I use Samba 3 on my Raspberry Pi. I want to use a 1:1 mapping between Linux and Windows NT (Windows 8) users. At this point I have the following config for Samba:
server role = standalone # not working! unknown parameter! (testparm -v)
local master = yes
os level = 33
client NTLMv2 auth = yes
guest ok = no
server string = %h server
wins support = yes
dns proxy = no
# Auth
security = user
encrypt passwords = true
obey pam restrictions = yes
unix password sync = yes
auth methods = sam
domain logons = no
# winbind enum groups = yes
# winbind enum users = yes
## shares ##
[testdir]
path = /home/testdir
valid users = %U
browseable = yes
writeable = yes
create mode = 0600
directory mode = 0700
read only = no
[homes] # not working!
path = /home/%U # have tried with %S
valid users = %U
browseable = yes
available = yes
guest ok = no
But the home shares don't work, and I think there is a problem with the user mapping, because I can't access the home directories (network path not found) and Windows doesn't say "Sebi (Unix User)" but "\smart-server\Sebi":
Output of pdbedit -L:
Ignoring unknown parameter "server role"
Sebi:1000:
Windows share properties (testdir (working!)):
I think this is a problem with the user mapping, because pdbedit -Lv outputs SIDs instead of UIDs. Does anybody know how I can configure my Samba to work as a simple share with 1:1 mapping between Unix and Windows NT users? I don't know what I'm doing wrong.
There are two ways to have 1:1 mapping of accounts between computers. The first is synchronization. This is where you copy accounts by hand or by script between machines. I think this is what you tried to do, but Windows does not work well when trying to do this. (There are other problems with this approach, which has led to the second approach.)
The second way is a directory server. There are lots of directory servers out there. Sun came out with NIS; there is DAP and LDAP, which have multiple implementations, including from folks like SAP, Red Hat, Oracle and Novell. But in a Windows environment the dominant directory server is Microsoft's Active Directory, which is part of Windows Server. (Prior to Windows 2000 there was a simpler service called NT domain logon, which can still be used in some cases.)
Now, if you don't want to shell out the big bucks for Windows Server, Samba has a protocol-compatible directory server. Samba 3 uses NT domain logons to serve account information, and Samba 4 is compatible with Active Directory. The general way you use Samba 3 to provide accounts to Windows is to make Samba a primary domain controller, and then join Windows to the domain you just created. The accounts are then drawn from your passwd file (or wherever NSS maps your account information), but your passwords have to be stored in Samba. Samba 4 is a similar process, but newer, and all account information must be stored in Samba; you must also join your Linux box (Raspberry Pi in your case) to the domain with winbind.
On the other hand, if you have Windows Server just lying around, you could also create your domain there and join all your machines to that domain, again using winbind for Linux.
One of the complications of using winbind is assigning or mapping UIDs for linux. It is not complicated, but you have to pay attention.
If you noticed that I have skipped some details, you have a gift for understatement. There are books on this subject that miss important details. You have some reading to do.
Related
I'm trying to set up an OpenLDAP server and client on Linux (CentOS). After searching around a bit, my understanding is that gidNumber and uidNumber work like uid and gid on Unix, to identify a unique user and group. My questions are:
Is there a relationship between these LDAP and Linux IDs? Should the LDAP ones be the same as a user's uid/gid on Linux (if I already have such a user on the server host)?
If not, after a client authenticates a user and the user creates a file on the client host, what would the user/group Linux ownership of the file look like?
Thanks
Yes, and therefore
Not applicable.
BG: I have built Samba on Red Hat Linux and shared a folder, then accessed the shared folder from Windows.
As the following shows, the connection information can be obtained via the command "smbstatus":
[root@Redhat6 pam.d]# smbstatus
Samba version 3.5.10-125.el6
PID Username Group Machine
-------------------------------------------------------------------
8303 leon domain users win0832mc (::ffff:10.204.176.73)
We can get the user and the group of the domain, but how do we get the domain information?
Could you please help me on this? Thanks.
The user name shown by smbstatus is the name of the local user, not the user which connected to the share. The original name might already have been transformed with the help of the 'username map' option in smb.conf.
Supposedly, you have a one-to-one name mapping between incoming users and local POSIX users. In this case you can use 'wbinfo --uid-to-sid leon' to get the Security Identifier (SID) of the user 'leon', and as the next step do 'wbinfo --sid-to-fullname sid' to convert the SID to a fully qualified user name (DOMAIN\user).
Is it possible to set up an SVN authz file to use Linux server groups?
To try to give a bit more detail/an example, say I have an SVN authz file as follows:
[groups]
developers = linuxUserA, linuxUserB
reviewers = linuxUserC
endUsers = linuxGroupA <- can I insert a Linux group here
[/project]
@developers = rw
@reviewers = r
[/project/downloads/]
@endUsers = r
userA, userB and userC all exist as Linux users, and are granted access as expected. However, members of linuxGroupA don't seem to be granted access (in this example to the downloads folder).
So, can the svn authz be configured to refer to a linux group, whose members will get access (to say the downloads folder above)?
No
The right side inside the [groups] section is always a list of authz-file objects (other groups, aliases, users).
You can build the string endUsers = ... by processing /etc/group and outputting linuxGroupA's final users into the authz file.
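The generator the answer describes, as an added example (not code from the answerer or from Subversion): it reads constructed /etc/group and /etc/passwd samples embedded in the script (the real files would be read the same way), expands a Unix group into its supplementary members plus the users whose primary group it is (which /etc/group alone does not list), refuses user names that would break the comma-separated authz syntax, and renders a [groups] section. The "unix:" prefix on an entry is a convention invented for this script, and the user/group names mirror the question's example.

```python
import re

# Constructed sample /etc/group and /etc/passwd contents (not taken from the thread).
SAMPLE_GROUP = """\
root:x:0:
linuxGroupA:x:1001:linuxUserD,linuxUserE
developers:x:1002:linuxUserA,linuxUserB
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
linuxUserA:x:1000:1002:A:/home/linuxUserA:/bin/bash
linuxUserD:x:1003:1001:D:/home/linuxUserD:/bin/bash
linuxUserF:x:1004:1001:F:/home/linuxUserF:/bin/bash
"""

# authz user lists are comma/whitespace separated, so a name containing either
# would silently change the meaning of the generated line; reject such names.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._@-]+$")


def parse_group(text):
    """Return {group_name: (gid, set(supplementary_members))} from /etc/group text."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue
        name, _pw, gid, members = fields[:4]
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def primary_members(text):
    """Return {gid: set(users)} for users whose primary group is gid (from /etc/passwd text).
    /etc/group does not list primary-group members, so they must come from here."""
    by_gid = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue
        by_gid.setdefault(int(fields[3]), set()).add(fields[0])
    return by_gid


def expand_unix_group(group_name, group_text, passwd_text):
    """All members of a Unix group (supplementary plus primary), sorted for stable output."""
    groups = parse_group(group_text)
    if group_name not in groups:
        raise KeyError(f"unknown unix group: {group_name}")
    gid, members = groups[group_name]
    members = set(members) | primary_members(passwd_text).get(gid, set())
    bad = [m for m in members if not SAFE_NAME.match(m)]
    if bad:
        raise ValueError(f"user names unsafe for authz: {bad}")
    return sorted(members)


def render_authz_groups(mapping, group_text, passwd_text):
    """Render a [groups] section. `mapping` maps an authz group name to a list of entries;
    an entry written as 'unix:NAME' (hypothetical convention) is replaced by the members
    of Unix group NAME, any other entry is copied through unchanged."""
    lines = ["[groups]"]
    for authz_name, entries in mapping.items():
        users = []
        for entry in entries:
            if entry.startswith("unix:"):
                users.extend(expand_unix_group(entry[len("unix:"):], group_text, passwd_text))
            else:
                users.append(entry)
        # dict.fromkeys keeps first-seen order while dropping duplicates
        lines.append(f"{authz_name} = {', '.join(dict.fromkeys(users))}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_authz_groups(
        {"developers": ["linuxUserA", "linuxUserB"],
         "reviewers": ["linuxUserC"],
         "endUsers": ["unix:linuxGroupA"]},
        SAMPLE_GROUP, SAMPLE_PASSWD), end="")
```

Because the authz file is a snapshot, it goes stale as soon as the Unix group changes; run the generator from cron or a deploy hook and write the whole [groups] section rather than editing it by hand. The names it emits must match what the SVN authentication layer (for example Apache) presents, which is also why unsafe names are rejected instead of quoted.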
I need to log in using Kerberos on a Unix machine to call a URL on a Windows network. I can use useTicketCache=true on Windows and everything works fine. How do I do this from a Unix box and just pass in the user/pass to my Java program instead of using the ticket cache?
This is not the way you should go. The human itself should obtain the TGT on Windows logon. You then access the TGT to obtain a service ticket from the KDC.
If your Unix setup does not use winbind to perform auth, so you don't have access to a prepopulated credential cache, you have three options:
1. Use winbind to manage your Unix users in AD
2. Perform a Unix kinit
3. Pass a Username and/or PasswordCallback to a new LoginContext.
I would favor 1 or 2.
Option two would work like this from Java:
// Needs java.io.IOException, java.io.OutputStream and java.nio.charset.StandardCharsets
Process p = Runtime.getRuntime().exec(new String[] {"kinit", upn});
// kinit reads the password from its stdin, which is the process's output stream on the Java side
try (OutputStream os = p.getOutputStream()) { os.write((password + "\n").getBytes(StandardCharsets.UTF_8)); }
// Check the exit code: 0 means a TGT was written to the credential cache
if (p.waitFor() != 0) throw new IOException("kinit failed with exit code " + p.exitValue());
Now you have a valid native TGT in your credential cache. Java can pick this up now and request further service tickets.
I use a Debian-based OS here at my work, and I've configured the service for test routines of an ERP app...
This service (Tomcat + Java service) is consumed via HTTP on the intranet correctly... but the test leader sometimes needs to change the database used by the service application, and uses SSH to access my machine to change the database in the config file and restart the service... eventually this person changes some service or O.S. config, causing problems for me (on my O.S. and other things...).
What I want to know is whether I can change my password only for the SSH service (without changing it for my KDE/Gnome session), just because the company's policy requires everyone to have a default password on workstations...
Remembering that I'm a manager of config, maintenance and other jobs of the service for the test team... and database change requests can be made to me.
A simple example:
KDE login with user 'carlos' and password '123456'
SSH login with user 'carlos' and password '4nyJokeHere'
Is that possible?
Thanks in advance.
Possible? Maybe. You'd probably have to fiddle with pam.d to get SSH authenticating via a different mechanism to KDE etc.
Coming from a different angle (I may be missing something), can you not create a second user for the SSH process, keeping your main user for KDE etc. cleanly separate?
I'd really strongly recommend trying to "split" a user into multiple purposes/security groups, with differing passwords for each!
You can use authorized_keys to restrict the SSH commands available, and/or sudo...
Update: Some expansion on the subject as requested by the OP
You can limit the commands available via SSH by using the ~/.ssh/authorized_keys file - see O'Reilly for a good explanation.
I solved this case by applying a single rule here. On the SSH service I locked access for my user 'carlos' (who is in sudoers) and enabled access only for a user called 'padrao' (padrao translated to English is 'default').
This user 'padrao' doesn't have sudoers permissions. If I need to access my machine with SSH I do:
ssh padrao@my.intranet.machine
password: ***
$ su carlos
password: ***
This is not the best way to solve it, but it solved my problem here.
Thanks.