. If you add each user with "smbpasswd" and make the user name and password identical to the Windows system then users will be logged on automatically (Windows sends the user name and encrypted password).
You can also use "winbindd" to have SAMBA directly authenticate users with the primary domain controller.
You can find out more about either program in the man pages.
There are two d's at the end of "winbindd".
Users and groups are identified by a SID (Security ID) and that comes from some computer that authenticates the user. Without a domain controller each computer authenticates users based on its own user database and each computer has a different SID for the same user name even if the passwords are identical. It is only the fact that the password will be sent automatically that avoids the need to explicitly log on to each other computer.
When a domain controller is present, computers agree to trust that domain controller to authenticate users. Users receive an SID for the domain. Computers that trust the domain controller accept the SID and identity of the user from the domain controller.
How a user logs on is important. If a user logs on to the domain then they receive an SID for the domain. If they log on to a single computer then they receive a different SID as a user just on that one computer. Thus the two users are considered different even if they have the same user name and password.
The "winbindd" service communicates with a domain controller to authenticate users for the domain instead of using a local (and separate) database (as with smbpasswd).
Since user names on domain controllers may differ from those on the Linux machine, there is a "username map" option in the "smb.conf" file. The user name map file contains the mapping between Windows user names (including a domain prefix) and a Linux user name for determining access permissions. That is how you can tie Windows domain users to Linux users for SAMBA.
You can find out more by using "man smb.conf" and then searching for "username map". Enter a forward slash to search the man page.
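As an added illustration of the answer above (this is not code from the thread or from the Samba project), the script below writes a minimal smb.conf fragment for a domain member that authenticates through winbindd, writes a "username map" file that ties the question's Windows user "TEST\X123" to a Linux account, and then shows how a lookup against that map resolves. The realm, the idmap ranges, the share path, the Linux account name "vathsan" and the temporary directory are constructed placeholders; joining the host to the domain (net ads join) and starting winbindd are assumed to have been done separately. The lookup function is a simplified re-implementation of the map semantics described in smb.conf(5) (lines processed top to bottom, first match wins, a leading "!" stops further processing, unmatched names pass through unchanged); the case-insensitive comparison is an assumption here, so check the man page for the exact rules of your Samba version.

```shell
#!/bin/sh
# Added example: build a Samba username map for domain users and resolve names against it.
# All names, paths and ranges below are constructed placeholders, not values from the thread.

WORK="${WORK:-$(mktemp -d)}"
MAP_FILE="$WORK/user.map"
SMB_CONF="$WORK/smb.conf"

# Write the smb.conf fragment and the map file into $WORK.
write_files() {
    # smb.conf only recognises '#' / ';' at the start of a line, so comments stand alone.
    cat > "$SMB_CONF" <<EOF
[global]
   workgroup = TEST
   # placeholder Kerberos realm of the domain
   realm = TEST.EXAMPLE
   # domain member: winbindd asks the domain controller to authenticate users
   security = ads
   # keep the DOMAIN\\user form so the map file entries match
   winbind use default domain = no
   # placeholder idmap ranges for domain SIDs
   idmap config * : backend = tdb
   idmap config * : range = 10000-19999
   idmap config TEST : backend = rid
   idmap config TEST : range = 20000-29999
   username map = $MAP_FILE

[ftpdata]
   path = /srv/ftp
   # the Linux name that the map assigns is what the share-level ACL sees
   valid users = vathsan
EOF
    cat > "$MAP_FILE" <<'EOF'
# unixname = windowsname [windowsname ...]   processed top to bottom, first match wins
# A leading '!' stops processing once this line has mapped the user.
!root = TEST\administrator
vathsan = TEST\X123
EOF
}

# map_user 'DOMAIN\name'  -> prints the Linux user the map assigns, or the input
# unchanged when no line matches (an unmatched name is passed through by Samba).
map_user() {
    # The name is passed via the environment: awk -v would interpret the backslash.
    WANT="$1" awk '
        BEGIN { want = tolower(ENVIRON["WANT"]); found = 0 }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            line = $0
            if (line ~ /^[[:space:]]*!/) sub(/^[[:space:]]*!/, "", line)
            n = split(line, parts, "=")
            if (n < 2) next
            unix = parts[1]
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", unix)
            m = split(tolower(parts[2]), names, /[[:space:]]+/)
            for (i = 1; i <= m; i++)
                if (names[i] == want) { print unix; found = 1; exit }
        }
        END { if (!found) print ENVIRON["WANT"] }' "$MAP_FILE"
}

write_files
for w in 'TEST\X123' 'TEST\administrator' 'TEST\someone'; do
    printf '%-22s -> %s\n' "$w" "$(map_user "$w")"
done
```

The script only writes to the temporary directory; copy the two files into /etc/samba once the domain join works, and run `testparm` to let Samba validate the syntax before restarting smbd and winbindd.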