Re: [suse-linux-uk-schools] Re: SAMBA setup
Your /etc/smb.conf file contains no information on what type of security is required. If the samba server is to authenticate its own users in its own domain, set

    security = user
    domain master = yes
    domain logons = yes
    encrypt passwords = no

This allows Win 95 clients before second release and NT4 clients before service pack 4 to connect to the domain of your linux box. This is because by default, clear text passwords were sent over the network. Since then, Win95SE, Win98, NT service pack 4 onwards and Win2000 all use encrypted passwords by default. In which case you would have to set

    encrypt passwords = yes

This also means you have to have a separate /etc/smbpasswd file to hold the encrypted passwords, whereas using encrypt passwords = no, the normal Linux passwords would be used. If however you wish to authenticate using an existing NT domain, set

    security = server
    # The following is just an example,
    # you put in your own IP address of your own domain server
    password server = 192.168.7.1
    domain master = no
    encrypt passwords = yes

In this case no /etc/smbpasswd file is required; however, the users of the NT domain still need to be created locally on the Linux box for it to work. As an added thing, I usually edit the /etc/shadow file and place a * where the encrypted password would be. This stops users telnetting to the Linux box. I am assuming you have put on a recent NT service pack 4 to 6a to your server so the need for encrypt passwords to be yes.

Regards
Bill
Which all brings me to the final problem...connecting to the LINUX box from a remote station. (smbclient //localhost/test -U% works fine)
My test samba config file is:
    [global]
    log level=1
    max log size = 1000
    socket options = TCP_NODELAY IPTOS_LOWDELAY
    guest ok = no
    # my NT Domain name so that it appears in the right browse list
    workgroup=BHEADS

    [homes]
    browseable = no
    map archive = yes

    [printers]
    path = /usr/tmp
    guest ok = yes
    printable = yes
    min print space = 2000

    [test]
    browseable = yes
    read only = no
    guest ok = yes
    public = yes
    path = /test
Entering the share from the browse list on the NT server brings up a logon/password box (which surprises me - as I thought guest logon was ok).
Using a LINUX username and password, the subsequent error message on the NT box reads 'The account is not authorised to login from this station'
Is this a problem with encrypted passwords? I add the line 'encrypt passwords= yes' to my smb.conf file (as per page 73, Reilly) and ....testparm doesn't like it.
Later in Reilly it states 'encrypted passwords = yes' which it also doesn't like.
What should it be? Perhaps I should ask NT to do password authentication..
The hosts.deny file only contains a http-rman: all line.
-- Alan Davies Head of Computing Birkenhead School
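An added example, not part of the original messages: a small Python audit of the settings this thread turns on (whether `security` and `encrypt passwords` are set at all, and which shares are open to guests for writing), run over a constructed, shortened copy of the test config above. The function names and finding messages are assumptions made for illustration.

```python
import re

# Constructed input: the test config posted above, one parameter per line.
SAMPLE_CONF = """\
[global]
   guest ok = no
   workgroup = BHEADS
[printers]
   guest ok = yes
   printable = yes
[test]
   read only = no
   guest ok = yes
   public = yes
"""
YES = {"yes", "true", "1"}

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lower-cased, whitespace removed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def audit(sections):
    """Return (section, message) findings for the settings the thread discusses."""
    g, out = sections.get("global", {}), []
    if "security" not in g:
        out.append(("global", "no 'security' parameter: mode is left to the default"))
    if "encryptpasswords" not in g:
        out.append(("global", "'encrypt passwords' unset: depends on the Samba default"))
    elif g["encryptpasswords"].lower() not in YES:
        out.append(("global", "encrypt passwords = no: clear-text passwords on the wire"))
    for name, p in sections.items():
        guest = YES & {p.get("guestok", "no").lower(), p.get("public", "no").lower()}
        if name != "global" and guest and p.get("readonly", "yes").lower() not in YES:
            out.append((name, "guest-accessible and writable"))
    return out

if __name__ == "__main__":
    for section, message in audit(parse_smb_conf(SAMPLE_CONF)):
        print(f"[{section}] {message}")
```

Only `read only` is checked for write access here; its inverse synonyms are not handled.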
On Tue 05 Dec, Bill Antonia wrote:
> Your /etc/smb.conf file contains no information on what type of security is required. If the samba server is to authenticate its own users in its own domain, set
>
>     security = user
>     domain master = yes
>     domain logons = yes
>     encrypt passwords = no

I assumed that values were defaulted - although not the ones above.

For the moment we have an existing NT domain - and I was allowing users that had a LINUX account to access their 'linux home' (and possibly other common areas on LINUX box) from their NT workstation.

What kind of 'security' should I use? Share?

> This allows Win 95 clients before second release and NT4 clients before service pack 4 to connect to the domain of your linux box. This is because by default, clear text passwords were sent over the network. Since then, Win95SE, Win98, NT service pack 4 onwards and Win2000 all use encrypted passwords by default. In which case you would have to set
>
>     encrypt passwords = yes
>
> This also means you have to have a separate /etc/smbpasswd file to hold the encrypted passwords, whereas using encrypt passwords = no, the normal Linux passwords would be used. If however you wish to authenticate using an existing NT domain, set
>
>     security = server
>     # The following is just an example,
>     # you put in your own IP address of your own domain server
>     password server = 192.168.7.1
>     domain master = no
>     encrypt passwords = yes
>
> In this case no /etc/smbpasswd file is required; however, the users of the NT domain still need to be created locally on the Linux box for it to work. As an added thing, I usually edit the /etc/shadow file and place a * where the encrypted password would be. This stops users telnetting to the Linux box. I am assuming you have put on a recent NT service pack 4 to 6a to your server so the need for encrypt passwords to be yes.

Creating the smbpasswd file - can it be done automatically for all LINUX users?

(I note that there appears to be mechanisms for synchronising passwd and smbpasswd files once the entries are there)

I want users to telnet to the LINUX box - or at least users that have a LINUX account to be able to telnet....and run kde on their local X server.

Can this authorisation be completely controlled from an NT Domain server?

But I still need a list of users in the passwd file?

-- Alan Davies Head of Computing Birkenhead School
I suggest using the second method where Samba authenticates using another PDC, security = server. This allows users to use their existing NT password to access Samba shares without the need of a /etc/smbpasswd file. Login .bat files on the PDC can automatically connect to the Samba shares without the user being asked for another password during login.

Again I would suggest that you may want to edit the /etc/shadow file so that telnet cannot be used. This means you do not have to be concerned with Linux passwords at all unless you wish certain users to have that facility, in which case they would have a separate password.

This is the method I use at Beacon CC on our admin network. By using root preexec and root postexec I make connections for our admin users to two Win2000 servers through a Linux gateway without them having to login for each share even though they have a different password on the other network. Samba acts as a stepping stone through the gateway.

As of synchronising the passwd file, I've never used it but it seems to be simple: Using Samba (O'Reilly), page 177. However I do suspect it requires Samba to be set up as a PDC as it has a /etc/smbpasswd file which when a password is changed automatically updates the password in /etc/shadow. This will mean you would still have two sets of passwords, one NT the other Samba, now both in different domains. The alternative is to go the whole hog and make Samba your PDC for your domain and make the NT servers authenticate with it! I could be wrong here as I have not gone down this route.

Regards
Bill

PS Checked my copy of Using Samba (O'Reilly), encrypted passwords are used from NT service pack 3 onwards by default not from service pack 4 as stated earlier.

----- Original Message -----
From: Alan Davies <staff.asd@birkenhead.wirral.sch.uk>
To: <suse-linux-uk-schools@suse.com>
Sent: Tuesday, December 05, 2000 4:14 PM
Subject: Re: [suse-linux-uk-schools] Re: SAMBA setup