
Thread: Authenticating off a PDC w/ samba

  1. #1

    Authenticating off a PDC w/ samba

    At school we are currently working on a website as our project. At the end we will most likely have to upload it to a free webhost. But in the server room is an old server (Not working) and I believe it has some nice SCSI drives in it (I wanna play with them!)

    Now I may suggest that instead we set up Apache and maybe PHP (Although no-one would use it except me, it doesn't really take up that much room). I would like to use samba so that they can easily move their sites to their folder on the web server (That I will set up) share. How can I get samba to authenticate the user off the PDC when they try to access their share? (They will input their password when they try to access it)

    I've done a *very* quick search of Google but I haven't found anything (I am terribly busy atm)


  2. #2

    Re:Authenticating off a PDC w/ samba

    Hey, doing some looking, I found a link to the samba cookbook
    Here is an excerpt on Server level shares and authentication:
    6.3.3 Server-level Security
    Server-level security is similar to user-level security. However, with server-level security, Samba delegates password authentication to another SMB password server, typically another Samba server or a Windows NT Server acting as a PDC on the network. Note that Samba still maintains its list of shares and their configuration in its smb.conf file. When a client attempts to make a connection to a particular share, Samba validates that the user is indeed authorized to connect to the share. Samba will then attempt to validate the password by contacting the SMB password server through a known protocol and presenting the username and password to the SMB password server. If the password is accepted, a session will be established with the client. See Figure 6.2 for an illustration of this setup. 
    Figure 6.2: A typical system setup using server level security
    You can configure Samba to use a separate password server under server-level security with the use of the password server global configuration option, as follows:
        security = server
        password server = PHOENIX120 HYDRA134
    Note that you can specify more than one machine as the target of the password server; Samba will move down the list of servers in the event that its first choice is unreachable. The servers identified by the password server option are given as NetBIOS names, not their DNS names or equivalent IP addresses. Also, if any of the servers reject the given password, the connection will automatically fail - Samba will not attempt another server.
    One caveat: when using this option, you will still need an account representing that user on the regular Samba server. This is because the Unix operating system needs a username to perform various I/O operations. The preferable method of handling this is to give the user an account on the Samba server but disable the account's password by replacing it in the system password file (e.g., /etc/passwd ) with an asterisk (*).

  3. #3

    Re:Authenticating off a PDC w/ samba

    Here is some more
    6.3.4 Domain-level Security
    Domain-level security is similar to server-level security. However, with domain-level security, the Samba server is acting as a member of a Windows domain. Recall from Chapter 1 that each domain has a domain controller, which is usually a Windows NT server offering password authentication. Including these controllers provides the workgroup with a definitive password server. The domain controllers keep track of users and passwords in their own security authentication module (SAM), and authenticates each user when he or she first logs on and wishes to access another machine's shares.
    As mentioned earlier in this chapter, Samba has a similar ability to offer user-level security, but this option is Unix-centric and assumes that the authentication occurs via Unix password files. If the Unix machine is part of a NIS or NIS+ domain, Samba will authenticate the users transparently against a shared password file, in typical Unix fashion. Samba then provides access to the NIS or NIS+ domain from Windows. There is, of course, no relationship between the NIS concept of a domain and the Windows concept of a domain.
    With domain-level security, we now have the option of using the native NT mechanism. This has a number of advantages:
      • It provides far better integration with NT: there are fewer "kludges" in the smb.conf options dealing with domains than with most Windows features. This allows more extensive use of NT management tools, such as the User Manager for Domains tool allowing PC support individuals to treat Samba servers as if they were large NT machines.
      • With the better integration comes protocol and code cleanups, allowing the Samba team to track the evolving NT implementation. NT Service Pack 4 corrects several problems in the protocol, and Samba's better integration makes it easier to track and adapt to these changes.
      • There is less overhead on the PDC because there is one less permanent network connection between it and the Samba server. Unlike the protocol used by the security = server option, the Samba server can make a Remote Procedure Call (RPC) call only when it needs authentication information. It can not keep a connection permanently up just for that.
    Finally, the NT domain authentication scheme returns the full set of user attributes, not just success or failure. The attributes include a longer, more network-oriented version of the Unix uid, NT groups, and other information. This includes:
      • Full name
      • Security identifier (a domain-wide extension of the Unix uid)
      • NT group memberships
      • Logon hours, and whether to force the user to log out immediately
      • Workstations the user is allowed to use
      • Account expiration date
      • Home directory
      • Login script
      • Account type
    The Samba developers used domain-level security in Samba version 2.0.4 to add and delete domain users on Samba servers semi-automatically. In addition, it adds room for other NT-like additions, such as supporting access control lists and changing permissions of files from the client.
    The advantage to this approach is less administration; there is only one authentication database to keep synchronized. The only local administration required on the Samba server will be creating directories for users to work in and /etc/passwd entries to keep their UIDs and groups in.
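
Added example, not part of the thread or of the quoted book: an smb.conf for the domain-level setup the two excerpts describe, with the server-level setting shown beside it for comparison. The names SCHOOL, PDC1 and WEBSRV, the 192.168.1. subnet and the /var/www/users path are placeholders assumed for illustration.

```ini
# smb.conf on the Samba web server (constructed example; SCHOOL, PDC1,
# WEBSRV, the subnet and the share path are placeholders, not values from
# the thread).

[global]
    workgroup = SCHOOL
    netbios name = WEBSRV

    # Server-level variant from the first excerpt, for comparison. Samba
    # forwards the password check to the listed SMB server; the mode was
    # removed in Samba 4, so it is left commented out here.
    ; security = server

    # Domain-level: the Samba host is a domain member and asks the
    # domain controller to validate each logon.
    security = domain
    password server = PDC1
    encrypt passwords = yes

    # Never turn a failed logon into a guest session.
    map to guest = Never

    # Only the school LAN and localhost may connect.
    hosts allow = 192.168.1. 127.

    # Join the domain once before starting smbd, for example
    #   smbpasswd -j SCHOOL -r PDC1      (Samba 2.x)
    #   net rpc join -S PDC1 -U Administrator   (Samba 3.x)

# One private share per user. %S expands to the share name, which for
# [homes] is the connecting user's name, so nobody can open another
# user's folder.
[homes]
    comment = Personal web folder
    path = /var/www/users/%S
    valid users = %S
    invalid users = root
    browseable = no
    read only = no
    create mask = 0644
    directory mask = 0755

# Each domain user still needs a local Unix account for uid/gid and file
# ownership. As the first excerpt says, its password field can be "*":
# the account then cannot log in locally, and the domain controller
# remains the only place the password is checked.
```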

  4. #4

    Re:Authenticating off a PDC w/ samba

    Thinking about it now, I will still need to add the users to the machine so that no-one else can write to their home directory. But I will need to put a password on their account right? Is there some way I can do that without getting them to individually type in their password into the server?

    Also, will I need to add them into smbpasswd?


  5. #5
    Schotty

    Re:Authenticating off a PDC w/ samba

    Samba can read off of a Windows box the login and password for accessing the shares. That way they don't have to type it in each time they access.

    But yes, the Samba server will require accts and smbpasswd settings. I would recommend using WebMin for automating that. That way you don't have to do a "smbpasswd -a username" each time you add a user.

    BTW what is your network setup? Are we mixing linux and winderz? What exactly is the PDC? Samba? Winderz? An NIS server?

  6. #6

    Re:Authenticating off a PDC w/ samba

    The PDC is a Win2k machine. I should be able to add the users to smbpasswd pretty easily though (something like 'for i in *; do....etc')

    The only annoying thing is that I won't have the users' passwords to put in their user account on the web server (samba machine).
