
Annoying Problem with SAMBA? (security = domain)

Posted on 2003-03-20
Medium Priority
Last Modified: 2010-03-17

I've installed SAMBA 2.0 on SuSE 8.1 with the option security = domain in smb.conf.
I've successfully joined the domain with:

% smbpasswd -j DOMAIN -r PDC[a win-2000 server] -Uadministrator%my_admin_password

and I've carefully created the same users on both sides (Windows PDC and Samba/Linux).

From the Windows side all goes well (permissions, shared printer attached to the Linux machine, etc.), and also from the Linux side I have no
problem getting into my Windows shares with Konqueror (smb://PDC/share).

Only one annoying problem in the Linux environment: I must type the userid/pw every time I copy something from local into the Windows share, and (after a few minutes) also if I want to re-open the Windows share, always with Konqueror.

Does anybody know if a workaround for this problem exists?

for me the ideal scenario would be a windows_client-like behaviour on the linux client machine: only the log-in authentication and...all the win shares on the PDC associated to this user available with no more passwords via the konqueror smb://!

thanks a lot in advance for your reply,

Question by:fabianope

Accepted Solution

Gabriel Orozco earned 1000 total points
ID: 8174802
upgrade to samba 2.2.8, and use winbind, which will be the service taking the user/password from the PDC. It's the workaround for the problem, by the samba team

Author Comment

ID: 8179414
hello, Redimido

thanks a lot for your reply

just downloaded the winbind documentation: this weekend I'll give it a try, and Sunday/Monday, if all goes OK, I'll send you the points

thanks again


Author Comment

ID: 8186026
the Linux config is SuSE 8.1 and samba 2.2.7a
I've configured winbind following the winbind.html file in the samba package documentation.
1. edited /etc/nsswitch.conf:


passwd: files winbind
shadow: files
group:  files winbind

hosts:        files dns
networks:       files dns

services:       files
protocols:      files
rpc:            files
ethers:            files
netmasks:       files
netgroup:       files
publickey:      files

bootparams:     files
automount:      files nis
aliases:        files


2. edited /etc/samba/smb.conf (the entire file follows; excuse the comments, which were in Italian and are translated here):

# /etc/samba/smb.conf is the main samba configuration file. See the manual page
# of smb.conf and the included documentation in /usr/share/doc/packages/samba in
# order to understand the options listed here and many more features.
# Lines in this file which start with ; and # are ignored by samba while
# parsing it. Therefore both signs mark a comment, but here we use a # to
# indicate a real comment and ; for a deactivated option. To activate such a
# feature just remove the leading semicolon.
# We suggest using the command 'testparm' after any changes you make.
# Copyright (c) 1999 - 2002 SuSE Linux AG Nuernberg, Germany.
# Submit bugfixes or comments to http://www.suse.de/feedback/

[global]
# define Aristotele as a member of the CAS domain, whose PDC is Platone
      username map = /etc/samba/smbusers
      time server = Yes
      encrypt passwords = Yes
      veto files = /*.eml/*.nws/riched20.dll/*.{*}/
      wins support = No
      unix extensions = Yes

# separate domain and username with '+', like DOMAIN+username
      winbind separator = +
# use uids from 10000 to 20000 for domain users
      winbind uid = 10000-20000
# use gids from 10000 to 20000 for domain groups
      winbind gid = 10000-20000
# allow enumeration of winbind users and groups
# might need to disable these next two for performance
# reasons on the winbindd host
      winbind enum users = yes
      winbind enum groups = yes
# give winbind users a real shell (only needed if they have telnet/sshd/etc... access)
      template homedir = /home/winnt/%D/%U
      template shell = /bin/bash

      printing = CUPS
      password server = platone
      workgroup = CAS
      os level = 2
      printcap name = CUPS
      syslog = 0
      security = DOMAIN
      log level = 1
# there are four different security levels:
#      security = SHARE
# the WfW 3.xx security level
# every user listed in the share's users has AT LEAST the read privilege.
# the guest user can be let in as well.
#      security = USER
# the default setting in samba 2.0
# the user is asked to identify himself only once, at login
# the supplied userid/pw is compared with the one held on the server.
# since passwords may be sent in the clear, it is best to configure samba as follows:
#      encrypt passwords = yes
#      smb passwd file = /etc/samba/smbpasswd
# so as to avoid using /etc/passwd and /etc/shadow altogether
#      security = SERVER
# this way authentication is "offloaded" not onto the local machine
# but onto one or more servers defined with
#      password server = SERVER_NAME1 SERVER_NAME2
#      security = DOMAIN
# same as the previous option, except that authentication is entrusted to a PDC and/or BDC
# if we want, we can limit the number of connections (commented out):
#      max connections = 8
# note that
#      max connections = 0
# allows an arbitrary number of simultaneous connections.

# we can also arbitrarily exclude hosts from connecting (commented out):
#      deny hosts =
# excludes all hosts from a

# let every user access his own home directory for reading and writing:
[homes]
      browseable = No
      writeable = Yes

# in this example, browseable = No means that the share is not visible to users
# other than the one the home belongs to.

# The following share gives all users access to the Server's CD drive,
# assuming it is mounted under /media/cdrom.
;[cdrom]
;      comment = Linux CD-ROM
;      path = /media/cdrom
;      locking = No

[printers]
      comment = All Printers
      path = /var/tmp
# Make printers accessible without user authentication.
;      guest ok = Yes
      printable = Yes
      create mask = 0600
      browseable = No

# This share provides printer driver down- and upload in a Windows NT-style
# point-and-print way. For more detailed information consult the Printing
# Support Section of the Samba-HOWTO-Collection. For uploading take extra care
# to add the printer admins to the group lp.
[print$]
      comment = Printer Drivers
      path = /var/lib/samba/drivers
# Make printer drivers accessible without user authentication.
;      guest ok = Yes
      write list = @ntadmin root
      force group = ntadmin
      create mask = 0664
      directory mask = 0775

# create mask and directory mask do the same job as chmod.

# open the /tmp directory to all 192.168.0.x users for both reading and writing
# to open it to fabianope only, uncomment valid users and comment out public.
# to fabianope-gnome we open it read-only instead (commented out)
# (the section names of this and the next two shares are not preserved in the
# post; the names used here are assumed from the paths)
[tmp]
#       valid users = fabianope, fabianope-gnome
      public = yes
      path = /tmp
      read only = no
#      read list = fabianope-gnome
# finally make sure that users cannot follow links leading outside /tmp:
      follow symlinks = yes
      wide links = no

# finally open a read-only public directory to all samba users
[public]
      path = /home/samba/public
      public = yes
      writable = no
# comment out the option of making it writable only by fabianope:
#      write list = fabianope
# to finish, one last example of a share taken from linux magazine:

[shared_progs]
      path = /home/samba/shared_progs
      comment = shared programs directory
      writeable = no
      write list = fabianope, fabianope-gnome
      read list = @users
      admin users = fabianope
# note here that the write privileges "override" the read privileges given to the users group (to which fabianope also belongs)
# note also that fabianope, with admin privileges, is "root" inside the shared directory,
# even though he does not actually have those privileges on the system (/etc/passwd).


3. edited /etc/pam.d/login:

auth     requisite      pam_unix2.so            nullok #set_secrpc
auth       required      pam_securetty.so
auth       sufficient      pam_winbind.so
auth     required       pam_nologin.so
#auth       required      pam_homecheck.so
auth     required       pam_env.so
auth       required      pam_mail.so
account       sufficient      pam_winbind.so
account  required       pam_unix2.so
password required      pam_pwcheck.so            nullok
password required       pam_unix2.so            nullok use_first_pass use_authtok
session  required       pam_unix2.so            none # debug or trace
session  required       pam_limits.so

-all the daemons (smb, nmb, winbindd) start successfully
-I can see all the NT users with wbinfo -u
-I can see all the NT groups with wbinfo -g
-I can see all the user data with getent passwd
-I can see all the group data with getent group


-I can't log in to the Linux machine with an NT user (say DOMAIN+administrator), even though it is offered in the login window.
-I can't find the "new" NT users inside /etc/passwd: is that normal?
-I can't find the directories of these users as presented by
#getent passwd
they have the form /home/winnt/DOMAIN/user
should I build them by hand?
-anyway, YaST -> Security and Users -> Edit and create users doesn't allow me to modify the NT users
(aka DOMAIN+user) because it says that "+" is an invalid character in the username!

I've added more points to the question.

thanks a lot
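
Added example, not code from the post or from Samba: POSIX shell checks that exercise the three configuration steps above offline, against constructed config text that mirrors the asker's values (separator '+', uid range, template homedir); the two PAM stacks are assumed. It shows two things worth checking before debugging a winbind login failure: that pam_winbind is consulted before pam_unix2 in the auth stack (in the step-3 file pam_unix2 is requisite and runs first, so a domain user with no local shadow entry is rejected before winbind is asked), and that a session-stage pam_mkhomedir line exists to create the template homedir at first login instead of by hand.

```shell
# Added example (not from the original post): offline sanity checks for a
# winbind setup like the one above, against constructed config text only.
SMB_CONF_SAMPLE='[global]
   security = DOMAIN
   winbind separator = +
   winbind uid = 10000-20000
   template homedir = /home/winnt/%D/%U'

NSSWITCH_SAMPLE='passwd: files winbind
shadow: files
group:  files winbind'

# Auth stack as posted in step 3: pam_unix2 is requisite and runs first.
PAM_AS_POSTED='auth     requisite   pam_unix2.so    nullok
auth     sufficient  pam_winbind.so'

# Reordered stack: winbind first, pam_mkhomedir creates the template homedir.
PAM_REORDERED='auth     sufficient  pam_winbind.so
auth     required    pam_unix2.so    nullok use_first_pass
session  required    pam_mkhomedir.so  skel=/etc/skel umask=0022'

# smb_param NAME: print the value of a parameter from the sample smb.conf.
smb_param() {
    printf '%s\n' "$SMB_CONF_SAMPLE" |
        sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | head -n 1
}
# nss_has_winbind DB: succeed if nsswitch database DB lists the winbind source.
nss_has_winbind() {
    printf '%s\n' "$NSSWITCH_SAMPLE" | grep -q "^$1:.*[[:space:]]winbind"
}
# winbind_home 'DOMAIN+user': expand 'template homedir' with %D and %U.
winbind_home() {
    sep=$(smb_param 'winbind separator'); tmpl=$(smb_param 'template homedir')
    dom=${1%%"$sep"*}; usr=${1#*"$sep"}
    printf '%s\n' "$tmpl" | sed "s|%D|$dom|g; s|%U|$usr|g"
}
# pam_winbind_first TEXT: succeed if an auth line loads pam_winbind before any
# pam_unix* line; otherwise a domain user (no local shadow entry) is rejected
# by pam_unix2 'requisite' before winbind is ever consulted.
pam_winbind_first() {
    printf '%s\n' "$1" | awk '
        $1 == "auth" && /pam_winbind\.so/ { if (!seen_unix) ok = 1; exit }
        $1 == "auth" && /pam_unix/        { seen_unix = 1 }
        END { exit !ok }'
}
# pam_creates_home TEXT: succeed if the session stack loads pam_mkhomedir.
pam_creates_home() {
    printf '%s\n' "$1" | grep -q '^session.*pam_mkhomedir\.so'
}
```

Run the functions against the real files by replacing the sample variables with `cat /etc/samba/smb.conf`, `/etc/nsswitch.conf` and `/etc/pam.d/login`; the checks need no connection to the PDC.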


