LinuxQuestions.org
Old 06-09-2014, 09:24 AM   #1
anon091
Senior Member
 
Registered: Jun 2009
Posts: 1,795

Rep: Reputation: 49
Changing samba server from guest only to AD authentication


Currently my samba server is wide open, with everyone just auto connecting from their Windows machines to the samba share without entering any credentials. Is there a good guide somewhere to follow on how to convert this so it's based on an AD group or something? Also, if it is changed to AD authentication, will the credentials pass through from the Windows machines, or will users always be prompted to log on to the server?

Right now I just have a "guest account" set up in the main smb.conf section, then these settings also

security = share
passdb backend = tdbsam

Then I have these two set in each share's config in that file
guest ok = yes
guest only = yes
 
Old 06-09-2014, 11:24 PM   #2
dijetlo
Senior Member
 
Registered: Jan 2009
Location: RHELtopia....
Distribution: Solaris 11.2/Slackware/RHEL/
Posts: 1,491
Blog Entries: 2

Rep: Reputation: Disabled
Chapter 24: Winbind
Though if I was going to administer samba as a domain controller, and I have, I'd read the whole manual, and I did.
Saved my rear end more than once.
 
Old 06-13-2014, 01:44 PM   #3
anon091
Senior Member
 
Registered: Jun 2009
Posts: 1,795

Original Poster
Rep: Reputation: 49
Thanks. I still have two questions, the second of which I might have missed in that link.

1) So the server HAS to be joined as a member to Active Directory for this to work?
2) I still don't understand if when they map a drive to the server if it's using AD auth, if it will prompt for their password or just log them in with the credentials they used to sign on to the computer.
 
Old 06-13-2014, 06:27 PM   #4
dijetlo
Senior Member
 
Registered: Jan 2009
Location: RHELtopia....
Distribution: Solaris 11.2/Slackware/RHEL/
Posts: 1,491
Blog Entries: 2

Rep: Reputation: Disabled
Quote:
the server HAS to be joined as a member to Active Directory for this to work?
There's a dozen ways to skin that cat. It can maintain its own set of credentials in a trusted domain and the Windows users can access with an alternate set of credentials stored in their credential managers.
That said, the easiest way is to join the Samba servers to the domain and replicate the security tokens.
Quote:
if it's using AD auth, if it will prompt for their password or just log them in with the credentials they used to sign on to the computer.
If the Samba server is on the domain, the winboxes will be prompted for credentials, however if you've set everything up correctly, the Windows users won't be aware of it.

Last edited by dijetlo; 06-13-2014 at 06:30 PM.
 
Old 06-16-2014, 08:32 AM   #5
anon091
Senior Member
 
Registered: Jun 2009
Posts: 1,795

Original Poster
Rep: Reputation: 49
I was really hoping to keep the box out of the domain, but sounds like that isn't an option.

When you say "the windows users won't be aware of it" do you mean they won't actually get prompted, that the credentials will just pass through from their Windows logon to samba, so it will connect like there was no security?
 
Old 06-19-2014, 01:20 AM   #6
dijetlo
Senior Member
 
Registered: Jan 2009
Location: RHELtopia....
Distribution: Solaris 11.2/Slackware/RHEL/
Posts: 1,491
Blog Entries: 2

Rep: Reputation: Disabled
Quote:
When you say "the windows users won't be aware of it" do you mean they won't actually get prompted, that the credentials will just pass through from their Windows logon to samba,
They should.
You can also make the Samba boxes a separate domain that's considered "Trusted" by the AD domain, set up a set of non-domain credentials in the Windows credential manager and have the Windows machines effectively "log in" to the alternate domain to access their samba shares. Though you will find that becomes quite the headache over time.
 
1 members found this post helpful.
Old 06-19-2014, 08:00 AM   #7
anon091
Senior Member
 
Registered: Jun 2009
Posts: 1,795

Original Poster
Rep: Reputation: 49
OK, was just making sure I was understanding. In our current setup with guest only, basically they just go to the path for the share, and it connects, no questions asked. Trying to keep it that way, but improve security by only allowing authenticated users of our choosing to access it.
 
Old 06-19-2014, 12:18 PM   #8
dijetlo
Senior Member
 
Registered: Jan 2009
Location: RHELtopia....
Distribution: Solaris 11.2/Slackware/RHEL/
Posts: 1,491
Blog Entries: 2

Rep: Reputation: Disabled
Take a look at this option

Quote:
Winbind/NSS uses RID based IDMAP:
The IDMAP_RID facility is new to Samba version 3.0.8. It was added to make life easier for a number of sites that are committed to use of MS ADS, that do not apply an ADS schema extension, and that do not have an installed LDAP directory server just for the purpose of maintaining an IDMAP table. If you have a single ADS domain (not a forest of domains, and not multiple domain trees) and you want a simple cookie-cutter solution to the IDMAP table problem, then IDMAP_RID is an obvious choice.

This facility requires the allocation of the idmap uid and the idmap gid ranges, and within the idmap uid it is possible to allocate a subset of this range for automatic mapping of the relative identifier (RID) portion of the SID directly to the base of the UID plus the RID value. For example, if the idmap uid range is 1000-100000000 and the idmap backend = idmap_rid:DOMAIN_NAME=1000-50000000, and a SID is encountered that has the value S-1-5-21-34567898-12529001-32973135-1234, the resulting UID will be 1000 + 1234 = 2234.
That sounds more like what you're interested in without disrupting the current domain topography.
 
1 members found this post helpful.
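
Added example, not part of any post in this thread: a member-server smb.conf sketch for the change discussed above, replacing the guest-only settings from post #1 with AD authentication restricted to one group and using the RID idmap backend quoted in post #8. The domain EXAMPLE, realm EXAMPLE.LOCAL, group fileshare-users, share name and path are constructed placeholders, and the `idmap config` lines use the newer per-domain syntax rather than the 3.0.x `idmap backend` form quoted above.

```ini
# --- Before (from post #1): anyone who can reach the server gets in ---
# [global]
#     security = share
#     passdb backend = tdbsam
# [share]
#     guest ok = yes
#     guest only = yes

# --- After: AD member server, access limited to one AD group ---
[global]
    # Placeholder NetBIOS domain name and Kerberos realm
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL

    # Authenticate against Active Directory. Domain-joined Windows
    # clients present the Kerberos ticket from their logon session,
    # so a correctly configured setup does not show a password prompt.
    security = ads

    # Never fall back to the guest account on a failed logon
    map to guest = Never

    # Default mapping for BUILTIN and well-known SIDs
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # RID-based mapping for the AD domain: UID = low end of range + RID
    # (RID 1234 maps to UID 11234 with the range below)
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999

[share]
    # Placeholder path
    path = /srv/samba/share
    read only = no

    # Guest access off; only members of the named AD group may connect
    guest ok = no
    valid users = @"EXAMPLE\fileshare-users"
```

The server has to be joined to the domain (`net ads join`) and winbind has to be running before these settings take effect. `testparm` checks the file for syntax errors before smbd is restarted.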
Old 06-20-2014, 04:31 AM   #9
anon091
Senior Member
 
Registered: Jun 2009
Posts: 1,795

Original Poster
Rep: Reputation: 49
I'll have to read up on it more, but at initial glance, that sounds like it might be closer to what I was hoping for. Thanks.
 
  


All times are GMT -5. The time now is 06:39 AM.
