Changing samba server from guest only to AD authentication
Currently my samba server is wide open, with everyone just auto connecting from their Windows machines to the samba share without entering any credentials. Is there a good guide somewhere to follow on how to convert this so it's based on an AD group or something? Also, if it is changed to AD authentication, will the credentials pass through from the Windows machines, or will users always be prompted to log on to the server?
Right now I just have a "guest account" set up in the main smb.conf section, then these settings also:
security = share
passdb backend = tdbsam
Then I have these two set in each share's config in that file:
guest ok = yes
guest only = yes
|
Chapter 24: Winbind
Though if I was going to administer samba as a domain controller, and I have, I'd read the whole manual, and I did. Saved my rear end more than once. |
Thanks. I still have two questions, the second of which I might have missed in that link.
1) So the server HAS to be joined as a member to Active Directory for this to work?
2) I still don't understand if when they map a drive to the server if it's using AD auth, if it will prompt for their password or just log them in with the credentials they used to sign on to the computer. |
Quote:
That said, the easiest way is to join the Samba servers to the domain and replicate the security tokens. Quote:
|
I was really hoping to keep the box out of the domain, but sounds like that isn't an option.
When you say "the windows users won't be aware of it" do you mean they won't actually get prompted, that the credentials will just pass through from their Windows logon to samba, so it will connect like there was no security? |
Quote:
You can also make the Samba boxes a separate domain that's considered "Trusted" by the AD domain, set up a set of non-domain credentials in the Windows credential manager and have the Windows machines effectively "log in" to the alternate domain to access their Samba shares. Though you will find that becomes quite the headache over time. |
OK, was just making sure I was understanding. In our current setup with guest only, basically they just go to the path for the share, and it connects, no questions asked. Trying to keep it that way, but improve security by only allowing authenticated users of our choosing to access it.
|
Take a look at this option
Quote:
|
I'll have to read up on it more, but at initial glance, that sounds like it might be closer to what I was hoping for. Thanks.
|
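For reference, the guest-only settings from the first post next to a domain-member configuration of the kind discussed in the replies. This is an added example, not a config posted by anyone in the thread. The share name and path, the guest account, EXAMPLE.COM / EXAMPLE, the group name and the ID ranges are all placeholders or sample values.

```ini
# --- Before: guest-only setup as described in the first post ---
# (guest account, share name and path are placeholders)
[global]
    security = share
    passdb backend = tdbsam
    guest account = nobody

[data]
    path = /srv/samba/data
    guest ok = yes
    guest only = yes

# --- After: Samba as an AD domain member, access limited to one AD group ---
# EXAMPLE.COM, EXAMPLE and "fileshare-users" stand in for your realm,
# NetBIOS domain name and AD group. The ID ranges are sample values.
# Join the domain once after editing (as root):
#   net ads join -U <domain-admin-account>
[global]
    security = ads
    realm = EXAMPLE.COM
    workgroup = EXAMPLE
    # Never fall back to the guest account on a failed logon
    map to guest = never
    # Default ID mapping for BUILTIN and local accounts
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    # Domain users and groups get UIDs/GIDs derived from their RID
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999

[data]
    path = /srv/samba/data
    guest ok = no
    # Only members of this AD group may connect
    valid users = @"EXAMPLE\fileshare-users"
```

Run testparm to check the file before restarting smbd and winbindd. winbindd has to be running, with winbind listed in nsswitch.conf, for the AD group in valid users to resolve.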