LinuxQuestions.org


nlong1 05-27-2004 04:06 PM

security = domain option in smb.conf requires the user have an account on linux
 
Good afternoon, I have spent my first week on linux, so clearly this question comes from a newbie. I have been given the task of configuring samba on redhat version 3.0. My goal is to set up security for samba in such a way that users can map a drive to the linux box without having an account on the linux box. Here is my smb.conf file:


workgroup = WVUS
netbios name = PORTAL2
server string = Samba Server %v
encrypt passwords = Yes
log file = /var/opt/samba/log.%m
security = domain
password server = samuel
max log size = 1000
log level =3
socket options = TCP_NODELAY

My understanding is that setting the security to server would free us from creating local linux users, users whose only purpose would be to represent the users signed on to the domain. When a user who does not have a linux account but has an NT2000 domain account tries to map an existing samba share on the linux box, the following error messages are displayed:


[2004/05/25 17:12:52, 3] auth/auth.c:check_ntlm_password(219)
check_ntlm_password: Checking password for unmapped user [WVUS]\[rthompso]@[8GSCC11] with the new password interface
[2004/05/25 17:12:52, 3] auth/auth.c:check_ntlm_password(222)
check_ntlm_password: mapped user is: [WVUS]\[rthompso]@[8GSCC11]
[2004/05/25 17:12:52, 3] smbd/sec_ctx.c:push_sec_ctx(256)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2004/05/25 17:12:52, 3] smbd/uid.c:push_conn_ctx(287)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2004/05/25 17:12:52, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/05/25 17:12:52, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/05/25 17:12:52, 3] libsmb/namequery_dc.c:rpc_dc_name(143)
rpc_dc_name: Returning DC SAMUEL (89.0.0.53) for domain WVUS
[2004/05/25 17:12:52, 3] libsmb/cliconnect.c:cli_start_connection(1337)
Connecting to host=SAMUEL
[2004/05/25 17:12:52, 3] lib/util_sock.c:open_socket_out(710)
Connecting to 89.0.0.53 at port 445
[2004/05/25 17:12:52, 3] auth/auth_util.c:make_server_info_info3(1092)

[2004/05/25 17:12:52, 3] auth/auth_util.c:make_server_info_info3(1092)
User rthompso does not exist, trying to add it
[2004/05/25 17:12:52, 0] auth/auth_util.c:make_server_info_info3(1100)
make_server_info_info3: pdb_init_sam failed!
[2004/05/25 17:12:52, 2] auth/auth.c:check_ntlm_password(312)
check_ntlm_password: Authentication for user [rthompso] -> [rthompso] FAILED
with error NT_STATUS_NO_SUCH_USER


So if anyone has any suggestions, please let me know; again, the goal is to not have to add users to the linux box in order for a user to access a samba share.


Thank you in advance for your input.

Vlad-A 05-27-2004 11:44 PM

My understanding is that *neither* security=server *nor* security=domain will free you from having local UNIX accounts for your users !!!
The only thing not done anymore is looking for the user account in smbpasswd.

When a client attempts to contact your samba server PORTAL2 then PORTAL2 contacts samuel (your PDC). If the authentication succeeds
then PORTAL2 looks for a *local UNIX account* that can be mapped to the client.

If this fails then you *can't access* the resources/shares from PORTAL2.

Nevertheless, there is a way with SAMBA to create *on demand* local user accounts if they are not present.

Add in the [global] section of smb.conf

adduser script = /usr/bin/useradd -m %u

This will free you up from maintaining and keeping in sync the local (UNIX) user database and the Windows PDC database.

So here is how authentication will now work:

Client attempts to contact PORTAL2. PORTAL2 contacts PDC samuel. If the authentication succeeds
then PORTAL2 looks for a *local UNIX account* that can be mapped to the client. If there is no
local account that can match the client, the adduser script is invoked by samba (*as root* !!!).
If the script executes successfully, samba will continue as if the user was already present.
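The flow described above (PDC authenticates, smbd then needs a local UNIX account, otherwise it runs the adduser script as root) fails quietly when the configured script path is wrong. The following is an added example, not code from this thread or from the Samba project: a small Python checker that reads the [global] section of an smb.conf and reports the problems a practitioner would check for before relying on on-demand account creation. The two sample configurations and the /bin/sh placeholder script path are constructed for the demonstration; substitute the real useradd path reported by `which useradd` on the server.

```python
"""Added example: a minimal smb.conf [global] checker (not Samba's own code).
It understands only '[section]' headers and 'key = value' lines, which is
enough for the parameters discussed in this thread."""
import os
import shlex
from typing import Dict, List

# Parameters whose value is a command smbd runs as root with %u substituted.
ROOT_SCRIPT_PARAMS = ("adduser script", "add machine script")
PDC_MODES = ("domain", "server", "ads")


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {parameter: value}}. Parameter names are lower-cased
    and whitespace-normalised because Samba treats them case-insensitively."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def check_script(value: str) -> str:
    """Return 'ok' or the reason a configured script cannot run.
    smbd does not search PATH, so the first word must be an absolute path
    to an existing executable, and %u must be passed so the script learns
    which account to create."""
    try:
        argv = shlex.split(value)
    except ValueError as exc:
        return f"unparsable command: {exc}"
    if not argv:
        return "empty command"
    path = argv[0]
    if not os.path.isabs(path):
        return f"not an absolute path: {path}"
    if not os.path.isfile(path):
        return f"no such file: {path}"
    if not os.access(path, os.X_OK):
        return f"not executable: {path}"
    if "%u" not in argv[1:]:
        return "missing %u, so the script would not receive the user name"
    return "ok"


def review_global(text: str) -> List[str]:
    """Collect findings about the [global] section relevant to this thread."""
    g = parse_smb_conf(text).get("global", {})
    findings: List[str] = []
    security = g.get("security", "user").lower()
    if security in PDC_MODES:
        findings.append(f"security = {security}: the PDC authenticates, but smbd "
                        "still needs a local UNIX account (adduser script or winbind)")
    for param in ROOT_SCRIPT_PARAMS:
        if param in g:
            result = check_script(g[param])
            if result != "ok":
                findings.append(f"{param} = {g[param]}: {result}")
        elif param == "adduser script" and security in PDC_MODES:
            findings.append("no adduser script: without winbind, unknown domain "
                            "users fail with NT_STATUS_NO_SUCH_USER as in the log above")
    return findings


# Constructed sample 1: the thread's original [global] section (no adduser script).
THREAD_CONF = """[global]
   workgroup = WVUS
   netbios name = PORTAL2
   security = domain
   password server = samuel
   encrypt passwords = Yes
"""

# Constructed sample 2: same, plus an adduser script. /bin/sh is a placeholder
# that exists on any POSIX host; on a real server this is the useradd path.
FIXED_CONF = THREAD_CONF + "   adduser script = /bin/sh %u\n"


if __name__ == "__main__":
    for label, conf in (("thread", THREAD_CONF), ("fixed", FIXED_CONF)):
        print(f"== {label} ==")
        for finding in review_global(conf):
            print(" -", finding)
    print(check_script("/etc/sbin/useradd -m %u"))
```

The script only proves the path is usable; it does not verify that the command really creates accounts, so after changing smb.conf still restart smbd and check the samba log for the "does not exist, trying to add it" line followed by a successful lookup.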

nlong1 05-28-2004 11:17 AM

Vlad-a

Thank you very much for your reply. Is there a reward for a reply on this web site?

JimBass 05-28-2004 11:33 AM

The affero button below his post allows you to donate $ to a charity in his name.

Peace,
JimBass

nlong1 05-28-2004 11:37 AM

Thank you

nlong1 05-28-2004 11:42 AM

Hi Vlad,

I did try your suggestion; it did not work. It looked like a good idea.

Norm

Vlad-A 05-28-2004 02:32 PM

Hi nlong1,

What did not work?

Did you restart smbd and nmbd after adding the line in smb.conf?

Do you have a Win NT domain or Win 2000 Active Directory?

Were users added, meaning were there additional Linux users added?

Can users already having Linux accounts log in and access shares?

Do you have a WINS server?

We'll not give up 'till it works :-)))

P.S.:

IMPORTANT:

The useradd command is located at different locations depending on the distro.

it can be in /usr/bin so (adduser script = /usr/bin/useradd -m %u)

and on others can be in /usr/sbin so (adduser script = /etc/sbin/useradd -m %u)

So please check the location (path) of useradd on your distro

with:
which useradd
(when logged in as root)

smb.conf expects the *full* path to useradd and the path has to be the right one.

Vlad-A 05-28-2004 02:41 PM

IMPORTANT:

The useradd command is located at different locations depending on the Linux distro.

it can be in /usr/bin (adduser script = /usr/bin/useradd -m %u)

and on others can be in /etc/sbin (adduser script = /etc/sbin/useradd -m %u)


So please check the location (path) of useradd in your Linux distro

with
which useradd
(when logged in as root)

smb.conf expects the *full* path to useradd and the path has to be the right one.

kgramm 06-04-2004 02:11 PM

As a different option, you could download the MS Windows Services for UNIX (which is now free), load the NIS server part onto your DCs, and then make the Linux box a NIS client. That way, all of your user administration is done at one location.


Ken

tbeehler 07-19-2004 04:28 PM

I had a similar problem and fixed it by changing it from security=domain to security=user and having the add machine script line in my smb.conf. Hope that helps you out!!

Travis Beehler

fritzhardy 12-08-2004 01:02 PM

There is a way to meet your goal of not adding local accounts on your Samba server, and depending how complex your file/print sharing needs are, it can be quite easy. You have two options: username mapping, or winbind (This answer pertains to Samba 3.0.9)

First, username mapping. This will probably work fine in a less complex setup. For instance, I have a print server where everyone just needs to be able to print, and a handful of people actually need write access to shares. Here is an example username map:

# Unix_name = SMB_name1 SMB_name2 ...
!me = DOMAIN\me
nobody = *

DOMAIN is whatever your domain is. All connections are checked against this map. If it matches DOMAIN\me, it gets mapped to the local account "me" (the exclamation mark indicates stop processing if match found). Everything else gets mapped to nobody. This is great for read only shares which permit guest access (such as printing). NOTE: Make sure "map to guest = never" is set. Read the docs.

Second, winbind. This allows your Samba box to "see" accounts on the DC as local accounts. Check out the Winbind HowTo and the chapter on winbind in the Official Samba HowTo for more info. With this setup working using NSS, you can then grant users access to shares in smb.conf, and chown, chgrp, etc. based on their domain username and/or domain group. For instance DOMAIN\Print Admins.

Good luck.
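To make the stop-on-match rule in the username map concrete, here is an added example (not from this thread and not Samba's source) that evaluates a username map the way the smb.conf documentation describes it: lines are processed top to bottom, a match replaces the name being looked up, and later lines match against the replaced name unless the matching line began with "!". Matching is case-insensitive and "*" matches anything; "@group" entries are not modelled here. The map text (taken from the post above) and the client names are constructed for the demonstration.

```python
"""Added example: evaluate a Samba-style username map (not Samba's own code)."""
import re
from typing import List, NamedTuple


class Rule(NamedTuple):
    unix_name: str        # name on the left of '='
    smb_names: List[str]  # names on the right; '*' is a wildcard
    stop: bool            # line began with '!': stop after a successful match


# Right-hand side tokens: either a double-quoted string (names with spaces) or a bare word.
_TOKEN = re.compile(r'"[^"]*"|\S+')


def parse_username_map(text: str) -> List[Rule]:
    """Parse 'unix_name = smb_name1 smb_name2 ...' lines; '#' and ';' start comments."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        left, _, right = line.partition("=")
        unix_name = left.strip()
        stop = unix_name.startswith("!")
        if stop:
            unix_name = unix_name[1:].strip()
        smb_names = [tok.strip('"') for tok in _TOKEN.findall(right)]
        rules.append(Rule(unix_name, smb_names, stop))
    return rules


def resolve(rules: List[Rule], client_name: str) -> str:
    """Return the UNIX name the client name maps to.

    Each matching line rewrites the name, and the rewritten name is what the
    following lines are compared against, so a wildcard line placed after an
    un-marked line swallows the earlier mapping. A '!' line ends processing
    once it has matched."""
    name = client_name
    for rule in rules:
        if any(n == "*" or n.lower() == name.lower() for n in rule.smb_names):
            name = rule.unix_name
            if rule.stop:
                break
    return name


# Constructed from the map in the post above (raw string keeps the backslash).
MAP_WITH_STOP = r"""
# Unix_name = SMB_name1 SMB_name2 ...
!me = DOMAIN\me
nobody = *
"""

# Same map without the '!' to show why it is needed before a wildcard line.
MAP_WITHOUT_STOP = r"""
me = DOMAIN\me
nobody = *
"""


def demo() -> dict:
    """Return the mapping outcomes for a few constructed client names."""
    with_stop = parse_username_map(MAP_WITH_STOP)
    without_stop = parse_username_map(MAP_WITHOUT_STOP)
    return {
        "DOMAIN\\me (with !)": resolve(with_stop, r"DOMAIN\me"),
        "domain\\ME (with !)": resolve(with_stop, r"domain\ME"),
        "DOMAIN\\rthompso (with !)": resolve(with_stop, r"DOMAIN\rthompso"),
        "DOMAIN\\me (without !)": resolve(without_stop, r"DOMAIN\me"),
    }


if __name__ == "__main__":
    for client, unix in demo().items():
        print(f"{client:30} -> {unix}")
```

Run it and the last line shows the trap: without the "!", DOMAIN\me first becomes "me" and is then caught by "nobody = *", so the one person who needed write access ends up as nobody. Reviewing the map this way before deploying it is cheaper than reading the debug log afterwards.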

