LinuxQuestions.org
Old 05-27-2004, 04:06 PM   #1
nlong1
LQ Newbie
 
Registered: May 2004
Posts: 5

Rep: Reputation: 0
security = domain option in smb.conf requires the user have an account on linux


Good afternoon, I have spent my first week on linux, so clearly this question comes from a newbie. I have been given the task of configuring samba on redhat version 3.0. My goal is to set up security for samba in such a way that the users can map a drive to the linux box without having an account on the linux box. Here is my smb.conf file:


workgroup = WVUS
netbios name = PORTAL2
server string = Samba Server %v
encrypt passwords = Yes
log file = /var/opt/samba/log.%m
security = domain
password server = samuel
max log size = 1000
log level =3
socket options = TCP_NODELAY

My understanding is that setting the security to server would free us from creating local linux users, users whose only purpose would be to represent the users signed on to the domain. When a user who does not have a linux account but has an NT2000 domain account tries to map an existing samba share on the linux box, the following error messages are displayed:


[2004/05/25 17:12:52, 3] auth/auth.c:check_ntlm_password(219)
check_ntlm_password: Checking password for unmapped user [WVUS]\[rthompso]@[8GSCC11] with the new password interface
[2004/05/25 17:12:52, 3] auth/auth.c:check_ntlm_password(222)
check_ntlm_password: mapped user is: [WVUS]\[rthompso]@[8GSCC11]
[2004/05/25 17:12:52, 3] smbd/sec_ctx.c:push_sec_ctx(256)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2004/05/25 17:12:52, 3] smbd/uid.c:push_conn_ctx(287)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2004/05/25 17:12:52, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/05/25 17:12:52, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/05/25 17:12:52, 3] libsmb/namequery_dc.c:rpc_dc_name(143)
rpc_dc_name: Returning DC SAMUEL (89.0.0.53) for domain WVUS
[2004/05/25 17:12:52, 3] libsmb/cliconnect.c:cli_start_connection(1337)
Connecting to host=SAMUEL
[2004/05/25 17:12:52, 3] lib/util_sock.c:open_socket_out(710)
Connecting to 89.0.0.53 at port 445
[2004/05/25 17:12:52, 3] auth/auth_util.c:make_server_info_info3(1092)
User rthompso does not exist, trying to add it
[2004/05/25 17:12:52, 0] auth/auth_util.c:make_server_info_info3(1100)
make_server_info_info3: pdb_init_sam failed!
[2004/05/25 17:12:52, 2] auth/auth.c:check_ntlm_password(312)
check_ntlm_password: Authentication for user [rthompso] -> [rthompso] FAILED with error NT_STATUS_NO_SUCH_USER


So if anyone has any suggestions, please let me know. Again, the goal is to not have to add users to the linux box in order for a user to access a samba share.


Thank you in advance for your input.
 
Old 05-27-2004, 11:44 PM   #2
Vlad-A
Member
 
Registered: May 2004
Location: Vienna, Austria
Distribution: Open SuSE 11, Mac OS X 10.5
Posts: 299

Rep: Reputation: 33
My understanding is that *neither* security=server *nor* security=domain will free you from having local UNIX accounts for your users !!!
The only thing not done anymore is looking up the user account in smbpasswd.

When a client attempts to contact your samba server PORTAL2, PORTAL2 contacts samuel (your PDC). If the authentication succeeds,
then PORTAL2 looks for a *local UNIX account* that can be mapped to the client.

If this fails then you *can't access* the resources/shares on PORTAL2.

Nevertheless, there is a way with SAMBA to create local user accounts *on demand* if they are not present.

Add in the [global] section of smb.conf

adduser script = /usr/bin/useradd -m %u

This will free you from maintaining and keeping in sync the local (UNIX) user database and the Windows PDC database.

So here is how authentication will now work:

The client attempts to contact PORTAL2. PORTAL2 contacts the PDC samuel. If the authentication succeeds,
then PORTAL2 looks for a *local UNIX account* that can be mapped to the client. If there is no
local account that matches the client, the adduser script is invoked by samba (*as root* !!!).
If the script executes successfully, samba will continue as if the user was already present.
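A defender-side addition, not code from the thread or from Samba: because smbd runs the adduser script as root with an account name that comes from the domain login, a small wrapper can validate that name before useradd ever sees it. The install path /usr/local/sbin/samba-adduser and the useradd and nologin paths are assumptions; set them from the output of `which useradd` on your distro.

```shell
#!/bin/sh
# Added example, not from the thread: a wrapper for the smb.conf parameter
# "add user script" (written "adduser script" above). smbd runs that command
# as root with the domain-supplied account name substituted for %u, so this
# wrapper checks the name before handing it to useradd. Install path and
# script name are assumptions:
#   add user script = /usr/local/sbin/samba-adduser %u

USERADD=/usr/sbin/useradd      # set to the output of: which useradd
NOLOGIN=/sbin/nologin          # /usr/sbin/nologin on some distros

# valid_username NAME -> 0 if NAME is a plain, portable UNIX account name
valid_username() {
    name=$1
    case "$name" in
        '' | -* | *[!abcdefghijklmnopqrstuvwxyz0123456789_-]*) return 1 ;;
    esac
    [ "${#name}" -le 32 ] || return 1
    # never let a domain login create or "re-create" a system account
    case "$name" in
        root | daemon | bin | sys | nobody) return 1 ;;
    esac
    return 0
}

# add_samba_user NAME -> creates a home directory and a locked, no-login
# account; the PDC does the authentication, the UNIX account only supplies
# a uid for file ownership.
add_samba_user() {
    if ! valid_username "$1"; then
        echo "samba-adduser: refusing to create account for '$1'" >&2
        return 1
    fi
    if getent passwd "$1" >/dev/null 2>&1; then
        return 0        # already present, nothing to do
    fi
    "$USERADD" -m -s "$NOLOGIN" "$1"
}

# smbd passes the account name as the single argument.
[ $# -eq 1 ] && add_samba_user "$1"
```

Refused names are logged to stderr, which smbd captures in its own log, so a rejected attempt shows up next to the authentication lines quoted in the first post.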
 
Old 05-28-2004, 11:17 AM   #3
nlong1
LQ Newbie
 
Registered: May 2004
Posts: 5

Original Poster
Rep: Reputation: 0
Vlad-a

Thank you very much for your reply. Is there a reward for a reply on this web site?
 
Old 05-28-2004, 11:33 AM   #4
JimBass
Senior Member
 
Registered: Oct 2003
Location: New York City
Distribution: Debian Sid 2.6.32
Posts: 2,100

Rep: Reputation: 49
The affero button below his post allows you to donate $ to a charity in his name.

Peace,
JimBass
 
Old 05-28-2004, 11:37 AM   #5
nlong1
LQ Newbie
 
Registered: May 2004
Posts: 5

Original Poster
Rep: Reputation: 0
Thank you
 
Old 05-28-2004, 11:42 AM   #6
nlong1
LQ Newbie
 
Registered: May 2004
Posts: 5

Original Poster
Rep: Reputation: 0
Hi Vlad,

I did try your suggestion; it did not work. It looked like a good idea.

Norm
 
Old 05-28-2004, 02:32 PM   #7
Vlad-A
Member
 
Registered: May 2004
Location: Vienna, Austria
Distribution: Open SuSE 11, Mac OS X 10.5
Posts: 299

Rep: Reputation: 33
Hi nlong1,

What did not work ??

Did you restart smbd and nmbd after adding the line in smb.conf ?

Do you have a Win NT domain or Win 2000 active directory ?

Were users added, meaning were there additional Linux users added ?

Can users already having Linux accounts log in and access shares ?

Do you have a Wins server ?

We'll not give up 'till it works :-)))

P.S.:

IMPORTANT:

the useradd command is located at different locations depending on the distro

it can be in /usr/bin, so (adduser script = /usr/bin/useradd -m %u)

and on others it can be in /usr/sbin, so (adduser script = /etc/sbin/useradd -m %u)

So pls check the location (path) of useradd on your distro

with:
which useradd
(when logged in as root)

smb.conf expects the *full* path to useradd, and the path has to be the right one.

Last edited by Vlad-A; 05-28-2004 at 04:00 PM.
 
Old 05-28-2004, 02:41 PM   #8
Vlad-A
Member
 
Registered: May 2004
Location: Vienna, Austria
Distribution: Open SuSE 11, Mac OS X 10.5
Posts: 299

Rep: Reputation: 33
IMPORTANT:

the useradd command is located at different locations depending on the Linux distro

it can be in /usr/bin (adduser script = /usr/bin/useradd -m %u)

and on others it can be in /etc/sbin (adduser script = /etc/sbin/useradd -m %u)

so pls check the location (path) of useradd in your Linux distro

with
which useradd
(when logged in as root)

smb.conf expects the *full* path to useradd, and the path has to be the right one.

Last edited by Vlad-A; 05-28-2004 at 04:01 PM.
 
Old 06-04-2004, 02:11 PM   #9
kgramm
LQ Newbie
 
Registered: Jun 2004
Distribution: SuSE Linux 9.1
Posts: 1

Rep: Reputation: Disabled
As a different option, you could download the MS Windows Services for UNIX (which is now free), load the NIS server part onto your DCs, and then make the Linux box a NIS client. That way, all of your user administration is done at one location.


Ken
 
Old 07-19-2004, 04:28 PM   #10
tbeehler
Member
 
Registered: Aug 2003
Location: Washington State, USA
Distribution: Mainly RH 9.0
Posts: 227

Rep: Reputation: 30
I had a similar problem and fixed it by changing it from security=domain to security=user and having the add machine script line in my smb.conf. Hope that helps you out!!

Travis Beehler
 
Old 12-08-2004, 01:02 PM   #11
fritzhardy
LQ Newbie
 
Registered: Dec 2004
Posts: 1

Rep: Reputation: 0
There is a way to meet your goal of not adding local accounts on your Samba server, and depending on how complex your file/print sharing needs are, it can be quite easy. You have two options: username mapping, or winbind. (This answer pertains to Samba 3.0.9.)

First, username mapping. This will probably work fine in a less complex setup. For instance, I have a print server where everyone just needs to be able to print, and a handful of people actually need write access to shares. Here is an example username map:

# Unix_name = SMB_name1 SMB_name2 ...
!me = DOMAIN\me
nobody = *

DOMAIN is whatever your domain is. All connections are checked against this map. If it matches DOMAIN\me, it gets mapped to the local account "me" (the exclamation mark indicates stop processing if match found). Everything else gets mapped to nobody. This is great for read only shares which permit guest access (such as printing). NOTE: Make sure "map to guest = never" is set. Read the docs.

Second, winbind. This allows your Samba box to "see" accounts on the DC as local accounts. Check out the Winbind HowTo and the chapter on winbind in the Official Samba HowTo for more info. With this setup working using NSS, you can then grant users access to shares in smb.conf, and chown, chgrp, etc. based on their domain username and/or domain group. For instance DOMAIN\Print Admins.

Good luck.

Last edited by fritzhardy; 12-08-2004 at 01:37 PM.
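A resolver for the username map format described in the post above, added here as an example (not code from the thread or from Samba). The sample map is constructed, the extra `!printadmin` entry and the temporary file from mktemp are assumptions, and only the rules the post names are implemented: a leading `!` stops processing on a match, `*` matches any name, and a name that matches nothing stays unchanged. Run against the three sample names it also shows why the `!` on the `me` line matters: without it, the later `nobody = *` line would override the mapping.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: a minimal resolver for
# the "username map" file format. It implements only the rules the post
# names: one "unix_name = smb_name ..." entry per line, '#' comments, a
# leading '!' stops processing on a match, '*' matches any name, and a name
# that matches nothing is left unchanged. The map below is constructed.

MAPFILE=$(mktemp)   # a real setup points "username map =" at e.g. /etc/samba/username.map
cat >"$MAPFILE" <<'EOF'
# Unix_name = SMB_name1 SMB_name2 ...
!me = DOMAIN\me
!printadmin = DOMAIN\pjones DOMAIN\rthompso
nobody = *
EOF

# resolve_smb_user SMBNAME -> prints the UNIX account SMBNAME maps to
resolve_smb_user() {
    incoming=$1
    result=$incoming                    # Samba leaves unmatched names as they are
    set -f                              # '*' in the map must not glob filenames
    while IFS= read -r line; do
        case "$line" in '' | \#*) continue ;; esac
        unix=${line%%=*}
        smbs=${line#*=}
        set -- $unix; unix=$1           # strip surrounding whitespace
        stop=0
        case "$unix" in !*) stop=1; unix=${unix#!} ;; esac
        for smb in $smbs; do
            if [ "$smb" = '*' ] || [ "$smb" = "$incoming" ]; then
                result=$unix            # without '!', a later line may override this
                [ "$stop" -eq 1 ] && break 2
            fi
        done
    done <"$MAPFILE"
    set +f
    printf '%s\n' "$result"
}
```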