Surprise Settlement Splits Microsoft
voidmain:
quote:Originally posted by IanC:
It does get a little laborious maintaining a copy of your NT user list on the Samba server as well as the Domain, but the release notes for 2.2.3a assure us that will be sorted very soon... :)
--- End quote ---
IanC, I did a little Samba work today and I no longer have to maintain two userid lists. "winbind" is pretty freakin' cool! I downloaded/built/installed 2.2.3a as you suggested. I turned on encryption and made my Samba server a member of my NT domain and set "security = DOMAIN". Fired up winbind and samba and now I can use NT userids and groups not only within the samba configuration but at the *NIX level. I can make local files/directories owned by NT userIDs and set group permissions to NT groups.
In addition to that a little playing with /etc/nsswitch.conf, /etc/pam.d/login and /etc/pam.d/ssh now allows me to log in to my Linux box with an NT domain ID and password. Without having to create a local account or having to manually update any list, winbind does it all. It's very much like NIS but it lets NT play along. I can also ssh/telnet to the box using an NT ID/password. Looks like we'll be replacing those NT fileservers VERY soon at that company I mentioned!
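The post above names the pieces that make winbind work: "security = DOMAIN" and encrypted passwords in smb.conf, plus winbind on the passwd and group lines of /etc/nsswitch.conf. The following is an added example, not code from the thread or from the Samba project: a small POSIX shell audit that checks those settings. It runs against constructed sample files (the workgroup name and uid/gid ranges are illustrative values), so it works offline; point the check functions at the real files to audit a live member server.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): audit the settings a
# winbind domain-member server needs. Sample files are constructed below.
set -u

# Constructed sample smb.conf and nsswitch.conf mirroring the post's setup.
write_samples() {
    dir=$1
    cat > "$dir/smb.conf" <<'EOF'
[global]
   workgroup = MYDOMAIN
   security = DOMAIN
   encrypt passwords = yes
   winbind uid = 10000-20000
   winbind gid = 10000-20000
   winbind separator = +
EOF
    cat > "$dir/nsswitch.conf" <<'EOF'
passwd:     files winbind
group:      files winbind
shadow:     files
EOF
}

# Print one smb.conf parameter value, lowercased, ignoring case of the key,
# surrounding blanks and comment lines (# or ;).
smb_param() {
    awk -v key="$2" -F= '
        /^[ \t]*[#;]/ { next }
        { k=$1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
          if (tolower(k) == tolower(key)) {
              v=$2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
              print tolower(v); exit } }' "$1"
}

# True when smb.conf makes the server a domain member using encrypted passwords.
check_smb_conf() {
    [ "$(smb_param "$1" 'security')" = domain ] &&
    [ "$(smb_param "$1" 'encrypt passwords')" = yes ]
}

# True when nsswitch.conf consults winbind for both passwd and group, which is
# what lets NT users and groups own files and appear in group permissions.
check_nsswitch() {
    awk '
        $1 == "passwd:" { for (i = 2; i <= NF; i++) if ($i == "winbind") p = 1 }
        $1 == "group:"  { for (i = 2; i <= NF; i++) if ($i == "winbind") g = 1 }
        END { exit ((p && g) ? 0 : 1) }' "$1"
}

# Combined check: reports each finding and returns 0 only if both parts pass.
audit_member_server() {
    ok=0
    if check_smb_conf "$1/smb.conf"; then
        echo "smb.conf: domain member with encrypted passwords"
    else
        echo "smb.conf: missing 'security = domain' or 'encrypt passwords = yes'"; ok=1
    fi
    if check_nsswitch "$1/nsswitch.conf"; then
        echo "nsswitch.conf: winbind resolves users and groups"
    else
        echo "nsswitch.conf: winbind missing from passwd/group lines"; ok=1
    fi
    return $ok
}

# Demo run on the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
audit_member_server "$tmp"
rm -rf "$tmp"
```

The checks are deliberately independent: a box with winbind in nsswitch.conf but "security = share" in smb.conf still fails, since NT users would then resolve at the *NIX level without the server actually being a domain member.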
iancom:
Yeah, I had just discovered winbind last night and was playing with it on a test server... it was about 1 o'clock so I didn't do quite well enough to get everything working absolutely right but I reckon I'll have it sorted later today!
It does look like exactly the sort of thing Samba needs.. that way after it's all set up correctly all permissions etc can be dealt with by NT group membership and User manager and even admin types might never realise they're not dealing with an NT server!
Excellent, Smithers.
voidmain:
I only had one issue that required changing some code. I wouldn't have found the issue because I usually edit the smb.conf file in my favorite text editor (vim) but I was talking a partner through viewing a share with swat and found a bug in swat.
First the only way I could find to use the NT domain groups in the smb.conf file (found absolutely no examples anywhere) was this format:
valid users = @"MYDOMAIN+Domain Admins"
The domain MYDOMAIN has the "Domain Admins" group that I wanted to grant access to a share so you use the "@" just like with UNIX groups and the group name. With winbind the group name shows up in the form of "DOMAIN+Group". And because a lot of NT domains contain a "space" in their name they need to be quoted. The only way of quoting that I found that would work is in my "valid users" example above.
Now, "swat" doesn't expect any quote marks in the string of groups and when I view the properties of that share in swat I get just an "@" and nothing else. I realized that was because in the HTML the tag looked like:
value="@"MYDOMAIN+Domain Admins""
So you can see why only the "@" was displayed. I then started looking over the source for swat (it's a C program) and found where it spit out those types of form elements (only two places need a simple change). Now the HTML that it spits out looks like:
value='"@"MYDOMAIN+Domain Admins"'
I just replaced the double quotes in the value tag with single quotes, recompiled, and it works like a champ. And no you can't use single quotes in the group name, tried that first and it doesn't work. I wouldn't have had to change the swat code if it did work.
At any rate, it seems to be working perfectly. Will be doing more heavy duty testing tomorrow probably.
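The swat bug described above is a general one: a value containing double quotes was written into a double-quoted HTML attribute without escaping, so the first embedded quote ended the attribute. Swapping the delimiters to single quotes fixes this particular value, but the durable fix is to escape the value itself, which also covers values containing single quotes, ampersands or angle brackets (the same defect class that lets attribute values break out of their element). The following is an added example, not swat's code: a POSIX shell function that escapes a string for a double-quoted attribute, and a builder that emits the input element the way an escaping-aware swat would, run against the exact "valid users" value from the thread.

```shell
#!/bin/sh
# Added example (not swat's code): escape a string for use inside a
# double-quoted HTML attribute value, so quotes inside the value cannot
# terminate the attribute early. Ampersand is handled first so that the
# entities produced by the later rules are not escaped a second time.
html_attr_escape() {
    printf '%s' "$1" | sed \
        -e 's/&/\&amp;/g' \
        -e 's/"/\&quot;/g' \
        -e "s/'/\&#39;/g" \
        -e 's/</\&lt;/g' \
        -e 's/>/\&gt;/g'
}

# Emit the form element with both name and value escaped.
input_element() {
    printf '<input type="text" name="%s" value="%s">' \
        "$(html_attr_escape "$1")" "$(html_attr_escape "$2")"
}

# The unescaped form from the thread, kept only for comparison: with the
# value below it yields value="@"MYDOMAIN+Domain Admins"" and the browser
# shows just the "@".
broken_element() {
    printf '<input type="text" name="%s" value="%s">' "$1" "$2"
}

# Demo with the exact smb.conf value quoted in the thread.
value='@"MYDOMAIN+Domain Admins"'
echo "broken:  $(broken_element 'valid users' "$value")"
echo "escaped: $(input_element 'valid users' "$value")"
```

The browser decodes the entities back into literal quote characters before showing the field, so the text box displays the full @"MYDOMAIN+Domain Admins" string and submits it unchanged; only the HTML serialization differs.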
iancom:
...excellent work, thanks for the tips. I really must learn C properly at some point so that I would stand a chance of being able to debug source code like that!
One of my first actions when I started working here was, as part of my push to secure the NT network as far as is possible, to remove or rename all of the predefined NT groups and usernames in the domain. And of course their replacements and any further groups that have since been added do not have any spaces in them. It Just Seems Wrong.
So maybe I'll be okay...
Cheers
voidmain:
quote:Originally posted by IanC:
One of my first actions when I started working here was, as part of my push to secure the NT network as far as is possible, to remove or rename all of the predefined NT groups and usernames in the domain. And of course their replacements and any further groups that have since been added do not have any spaces in them. It Just Seems Wrong.
--- End quote ---
Good idea... on a side note, I got ACLs working today on Linux local filesystems and within Samba. Now if you access the Samba shares from an NT/2k client you can change the permissions on files and directories just like you can on an NT server. You can't really tell you are connected to something *other* than an NT server. You can add NT Domain groups or users to the ACLs and set any of the attributes that you can do on an NT server.
I had to grab the kernel source and apply the ACL patches first, and rebuild Samba with ACL support (and add a couple of other minor things). I used to use ACLs on AIX years ago, it's pretty cool being able to do it in Linux now, and even cooler to be able to do it through Samba. Goodbye NT file servers. Good riddance!