SAMBA again
Roger Oberholtzer
roger
Fri Nov 18 05:26:45 PST 2005
On Wed, 2005-11-16 at 12:16 +1100, James McDonald wrote:
> > I have been trying to get a Windows Primary Domain Controller (PDC) to
> > validate users for my Linux SAMBA. I seem on the verge of getting it to
> > work. I have one question I don't see a proper answer for:
> >
> > When I join a domain, the docs say to log in as 'administrator'. Is this
> > a requirement that you be administrator on the PDC, or just sloppy
> > documentation? There is no way in hell your average admin is going to give
> > out administrator accounts/passwords to linux boxes scattered around the
> > net so that their samba servers can do authentication. Is it perhaps that
> > you just need a user on the PDC with some specific rights? I have not
> > found these documented in such a way that I can communicate these to our
> > local PDC admin. I just see references to 'administrator'.
> >
> > Where in SAMBA/winbind do you configure the name/password of the user
> > you should use to join the domain?
> >
> > Talk about an area with bad documentation. There is lots of it. But it
> > is mostly bad. I have read so much, and it does not always help. The
> > suggested By-Example book does not, that I could identify as such, give a
> > step-by-step COMPLETE guide to joining a domain to authenticate users. You
> > always get one bit here, a disconnected bit there, and so on.
> >
>
>
> This is how I do it.
>
> This assumes that you have a windows 200x server and active directory. I
> haven't seen an NT4 box in years so I'm not much help with that.
>
> In windows 200x you can be a normal user to add a workstation to the
> domain so all you have to do is authenticate as a normal user... don't know
> about NT.
>
> This is configured on a Debian Box
>
> I follow the instructions as in the swat tool here.
>
> http://localhost:901/swat/help/Samba-HOWTO-Collection/domain-member.html#ads-member
>
> You may also want to include pam_mkhomedir.so so that a new user logging
> on gets a home directory created automagically.

I am not really after anyone logging in in the sense they can run
commands. I only want to authenticate user access to various shares the
SAMBA server has. Using the authentication from the PDC.

Your link is an example of incomplete or inconsistent docs (from my
POV):

Is the user in the "kinit USERNAME@REALM" command the same user as the
one in the later "net ads join -U Administrator%password" command? If
not, who is the one in the kinit command? If he IS the admin, won't the
first use of the name in the earlier kinit command mess up the later use
in the 'net' command?

If an administrator account has already logged in and things did not
work, nothing can be done until that admin's account is somehow reset.
During testing this will happen many times. How does one reset the
Admin's account to allow this virgin state? Can it be done from the
Linux 'net' command?

Keep in mind that through all this I have very limited access to the
Windows server. Just what I can get the IT guy to do.

--
Roger Oberholtzer
OPQ Systems AB