At 12:43 PM 9/29/2005, Jeremy Allison wrote:
On Thu, Sep 29, 2005 at 12:30:35PM -0600, Ric Tibbetts wrote:

> If I understand the process correctly:
>
> User on Windows XP box makes a request to the Samba server.
> The Windows box passes the username/password pair to the Samba server.
> The Samba server checks that the user exists on the unix box, and
> (following the "password server = xxx.xxx.xxx.xxx" parameter in
> smb.conf) verifies the username/password from the Windows Domain
> Controller (specified in the "password server = " parameter).
> If the username/password do not exist on the specified password
> server, Samba checks the smbpasswd file.
> Once the username/password is validated, the Samba server will pass the
> share.
>
> Is the above a fair breakdown, in a very simple implementation?

Close. The Samba server sends a challenge to the client on initial
connect, the client replies on sessionsetup (user logon) with a
username and a cryptographic reply to the challenge based on
the user's hashed password.

Now Samba has to authenticate that reply somehow. It can't use
unix passwords as the hashes aren't the same. To do it locally
it can use smbpassword (or a local tdb or an ldap based SAM). To
do this remotely against a Windows DC the Samba server has to
be set up as a member of the domain served by the Windows PDC.
That's where the net XXX (ads or rpc) join comes in.

Once the authentication passes the Samba server needs to
look up a UNIX user that will represent the logging in client
on this box - that's where you have either local unix users
in /etc/passwd or use winbindd to have remote domain users
appear as local unix users.

Hope this helps,

Jeremy.


Yes, that confirmation helps greatly. I know where the breakdown is now.
Resolving it is another issue, but at least I know where to look.

The problem seems to be that the Windows ADS isn't answering, thus I'm getting the unknown user errors when I take out the smbpasswd. I did the net rpc join, and it did join the domain. So now I need to figure out why it isn't resolving the users/passwords.
I may be back with more questions, but they'll be getting more specific now.

Thank you! (seriously).

-Ric
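
The challenge/response step described in the thread, and why a Unix password entry cannot validate it, as an added example that is not part of the original messages and is not Samba's code. It is a simplified model: SHA-256 and HMAC stand in for the real NTLM primitives, and all function names, the password and the salt are constructed for illustration.

```python
import hashlib
import hmac
import os


def smb_style_hash(password: str) -> bytes:
    # Stand-in for the unsalted password hash both the client and the
    # smbpasswd/SAM entry hold (assumption: SHA-256 replaces the real primitive).
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def unix_style_hash(password: str, salt: bytes) -> bytes:
    # Stand-in for a salted /etc/shadow entry: a different derivation,
    # so it yields a different key for the same password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)


def client_response(password: str, challenge: bytes) -> bytes:
    # Client side at session setup: the password never crosses the wire,
    # only a keyed reply to the server's challenge.
    return hmac.new(smb_style_hash(password), challenge, hashlib.sha256).digest()


def server_verify(stored_hash: bytes, challenge: bytes, response: bytes) -> bool:
    # Server side: recompute the reply from the stored hash and compare
    # in constant time.
    expected = hmac.new(stored_hash, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = "constructed-sample-password"   # constructed sample value
    challenge = os.urandom(8)                  # sent by the server on connect
    response = client_response(password, challenge)

    smbpasswd_entry = smb_style_hash(password)
    shadow_entry = unix_style_hash(password, b"constructed-salt")
    return {
        # The server holds the same hash the client used: the reply verifies.
        "smbpasswd": server_verify(smbpasswd_entry, challenge, response),
        # Correct password, but the Unix entry is a different hash: it fails.
        "unix": server_verify(shadow_entry, challenge, response),
        # A captured reply does not verify against a fresh challenge.
        "replayed": server_verify(smbpasswd_entry, os.urandom(8), response),
    }


if __name__ == "__main__":
    print(demo())
```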