[kwlug disc.] Authenticating both local and ADS users in Samba
unsolicited
unsolicited at swiz.ca
Sun Feb 3 15:23:51 EST 2008
Paul Nijjar wrote, On 02/03/2008 2:28 AM:
> I think I am asking for impossible things again, but here goes:
> is it possible for a Linux fileserver running a Samba share to do
> BOTH
> of the following?
>
> 0. Authenticate Active Directory user accounts (where an
> Active Directory with Windows 2003 has been set up already). I want
> this to be transparent to the users if possible.
You answer this below, but you didn't say where you're coming
from. OK, from Linux.
> 1. Authenticate using a separate set of user accounts from machines
> that are not members of the domain. (In my case I have a bunch of DOS
> clients that are used for ghost imaging, as well as some WinXP
> clients
> that live in a separate workgroup.)
> Note that I am only talking about authenticating to a share, not
> authenticating so that Active Directory users can log into shell
> accounts on the Linux machine.
Same difference. Share access is based on userids/passwords - they
must be communicated by the caller. I won't get into 'yes, they're
encrypted', nor 'and you actually get back a SID' sort of thing here.
From an smb point of view:
(1) Isn't this just two levels of pam authentication? e.g. AD plus
local /etc/group & password? PAM is supposed to allow multiple
authentication methods to multiple authenticators. Is this only coming
in? i.e. Used for dis/allowing access to local things, not for sending
out access requests?
(2) The machine to authenticate with is inherent to the request. i.e.
\\{machine}\{share} really causes the machine/client to figure out
who/how to authenticate. If you go to an AD member, it will go to AD.
If you go to a workgroup, there is no central authority, so you are
always authenticating against the local machine.
Therefore, the answer to your question is, it shouldn't matter. But
that's not quite correct.
I don't have experience enough myself, but if you're setting up local
samba authentication files under linux, you should be able to specify
the ad or workgroup 'authenticating' agent. (i.e. windows <-> linux
userid mappings.) So joedomain -> ad/domain, and joemachine ->
workgroup/user.
If you are expecting to not have to maintain such files, then the
request to connect to the samba share should just figure itself out.
Evidently, from your notes below, that isn't happening.
An issue I frequently run into is forgetting to put the domain on the
userid. e.g. '/workgroup/me' or '/domain/me' instead of just 'me'.
Inevitably the sharing machine's default authenticator ends up being
not the one I expected / wanted.
> I can put up smb.conf files and such on request, but at this point I
> am not even sure Samba can be configured to do what I want. By
> including the following in my configuration:
>
> security = ADS
> domain logons = no
>
> I can get the Linux machine viewed as a client on the AD network, and
> other AD members can log in -- but I can't figure out how to
> authenticate local users. If I go:
>
> security = user
>
> then I can get clients to log in using local accounts, but I lose
> Active Directory authentication. If I try to get fancy with things
> like
>
> security = ADS
> domain logons = yes
>
> things break in frustrating ways -- it looks like my Linux client
> becomes a domain controller (which is the documented behaviour).
> Maybe
> that is okay, but then I get other errors (e.g. problems getting
> Kerberos tickets and winbind failures).
Samba is samba.
For your purposes, you don't really care whether it's a domain logon
or not. i.e. It's up to the receiving machine to determine if it
authenticates locally or via AD. By any chance, if you say security =
user, domain logons = no, and pass the entire \\machine\share string
in the userid, does it all just start to work?
Validating against the domain is only really useful in the sense of
getting your security ticket once, then connecting to multiple shares
using that ticket, rather than authenticating each time. [But for all
I know, you may run into the deeply irritating windows problem of not
being able to connect to the domain twice, with different credentials.]
Isn't there a provision in samba to locally define additional
userids/groups?
Does it help at all to define these additional users in A.D.?
i.e. I have found, even crossing authenticators, if you keep the
userids and passwords in sync, good things happen.
Any chance OpenLDAP makes sense here, as a local Linux authenticator,
configured to talk to AD (as well)? Is that even possible? [If I
remember John correctly, AD vs. LDAP only really matters to either
Linux or Windows once you involve exchange. Beyond that, LDAP is LDAP,
and authentication is authentication.]
> Details: I have tried Debian Etch (Samba 3.0.24) and SuSE 10.1 (also
> Samba 3.0.x) on the server. I am attempting to configure users and
> groups using winbind. The domain controller for the Active Directory
> share is Windows 2003.
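As an added illustration (not from this thread or from the Samba project), a small Python linter that reads a [global] section and flags the security / domain logons combinations discussed above; the sample smb.conf fragments and their workgroup/realm names are constructed for the example.

```python
import re

# Constructed smb.conf fragments mirroring the combinations discussed above.
ADS_MEMBER = """
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.LOCAL
   security = ADS
   domain logons = no
"""
ADS_DC = ADS_MEMBER.replace("domain logons = no", "domain logons = yes")
LOCAL_ONLY = "[global]\n   workgroup = GHOSTLAB\n   security = user\n"

def parse_smb_conf(text):
    """Minimal smb.conf reader: [sections], 'key = value', '#' or ';' comments.
    smb.conf ignores case and whitespace in parameter names, so 'Domain Logons' -> 'domainlogons'."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][re.sub(r"\s+", "", key.lower())] = value.strip()
    return conf

def is_yes(value):
    """Samba boolean: yes/true/1 count as true, anything else as false."""
    return value.strip().lower() in ("yes", "true", "1")

def audit_global(conf):
    """Flag the security / domain logons combinations the thread ran into."""
    g = conf.get("global", {})
    security = g.get("security", "user").lower()  # Samba 3 default is 'user'
    findings = []
    if security == "ads":
        for needed in ("realm", "workgroup"):  # both required for the AD join and Kerberos
            if needed not in g:
                findings.append(f"security = ADS requires '{needed}' for the AD join/Kerberos")
        if is_yes(g.get("domainlogons", "no")):
            findings.append("security = ADS with domain logons = yes turns this host into a domain controller")
    elif security == "user":
        findings.append("security = user checks only the local passdb; AD accounts will not be accepted")
    return findings
```

Running audit_global(parse_smb_conf(...)) on each fragment reproduces the three outcomes from the thread: the AD member config is clean, the domain logons = yes variant is flagged as a DC, and security = user is flagged as local-only.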