07-17-2006, 02:19 AM
|
#1
|
Member
Registered: Jan 2006
Location: Sri Lanka
Posts: 651
Rep:
|
samba client authenticate against LDAP server
Hi
How to authenticate samba3 file server against ldap central server
regards
Asanka
|
|
|
07-17-2006, 03:14 AM
|
#2
|
LQ Guru
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733
|
Check if you have samba-docs installed. It includes the book "Samba 3 by Example".
My distro installs a pdf file: /usr/share/doc/packages/samba/Samba3-ByExample.pdf
Others install a postscript file. There is also a section in the "Samba3-HOWTO.pdf", also included with samba-docs, on using ldapsam. Chapter 10.4.4
|
|
|
07-17-2006, 04:11 AM
|
#3
|
Member
Registered: Jan 2006
Location: Sri Lanka
Posts: 651
Original Poster
Rep:
|
hi jschiwal
Thanks. I was playing with smb.conf and LDAP client authentication using redhat-config-authentication. All I did,
once I got the LDAP client working, was add the following to smb.conf. I hope it is right.
Code:
# Global parameters
[global]
workgroup = IIL
server string = OFFI-DOC-ONLY
security = DOMAIN
password server = ark
[%U-doc]
comment = Document share only for official use
path = /vol1/%U
read only = No
guest ok = Yes
Anyway, do you know how the policies work with LDAP groups and users?
regards
Asanka
|
|
|
07-17-2006, 08:39 AM
|
#4
|
LQ Guru
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733
|
Is ark a samba pdc? There will be a lot more added in ark's smb.conf file.
Here is a link to a samba-ldap howto:
http://www.unav.es/cti/ldap-smb/ldap-smb-3-howto.html
According to Chapter 10 section 4.4.6 of Samba 3 by Example, Samba-3 group management is based on POSIX groups. Samba-3 does not support nested groups. If you search for samba.schema (locate samba.schema), you can find sample LDAP files. Also, do you have smbldap-tools installed? It also contains samba/ldap documentation. However, your question sounds more like a general samba question.
|
|
|
07-17-2006, 10:30 PM
|
#5
|
Member
Registered: Jan 2006
Location: Sri Lanka
Posts: 651
Original Poster
Rep:
|
Hi
Yes, ark is a samba PDC, using an LDAP backend and smbldap-tools to manage it. This smb.conf is not on the PDC; I made it on the file server which I want to authenticate against the PDC.
With this smb.conf it is working OK, but I don't know how to test the authentication part.
When I log in to the PDC from a Windows machine (I exist only on the PDC) it shows me my share and I can do anything to that directory. Do you think that with this configuration anybody can access it (is there a security issue)? The folders have only user rwx permissions.
Regards
Asanka
|
|
|
07-18-2006, 02:44 AM
|
#6
|
LQ Guru
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733
|
Code:
[%U-doc]
comment = Document share only for official use
path = /vol1/%U
read only = No
guest ok = Yes
I don't think the guest ok = Yes is correct.
Look in your samba configuration useradd scripts. When a new user is added, I think that the samba useradd script should include a line like:
useradd -s /bin/false %U 2>/dev/null
Also check that each "username-doc" directory is created with 0700 permissions.
However, you are configuring a Domain Member Server as if it were a Domain Member Workstation client. I would recommend that you study Chapter 7 of the Samba3-ByExample.pdf document.
|
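The two checks raised in this reply (a writable share that also has guest ok = Yes, and per-user directories that should be 0700), as an added Python example that is not part of the original thread. The function names are hypothetical, and /vol1 is the share root taken from the posted configuration.

```python
import configparser
import os
import stat

# Configuration under review, reduced to the posted lines that matter here.
POSTED_CONF = """\
[global]
security = DOMAIN
password server = ark
[%U-doc]
path = /vol1/%U
read only = No
guest ok = Yes
"""
TRUE = {"yes", "true", "1"}  # boolean spellings documented for smb.conf

def guest_writable_shares(conf_text):
    """Return names of shares that are both guest-accessible and writable."""
    # interpolation=None stops configparser treating Samba's %U as its own macro
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    flagged = []
    for name in cp.sections():
        if name.lower() == "global":
            continue
        s = cp[name]
        guest = s.get("guest ok", s.get("public", "no")).lower() in TRUE
        writable = s.get("read only", "yes").lower() not in TRUE
        for syn in ("writable", "writeable", "write ok"):  # inverted synonyms
            if syn in s:
                writable = s[syn].lower() in TRUE
        if guest and writable:
            flagged.append(name)
    return flagged

def loose_user_dirs(base):
    """Return (name, mode) for directories under base that are not exactly 0700."""
    modes = {e.name: stat.S_IMODE(e.stat(follow_symlinks=False).st_mode)
             for e in os.scandir(base) if e.is_dir(follow_symlinks=False)}
    return sorted((n, oct(m)) for n, m in modes.items() if m != 0o700)

if __name__ == "__main__":
    print("guest-writable shares:", guest_writable_shares(POSTED_CONF))
    if os.path.isdir("/vol1"):  # share root from the thread; skipped elsewhere
        print("not 0700:", loose_user_dirs("/vol1"))
```

The parser only reads the text it is given, so include files and Samba's compiled-in defaults are not resolved; on a host with Samba installed, testparm shows the effective settings.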
|
|
07-19-2006, 12:06 AM
|
#7
|
Member
Registered: Jan 2006
Location: Sri Lanka
Posts: 651
Original Poster
Rep:
|
You are right, it's working.
Thanks
Best regards
Asanka
By the way, do you know whether we can migrate Win 2003 AD to samba 3 LDAP?
|
|
|
07-19-2006, 03:00 AM
|
#8
|
LQ Guru
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733
|
Code:
security = DOMAIN
password server = ark
A dumb question. Isn't "password server =" an option used with "security = SERVER"?
I think it would be better if you used one of the ldap servers instead and based the configuration on the Domain Member Server examples in the Samba 3 by Example book. If you google for "IBM Redbook samba ldap" you may also come up with a couple of excellent IBM Redbooks on Samba and/or LDAP.
|
|
|
07-19-2006, 03:10 AM
|
#9
|
Member
Registered: Jan 2006
Location: Sri Lanka
Posts: 651
Original Poster
Rep:
|
Yes, ARK is an LDAP/Samba domain controller.
and is working as a member server
thanks
Regards
Asanka
|
|
|
07-19-2006, 03:20 AM
|
#10
|
LQ Guru
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733
|
The example I was referring to was for a Samba Member Server that used a different LDAP server for authentication. It was the main server for one of several sites. I think it was in the 500 host network example.
I was going to edit my last post, because I forgot to say that I'm glad that you got it working.
If you have a computer that is going to be replaced at your company (such as an old Pentium III desktop), you might want to use it as an experimental box and try different samba configurations, working on the examples.
Take Care!
|
|
|
07-19-2006, 03:45 AM
|
#11
|
Member
Registered: Jan 2006
Location: Sri Lanka
Posts: 651
Original Poster
Rep:
|
You too
Thanks for all your help
best regards
Asanka
|
|
|
All times are GMT -5.