Tags: linux, unix, authentication, samba, network-share

Samba authentication and linux user mapping


I use Samba 3 on my Raspberry Pi. I want to use a 1:1 mapping between Linux and Windows NT (Windows 8) users. At this point I have the following config for Samba:

server role = standalone # not working! unknown parameter! (testparm -v)
local master = yes
os level = 33
client ntlmv2 auth = yes
guest ok = no
server string = %h server
wins support = yes
dns proxy  = no
# Auth
security = user
encrypt passwords = true
obey pam restrictions = yes
unix password sync = yes
auth methods = sam
domain logons = no
# winbind enum groups = yes
# winbind enum users = yes
## shares ##
[testdir]
path = /home/testdir
valid users = %U
browseable = yes
writeable = yes
create mode = 0600
directory mode = 0700
read only = no
[homes] # not working!
path = /home/%U # have tried with %S
valid users = %U
browseable = yes
available = yes
guest ok = no

But the home share doesn't work, and I think there is a problem with the user mapping, because I can't access the home directories (network path not found) and Windows doesn't say "Sebi (Unix User)", but "\\smart-server\Sebi":

Output of pdbedit -L:

Ignoring unknown parameter "server role"
Sebi:1000:

[Image: Windows share security properties for testdir (working!)]

I think this is a problem with the user mapping, because pdbedit -Lv outputs SIDs instead of UIDs. Does anybody know how I can configure my Samba to work as a simple share with a 1:1 mapping between Unix and Windows NT users? I don't know what I'm doing wrong.


Solution

  • There are two ways to have a 1:1 mapping of accounts between computers. The first is synchronization. This is where you copy accounts by hand or by script between machines. I think this is what you tried to do, but Windows does not work well when trying to do this. (There are other problems with this approach, which has led to the second approach.)

    The second way is a directory server. There are lots of directory servers out there. Sun came out with NIS; there are DAP and LDAP, which have multiple implementations, including from folks like SAP, Red Hat, Oracle and Novell. But in a Windows environment the dominant directory server is Microsoft's Active Directory, which is part of Windows Server. (Prior to Windows 2000 there was a simpler service called NT domain login, which can still be used in some cases.)

    Now, if you don't want to shell out the big bucks for Windows Server, Samba has a protocol-compatible directory server. Samba 3 uses NT domain logins to serve account information, and Samba 4 is compatible with Active Directory. The general way you use Samba 3 to provide accounts to Windows is to make Samba a primary domain controller, and then join Windows to the domain you just created. The accounts are then drawn from your passwd file (or wherever NSS maps your account information), but your passwords have to be stored in Samba. Samba 4 is a similar process, but newer, and all account information must be stored in Samba; you must also join your Linux box (Raspberry Pi in your case) to the domain with winbind.

    On the other hand, if you have Windows Server just lying around, you could also create your domain there and join all your machines to that domain, again using winbind for Linux.

    One of the complications of using winbind is assigning or mapping UIDs for Linux. It is not complicated, but you have to pay attention.

    If you noticed that I have skipped some details, you have a gift for understatement. There are books on this subject that miss important details. You have some reading to do.
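The Samba 3 primary domain controller setup that the answer describes, written out as an added example; this is not configuration from the original question or answer. The domain name SMARTDOM, the client name WIN8-PC, the "machines" group and the /var/lib/samba/netlogon path are placeholders chosen for the example; the server name and the [testdir] share are taken from the question. The setup steps are given as comments at the top in smb.conf's own comment syntax so that one file carries both.

```ini
# /etc/samba/smb.conf for a Samba 3.x NT4-style primary domain controller.
# Added example with placeholder names (SMARTDOM, WIN8-PC, group "machines").
#
# One-time setup on the Pi (as root), before joining any Windows client:
#   groupadd machines                        # group for machine accounts
#   mkdir -p /var/lib/samba/netlogon
#   testparm -s                              # must not report unknown parameters
#   smbpasswd -a root                        # account used to join machines
#   smbpasswd -a sebi                        # one Samba password per Unix user
#   net groupmap add ntgroup="Domain Admins" unixgroup=sudo rid=512 type=d
#   net getlocalsid                          # the domain SID Windows will show
#   service samba restart
# Then join WIN8-PC to the domain SMARTDOM with the root Samba account.
# Windows 7/8 do not join NT4-style domains by default; on the client set
#   HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
#   DomainCompatibilityMode = 1 (DWORD) and DNSNameResolutionRequired = 0 (DWORD)
# and reboot first.

[global]
    workgroup = SMARTDOM
    netbios name = SMART-SERVER
    server string = %h server

    # Samba 3 has no "server role" parameter; these lines make it a PDC.
    security = user
    domain logons = yes
    domain master = yes
    preferred master = yes
    local master = yes
    os level = 65

    # Accounts come from /etc/passwd via NSS, passwords live in Samba's tdb.
    passdb backend = tdbsam
    encrypt passwords = yes
    unix password sync = yes
    obey pam restrictions = yes

    # Creates the Unix account for a joining machine (name ends in '$').
    add machine script = /usr/sbin/useradd -d /var/lib/nobody -g machines -s /bin/false -M %u

    # Empty logon path/home disables roaming profiles on the clients.
    logon path =
    logon home =

    wins support = yes
    dns proxy = no

[netlogon]
    comment = Domain logon service
    path = /var/lib/samba/netlogon
    read only = yes
    browseable = no

[homes]
    comment = Home directories
    # %S is the requested service name, which for [homes] is the user name;
    # no "path" line is needed, the passwd home directory is used.
    valid users = %S
    browseable = no
    read only = no
    create mask = 0600
    directory mask = 0700

[testdir]
    path = /home/testdir
    valid users = %U
    browseable = yes
    read only = no
    create mask = 0600
    directory mask = 0700
```

Check the file with `testparm -s` before restarting: it reports any parameter the installed Samba version does not know, which is exactly how the question's `server role` line was caught.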