Welcome to the most active Linux Forum on the web.
Go Back > Forums > Linux Forums > Linux - Networking
User Name
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.


  Search this Thread
Old 11-07-2003, 02:23 PM   #1
Registered: Sep 2003
Distribution: RH9
Posts: 37

Rep: Reputation: 15
Samba with Domain User accounts

I am trying to find an option to M$ file server under Linux. Everything to this point is M$. Whether anybody goes for it or not, I would like to put the option out there for choice. One of the important necessities is that this doesn't become any more complicated for the EU. As soon as you say Linux to the bosses they think more complex for the user and the users have trouble enough logging in to there computers. I am a Linux newbie trying to become more efficient. At present, I am using RH9, Samba 3, and have security = Domain and have joined the domain successfully. I have a user joe created on the Linux/Samba server and when user joe logs onto his Win2k computer on the NT domain he can access the Samba share I have configured like this:

path = /test
public = no
writable = yes
printable = no
valid users = joe jon art
create mask = 0765

Unless users "joe, jon, and art" are created on the Linux box, the user gets prompted for network authentication:

Connect As:

I don't want anybody to have to do this, since they do not have to do this now (all windoze 2k & NT). There are a lot of users and equally a lot of passwords on the domain and it isn't very efficient to add every user to the Linux box. Is there a way to get around this. Have the Linux server communicate with the PDC since it is a member of the domain?

If that is even possible, can I then give joe read only, jon & art read & write, and deny everybody else access to the "test dir."

Thanks for any help.
Old 11-07-2003, 02:29 PM   #2
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 67
Try setting the "password server" option. see:
man smb.conf
Old 11-07-2003, 03:19 PM   #3
Registered: Sep 2003
Distribution: RH9
Posts: 37

Original Poster
Rep: Reputation: 15
I set "password server = *" and I still get promted for authentication. I enter a vaild domain user account but not one that I have added to the Linux box and it will not take it. I also tried using
"password server = x.x.x.x" where x.x.x.x was PDC and BDC and had the same results.

I have also set the following:
unix password sync = Yes

passwd program = /usr/bin/passwd %u
Old 11-08-2003, 12:05 AM   #4
Registered: May 2003
Distribution: Solaris 10, Solaris 8.0, Fedora Core 3
Posts: 203

Rep: Reputation: 30

Do you have security set to domain in smb.conf? After I did that and set password server to *, I am able to use any domain user logon to view shares. You shouldn't have to create any samba user accounts. Hope this helps. I am running samba to connect to a win2k domain so if you want to check out my smb.conf file let me know.
Old 11-08-2003, 10:42 PM   #5
Registered: Sep 2003
Distribution: RH9
Posts: 37

Original Poster
Rep: Reputation: 15
Yes, I do have "security = Domain". If it isn't a problem, I would like to see your smb.conf.

Also, do I need Windbind? I have never used it and someone told me I needed it to this. I am currently trying to find more info on Winbind now.
Old 11-08-2003, 11:09 PM   #6
Registered: May 2003
Distribution: Solaris 10, Solaris 8.0, Fedora Core 3
Posts: 203

Rep: Reputation: 30
Here is what my smb.conf file looks like, at least the global settings:
#======================= Global Settings =====================================

# workgroup = NT-Domain-Name or Workgroup-Name
workgroup = netp

security = domain

# server string is the equivalent of the NT Description field
server string = Linux Samba Server

# if you want to automatically load your printer list rather
# than setting them up individually then you'll need this
printcap name = /etc/printcap
load printers = yes

# It should not be necessary to spell out the print system type unless
# yours is non-standard. Currently supported print systems include:
# bsd, sysv, plp, lprng, aix, hpux, qnx, cups
printing = cups

# this tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/%m.log

# Put a capping on the size of the log files (in Kb).
max log size = 0

# Security mode. Most people will want user level security. See
# security_level.txt for details.

# Use password server option only with security = server
# The argument list may include:
# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
password server = *

# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
# Do not enable this option unless you have read those documents
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd

# The following is needed to keep smbclient from spouting spurious errors
# when Samba is built with support for SSL.
; ssl CA certFile = /usr/share/ssl/certs/ca-bundle.crt

# The following are needed to allow password changing from Windows to
# update the Linux system password also.
# NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.
# NOTE2: You do NOT need these to allow workstations to change only
# the encrypted SMB passwords. They allow the Unix password
# to be kept in sync with the SMB password.
unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

# You can use PAM's password change control flag for Samba. If
# enabled, then PAM will be used for password changes when requested
# by an SMB client instead of the program listed in passwd program.
# It should be possible to enable this without changing your passwd
# chat parameter for most setups.

pam password change = yes

# Unix users can map to different SMB User names
; username map = /etc/samba/smbusers

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
; include = /etc/samba/smb.conf.%m

# This parameter will control whether or not Samba should obey PAM's
# account and session management directives. The default behavior is
# to use PAM for clear text authentication only and to ignore any
# account or session management. Note that Samba always ignores PAM
# for authentication in the case of encrypt passwords = yes

obey pam restrictions = yes

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
; interfaces =

# Configure remote browse list synchronisation here
# request announcement to, or browse list sync from:
# a specific host or from / to a whole subnet (see below)
; remote browse sync =
# Cause this host to announce itself to local subnets here
; remote announce =

# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
; local master = no

# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
; os level = 33

# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
; domain master = yes

# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
; preferred master = yes

# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations.
; domain logons = yes

# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
; logon script = %m.bat
# run a specific logon batch file per username
; logon script = %U.bat

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
; wins support = yes

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
wins server =

# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one WINS Server on the network. The default is NO.
wins proxy = yes

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
username map = /etc/samba/smbusers
dns proxy = yes
Old 11-11-2003, 11:42 AM   #7
Registered: Sep 2003
Distribution: RH9
Posts: 37

Original Poster
Rep: Reputation: 15
Thank you for the post. I went over carefully but I am confused about what is happening now.

Lets say I have 2 users I am testing with, joe & bob. I create an account for joe on my Linux/Samba box but not bob. The password I set up for joe does not coincide with the domain password set for this user. I create a share on Samba and allow access to both users, joe and bob. The computer I am logged into is logged under a different name so I get username & pass authentication. I enter joe username with the domain password (not the local pass on Linux) and gains access. I try the same with bob and denied access. As soon as I create a standard Linux account for bob, regardless of the password, bob gains access.

It has to be getting the password from the domain controller but not allowing access unless the user has an account. Not a Samba account but a standard Linux account.

I also read on Samba How-to "Use of this mode (Domain) of authentication does require there to be a standard UNIX account for each user in order to assign a UID once the account has been authenticated by the remote Windows DC. "

Am I missing something or is it behaving properly. By what the Samba How-to states, If I have 100 domain users, I have to create 100 standard Linux accounts.

It also states," An alternative to assigning UIDs to Windows users on a Samba member server is presented in .

For more information regarding Domain Membership, see .

"Presented in" what & "see" what?

Old 11-11-2003, 01:54 PM   #8
Registered: Sep 2003
Distribution: RH9
Posts: 37

Original Poster
Rep: Reputation: 15
I got this working now. This is what my Global looks like:


# workgroup = NT-Domain-Name or Workgroup-Name
workgroup = my_domain
security = domain
encrypt passwords = yes
guest ok = yes
dns proxy = no
netbios name = Samba
password server = *
server string = File Server

winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind cache time = 10
template homedir = /home/%D/%U
template shell = /bin/bash

I also followed the "man windbind" and did this:

In /etc/nsswitch.conf put the following:

passwd: files winbind
group: files winbind

In /etc/pam.d/* replace the auth lines with something like this:

auth required /lib/security/
auth required /lib/security/
auth sufficient /lib/security/
auth required /lib/security/ use_first_pass shadow nullok

Note in particular the use of the sufficient keyword and the
use_first_pass keyword.

Now replace the account lines with this:

account required /lib/security/

The next step is to join the domain.

Next, it said to:

copy to/lib and to /lib/secu-
rity. A symbolic link needs to be made from /lib/

but there was already a in /lib and a symbolic link to /lib/ and it didn't say "REPLACE" it said put so I didn't follow that part.

Then next I did:

getent passwd (then)
getent group

and all is working well.

Now, I just need to figure out how give access to Windoze users/groups with different w&r priviledges to different users/groups.

Old 11-11-2003, 02:07 PM   #9
Registered: Sep 2003
Distribution: RH9
Posts: 37

Original Poster
Rep: Reputation: 15
Sorry, I didn't specify what I added. I didn't have any of the winbind entries. This is what I actuallu added:

winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind cache time = 10
template homedir = /home/%D/%U
template shell = /bin/bash

Also, the winbind daemon wasn't running either so I started that as well.
Old 11-11-2003, 11:09 PM   #10
LQ Newbie
Registered: Nov 2003
Posts: 2

Rep: Reputation: 0
Bad news - you *MUST* have a linux account for a user to access a linux box. Just because samba pretends that the linux box is a windows share doesn't change linux rules.

Good news - the accounts can have shell = nothing, home directory = nowhere so that the only space the accounts take up is an entry in the /etc/passwd and shadow password files.

So look in the documentation for how to set up placeholder accounts for your distribution (for instance I know that RedHat needs the -n parameter to Not create home directories).

Basic samba documentation say -
create linux user
create linux password
create samba password
create samba share (done automatically for each user if a [home] section is configured).

Old 11-12-2003, 12:33 PM   #11
Registered: Sep 2003
Distribution: RH9
Posts: 37

Original Poster
Rep: Reputation: 15
Thanks for the feedback "bruceg", but I have got this working "without" creating standard linux user accounts or samba accounts. The Samba server is a domain member that is getting user and pass info through winbind.

What I am trying to do now is to configure access for NT groups.
Old 11-12-2003, 05:01 PM   #12
LQ Newbie
Registered: Jul 2003
Location: Lansing
Distribution: Redhat 8.0, 9, Debian 2.2
Posts: 8

Rep: Reputation: 0
active directory

You can also try using kerberos and winbind to integrate windows users and group on linux. IE you can have a person with a windows account access autheticated shares on a linux server without creating a username on the linux box itself. I am doing this at work and it was pretty slick.

try this out

Old 11-15-2003, 07:35 AM   #13
Registered: Nov 2002
Posts: 73

Rep: Reputation: 15
In skimming this thread, I think I see some confusion in roles. You start off talking about an alternative to MS as a file server. You end up doing windbind. That's not the same thing. Windbind essentially turns a linux box into a Windows workstation, not a file server. Users can sit down at a linux box, and log into it with their NT domain account. All "file services" (such as a home directory) will be running locally on the linux box; just having winbind working doesn't turn the box into a file server for a windows network.

As an example of the latter -- a linux box running as a file server for a windows network -- I am using a linux box to serve up home directories and roaming profiles for an NT domain. Windbind is not configured in my smb.conf. Basically, all this requires as far as samba is concerned is security=domain and the requisite pointers to the password server. But it does require linux accounts (not samba accounts) corresponding to the NT domain accounts that will be accessing the linux server. Creating the linux accounts simultaneously creates the home directories. The linux passwords on these accounts need not be the same as the users' NT domain account passwords, and shouldn't be if you want to prevent users from accessing what is really a server they shouldn't have access to anyway.

If you are happy with what you ended up with using windbind, then it doesn't seem you really wanted a file server to begin with. You wanted a linux desktop that would authenticate against an NT domain.

To recap, we're talking about two different scenarios:

1. Linux workstation using windbind to validate logins against a Windows NT/2K domain controller (or possibly a Samba PDC).

2. Windows workstations accessing a Linux server for home directories and roaming profiles.

See the difference?
Old 11-20-2003, 09:49 AM   #14
LQ Newbie
Registered: Dec 2001
Posts: 14

Rep: Reputation: 0
What he wants is linux to be a part of the Windows Active Directory Domain in exactly the same way that the Windows boxes are.

Every windows system is both a server and a workstation. Being a part of the AD means there is a central location for user accounts and groups so that you SHOULDN'T have to create user accounts on the individual systems.

Even if he wanted to make a Linux box a Windows server, he would still want be a part of his existing Domain and authenticate by it. Once it's all set up he should be able to log in to the system based on the windows domain login and from that point be authenticated on the network. Not where everytime you want to connect to a network resource you have to put in your login info. Also, he wants to be able set permissions on the shares on the Linux box in exactly the same manner as he would on any other system in the domain.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
samba accounts/ unix accounts Buzz88 Linux - Newbie 3 09-25-2005 08:16 AM
winbind + samba + gdm unable to login with Domain user theowl Linux - Networking 1 06-11-2004 08:30 AM
Samba 2.2.8a: How to migrate user profiles from a Broken domain to a new one ferrantepunto Linux - Software 0 06-11-2004 04:13 AM
New user e-mail accounts in domain. sarathmohan Linux - Newbie 2 10-17-2003 12:38 AM
Samba user accounts broxys Linux - Networking 1 08-16-2003 04:51 AM > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 05:41 PM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration