LinuxQuestions.org > Linux - Server
Thread URL: https://www.linuxquestions.org/questions/linux-server-73/changing-samba-server-from-guest-only-to-ad-authentication-4175507494/

anon091 06-09-2014 09:24 AM

Changing samba server from guest only to AD authentication
 
Currently my samba server is wide open, with everyone just auto connecting from their Windows machines to the samba share without entering any credentials. Is there a good guide somewhere to follow on how to convert this so it's based on an AD group or something? Also, if it is changed to AD authentication, will the credentials pass through from the Windows machines, or will users always be prompted to log on to the server?

Right now I just have a "guest account" set up in the main smb.conf section, then these settings also:

security = share
passdb backend = tdbsam

Then I have these two set in each share's config in that file:
guest ok = yes
guest only = yes

dijetlo 06-09-2014 11:24 PM

Chapter 24: Winbind
Though if I was going to administer samba as a domain controller, and I have, I'd read the whole manual, and I did.
Saved my rear end more than once.

anon091 06-13-2014 01:44 PM

Thanks. I still have two questions, the second of which I might have missed in that link.

1) So the server HAS to be joined as a member to Active Directory for this to work?
2) I still don't understand, if they map a drive to the server and it's using AD auth, whether it will prompt for their password or just log them in with the credentials they used to sign on to the computer.

dijetlo 06-13-2014 06:27 PM

Quote:

the server HAS to be joined as a member to Active Directory for this to work?
There's a dozen ways to skin that cat. It can maintain its own set of credentials in a trusted domain and the Windows users can access with an alternate set of credentials stored in their credential managers.
That said, the easiest way is to join the Samba servers to the domain and replicate the security tokens.
Quote:

if it's using AD auth, if it will prompt for their password or just log them in with the credentials they used to sign on to the computer.
If the Samba server is on the domain, the winboxes will be prompted for credentials, however if you've set everything up correctly, the Windows users won't be aware of it.

anon091 06-16-2014 08:32 AM

I was really hoping to keep the box out of the domain, but sounds like that isn't an option.

When you say "the windows users won't be aware of it" do you mean they won't actually get prompted, that the credentials will just pass through from their Windows logon to samba, so it will connect like there was no security?

dijetlo 06-19-2014 01:20 AM

Quote:

When you say "the windows users won't be aware of it" do you mean they won't actually get prompted, that the credentials will just pass through from their Windows logon to samba,
They should.
You can also make the Samba boxes a separate domain that's considered "Trusted" by the AD domain, set up a set of non-domain credentials in the Windows credential manager and have the Windows machines effectively "log in" to the alternate domain to access their samba shares. Though you will find that becomes quite the headache over time.

anon091 06-19-2014 08:00 AM

OK, was just making sure I was understanding. In our current setup with guest only, basically they just go to the path for the share, and it connects, no questions asked. Trying to keep it that way, but improve security by only allowing authenticated users of our choosing to access it.

dijetlo 06-19-2014 12:18 PM

Take a look at this option

Quote:

Winbind/NSS uses RID based IDMAP:
The IDMAP_RID facility is new to Samba version 3.0.8. It was added to make life easier for a number of sites that are committed to use of MS ADS, that do not apply an ADS schema extension, and that do not have an LDAP directory server installed just for the purpose of maintaining an IDMAP table. If you have a single ADS domain (not a forest of domains, and not multiple domain trees) and you want a simple cookie-cutter solution to the IDMAP table problem, then IDMAP_RID is an obvious choice.

This facility requires the allocation of the idmap uid and the idmap gid ranges, and within the idmap uid it is possible to allocate a subset of this range for automatic mapping of the relative identifier (RID) portion of the SID directly to the base of the UID plus the RID value. For example, if the idmap uid range is 1000-100000000 and the idmap backend = idmap_rid:DOMAIN_NAME=1000-50000000, and a SID is encountered that has the value S-1-5-21-34567898-12529001-32973135-1234, the resulting UID will be 1000 + 1234 = 2234.
That sounds more like what you're interested in without disrupting the current domain topography.
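Added worked example (mine, not code from the thread or from Samba) of the arithmetic the quoted HOWTO text describes: under idmap_rid a domain SID's RID is added to the base of the configured range to get the UID, the reverse lookup subtracts it, and anything outside the range or from another domain gets no mapping. The SID and the 1000-50000000 range are the HOWTO's example values; DOMAIN_SID is the domain portion of that example SID. It also checks that a domain's range does not overlap the default `*` range, which the HOWTO example does not cover.

```python
"""idmap_rid arithmetic: how a domain SID's RID becomes a Unix UID.

Added worked example, not code from the thread or from Samba.  The SID
and ranges reuse the HOWTO's example values.
"""
import re

# Any SID: S-1-<authority>-<subauthority>-...-<RID>
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# Domain portion of the HOWTO's example SID (everything except the final RID)
DOMAIN_SID = "S-1-5-21-34567898-12529001-32973135"


def split_sid(sid):
    """Return (domain_sid, rid); the RID is the last sub-authority."""
    if not SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid!r}")
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


def rid_to_uid(sid, domain_sid, low, high):
    """SID -> UID as idmap_rid does: uid = low + rid.
    None means winbind has no mapping: the SID belongs to another domain,
    or the UID would leave [low, high] (RID larger than high - low)."""
    domain, rid = split_sid(sid)
    if domain != domain_sid:
        return None
    uid = low + rid
    return uid if uid <= high else None


def uid_to_sid(uid, domain_sid, low, high):
    """Reverse lookup: rid = uid - low, only for UIDs inside the range."""
    if not low <= uid <= high:
        return None
    return f"{domain_sid}-{uid - low}"


def ranges_overlap(a, b):
    """The '*' range and each domain's range must be disjoint; otherwise two
    different SIDs can end up with the same UID/GID on the file system."""
    (a_lo, a_hi), (b_lo, b_hi) = a, b
    return a_lo <= b_hi and b_lo <= a_hi


if __name__ == "__main__":
    low, high = 1000, 50000000          # the HOWTO's idmap_rid range
    sid = DOMAIN_SID + "-1234"
    print(sid, "->", rid_to_uid(sid, DOMAIN_SID, low, high))    # 2234
    print(2234, "->", uid_to_sid(2234, DOMAIN_SID, low, high))
    # the HOWTO range starts at 1000 and would collide with a default
    # '*' range such as 3000-7999
    print("overlap:", ranges_overlap((low, high), (3000, 7999)))
```

Because the mapping is pure arithmetic, the same SID yields the same UID on every member server that uses the same base, which is exactly what makes idmap_rid usable without an LDAP-backed IDMAP table; the price is that the range must be wide enough for the largest RID the domain will ever issue.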

anon091 06-20-2014 04:31 AM

I'll have to read up on it more, but at initial glance, that sounds like it might be closer to what I was hoping for. Thanks.
